iis security: I accidentally posted the following message in the ASP newsgroup, so I
thought I would post it here as it probably belongs in this group
instead.

I have what I think is a simple question but I am finding nothing but
complicated answers.

I have a web site running on IIS6. One directory used to use an
alternate account as the anonymous user (not the IUSR_ServerName
account) to connect to a database, etc. Now the pages in that
directory no longer do anything special and I just want to start using
the default IUSR_ServerName account again. I put that account back in,
but what do I put in as the password? I am reading all about security
improvements, network service vs. local system, unprivileged vs.
priveleged, etc. I realize there is no longer a "Let IIS control
password for anonymous account" option, but all I want to know is, HOW
DO YOU GET IT BACK TO THE DEFAULT???

Ok, I have figured this out - it may not be the bast way, so feel free
to comment. I downloaded the IIS Metabase Explorer (included in the
IIS6.0 resource kit from microsoft.com -
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71...)
Using metabase explorer, I navigated to (servername) -> LM -> W3SVC and
found the property AnonymousUserPass. By default, it doesn't display
secured data, so you have to select View -> Secure Data. Because I
didn't want to reconfigure all of my sites, I didn't want to change
this password, so I copied it and pasted it into IIS where you set the
anonymous account and password for the directory in question. Voila,
everything was happy (without restarting IIS - see
EnableEditWhileRunning property).

This seems silly to me for a couple of reasons. First, every document
I found said you have two options to fix this - enable
sub-authentication and run the directory as LocalSystem (effectively
disabling much of the security enhancements of IIS6.0), or edit the
metabase and change the password to a value know by you. The former
option is a complicated and unnecessary solution to a simple problem.
The latter option would require you to reset the password in IIS on
every site (and every folder in every site using a different
authentication method or account than the main site). Why didn't I
ever find a document that described what I did, which seems to me to be
the easiest way to just get back to the default?!

Another concern is that the password is stored in the metabase in plain
text. (Oh, but that's ok, because no hacker could ever figure out
using metabase explorer and figure out the option of view -> secure
data.?!?!?) Now I know that the IUSR account should have virtually no
privileges other than to read websites, but still, the concept of
storing an account's password in plain text is always disconcerting.

Another concern is the ability to take down every single website on
your server using anonymous access by editing your metabase and
changing the AnonymousUserPass property. Sounds like a hacker's dream
come true to me (granted, if they had access to your metabase, there's
probably lots worse things they could do...)

Please correct me in my assumptions if I am incorrect in anything I
have said - I am moving from IIS5 to IIS6, so I'm still learning the
ins and outs of IIS6.

[quoted text, click to view]
:
: This seems silly to me for a couple of reasons. First, every document
: I found said you have two options to fix this - enable
: sub-authentication and run the directory as LocalSystem (effectively
: disabling much of the security enhancements of IIS6.0), or edit the
: metabase and change the password to a value know by you. The former
: option is a complicated and unnecessary solution to a simple problem.
: The latter option would require you to reset the password in IIS on
: every site (and every folder in every site using a different
: authentication method or account than the main site). Why didn't I
: ever find a document that described what I did, which seems to me to be
: the easiest way to just get back to the default?!

Usually, the other situations apply when you no longer have access to the
original password (e.g. you changed it for all nodes within the metabase).
At that point in time, you can no longer find it in the metabase. So, either
you need to enable SubAuthentication (which allows IIS to control both the
password in the metabase *and* the local Windows Security Accounts Manager
(SAM) database -or- set the IUSR password in the SAM and then manually set
it in the metabase).

In your case you were lucky that you were able to find the previous IUSR
password defined elsewhere in your metabase, and recover it that way.

: Another concern is that the password is stored in the metabase in plain
: text. (Oh, but that's ok, because no hacker could ever figure out
: using metabase explorer and figure out the option of view -> secure
: data.?!?!?)

It's encrypted in the metabase using the current Windows installation's
machineKey. You can see this if you open the metabase.xml file in
notepad.exe or similar. Find the node that says "AnonymousUserPass" and you
will see that there is no plain-text password stored there.

: Another concern is the ability to take down every single website on
: your server using anonymous access by editing your metabase and
: changing the AnonymousUserPass property. Sounds like a hacker's dream
: come true to me (granted, if they had access to your metabase, there's
: probably lots worse things they could do...)

The relevant key is ACLed (i.e. there are Access Control Entries) which
prevent most users (e.g. LocalSystem and Administrators) from changing the
value. If you are an administrator on the system, you could do far worse to
the system than change the IUSR password!

Cheers
Ken