Anonymous Users Have Same Access as Domain Users in IIS
Article ID: 147691
Article Last Modified on 6/23/2005
APPLIES TO
- Microsoft Internet Information Server 1.0
This article was previously published under Q147691
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SYMPTOMS
In Internet Information Server (IIS), you can use NTFS security permissions
to restrict most web pages to domain users while allowing anonymous users to
access specific public web pages. However, you cannot do this if IIS is
installed on a primary domain controller (PDC).
CAUSE
In IIS, you can allow both anonymous and domain users to access the web
pages if you select "allow Anonymous" and "Windows NT Challenge/Response"
in WWW Service Properties. You can then use NTFS security permissions
to specify access to the Web server contents. IIS creates a special account
called IUSR_<ComputerName> for anonymous logons. However, if you install
IIS on a PDC, the IUSR_<ComputerName> account becomes a member of Domain
Users. As a result, NTFS permissions granted to Domain Users also apply to
anonymous requests, and anonymous users have the same access as the Domain
Users.
RESOLUTION
To correct this problem, remove IUSR_<ComputerName> from the Domain Users
global group and add it to the Guest group using User Manager for Domains.
NOTE: Any user account that you create on a PDC automatically becomes a
member of the Domain Users group.
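The following added example (not part of the original article or any Microsoft code) models the access check in simplified form to show why the NTFS permissions stop separating anonymous from domain users on a PDC, and how the group change restores the separation. The computer name WEB01, the page paths, the ACL contents and the non-PDC group membership are assumptions; deny entries and access masks are not modelled.

```python
ANON = "IUSR_WEB01"            # constructed: IUSR_<ComputerName> for a server named WEB01
DOMAIN_USERS = "Domain Users"
GUEST = "Guest"                # group name as written in the RESOLUTION section

# Constructed NTFS permissions: principals granted Read on each page.
ACLS = {
    "/public/index.htm": {DOMAIN_USERS, ANON},
    "/private/report.htm": {DOMAIN_USERS},
}

def anonymous_groups(on_pdc, resolution_applied=False):
    """Groups held by the IUSR account in the scenarios the article describes."""
    if on_pdc and not resolution_applied:
        return {DOMAIN_USERS}   # every account created on a PDC joins Domain Users
    return {GUEST}              # assumption for the non-PDC case; stated fix for the PDC case

def can_read(account, groups, path):
    """Allow-only check: access if the account or any of its groups is listed."""
    principals = {account} | groups
    return bool(principals & ACLS[path])

def anonymous_access(on_pdc, resolution_applied=False):
    """Map each page to whether an anonymous request can read it."""
    groups = anonymous_groups(on_pdc, resolution_applied)
    return {path: can_read(ANON, groups, path) for path in ACLS}

def unintended_exposure(on_pdc, resolution_applied=False):
    """Pages anonymous users reach only through Domain Users membership."""
    access = anonymous_access(on_pdc, resolution_applied)
    return sorted(p for p, ok in access.items() if ok and ANON not in ACLS[p])

if __name__ == "__main__":
    for label, args in [("non-PDC server", (False,)),
                        ("PDC, default", (True,)),
                        ("PDC, after fix", (True, True))]:
        print(label, anonymous_access(*args), unintended_exposure(*args))
```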