iis security: Hello,

I have a server 2003 domain controller and 2 server 2003 web edition
webservers.
I would like to use a domain iusr and a domain iwam account which are on the
domain controller.
I can't figure out how to create these domain accounts, the iwam account on
the webserver is member of the IIS_WPG group which I can't find on the
domain controller.

I have a lot of questions and every help is very very welcome:

Is it possible to do this?
Is it wise to do this?
How do I create a domain iusr and iwam account?
What rights and policies do these accounts need to have?
Which directories must have these groups named in security?
How do I make the 2 webserver use the domain accounts?

Many thanks in advance

Emiel Kempen.

[quoted text, click to view]
The group is only on a W2k3 machine which has IIS installed (which
is not a wise choice for a domain controller, given a choice).
The domain accounts need membership in each group on the IIS machines
where their corresponding iusr/iwam now have membership. Also, you will
need to make sure they have the same user rights grants in group policy.

[quoted text, click to view]
yes

[quoted text, click to view]
depends
If you have a defined need for these accounts to be recognized
"off box", elsewhere in your network, then yes it is needed.
Otherwise, no, I do not feel it is wise in absence of a requirement.

[quoted text, click to view]
Like any other account, perhaps more restricted.
Two objectives: the accounts need all grants local on the IIS box(es)
that the IIS machine local accounts would have; and, the accounts
should be restricted so that all of their capabilities on the network are
understood (For example, is it really necessary that they be able to
access the server share where the employee handbook is stored ?
but is that not what happens if the accounts are in Domain Users?)

[quoted text, click to view]
above - all are found on the IIS box in the user rights and group
memberships
[quoted text, click to view]
you just set these as the accounts used by IIS in place of the iusr/iwam
but you must not let IIS manage the passwords.

[quoted text, click to view]

The following kb article details all the default permissions for IIS 6.
Just substitute the new domain accounts that you create anywhere that you
see IUSR and IWAM in this article. This should save you some time.
<http://support.microsoft.com/?id=812614>

Keep in mind that by default, in a clean installation of IIS the
application pools use the NETWORK SERVICE account and not IWAM. So, you
will have to configure each application pool in IIS to use your new IWAM
account. Generally speaking you can just add the new IWAM to the local
IIS_WPG groups on the IIS servers and that should take care of IWAM.

This kb article will also give you some directions for setting the iusr and
iwam accounts in the metabase. If you're running is IIS 5 Compatibility
Mode you will definitely have to also set the IWAM account in Component
Services. This article covers all these topics or points to the
appropriate resources.
<http://support.microsoft.com/?id=297989>

In addition to what Roger said, keep in mind that if you use one domain
account for both servers that this will mean that anything you do to this
account will impact both servers. So, if you reset the password on the
account you will have to also reset the passwords in the metabase for both
IIS servers. If the domain IUSR account is somehow locked out, both IIS
servers' anonymous access will be impacted.

HTH,

~Eric

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2005 Microsoft Corporation. All rights
reserved.