
iis security : Cannot Get Anonymous Access to Work


Will
4/18/2007 5:23:42 PM
I'm setting up an IIS 6.0 public server, and I've run into problems getting
anonymous access to work. We of course gave read access to the
IUSR_<MachineName> account to all of the application's files under InetPub,
but we are getting 401.3 errors indicating ACL problems.

If we select the "Windows Authentication" checkbox in the Authentication
settings dialog of IIS, then everything works. As soon as we deselect that
option and leave only Anonymous access, then access breaks again with 401.3.

We did follow the suggested guidelines in the Microsoft Knowledgebase for
both user rights and file system permissions for the IIS users.

--
Will

David Wang
4/19/2007 2:49:51 AM
If you get 401.3, then IUSR does not have access to the accessed
resource. If it seems mysterious, remember that anonymous access works
with default IIS6 setup, so your problem is likely due to some machine-
specific user misconfiguration. You have the unfortunate task of
figuring out what was intentionally broken on your server.

Use File Monitor from sysinternals.com to see what file IUSR is being
denied access to.

I would also open up secpol.msc and compare against a clean OS
installation to see if anything has been misconfigured/locked down.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Roger Abell [MVP]
4/19/2007 6:13:06 AM
Will,

Did you take action to effectively remove the Iusr_ or AppPool
accounts from (effective, as via Auth U or Interactive) Users?

Roger

Will
4/19/2007 4:47:33 PM
We have explicit grants on the IUSR_ account in the application directory
under InetPub.

We also validated the user security policy and file system permissions
against those recommended for IIS 6.0 on the Microsoft Knowledgebase.

I don't recognize any account or group name that is for an "AppPool". Can
you elaborate on that?

--
Will

Will
4/19/2007 10:13:36 PM
I read more about the application process pools and somehow overcame the
extremely obscure configuration interface Microsoft chose for this. At
least I see the intent to associate an application to an application pool,
and then run the pool in a separate process with an impersonated user
context.

We were using the default of Network Service, and we gave that user an
explicit grant to the content. I asked the developer to try switching to
the IWAM_Machine user context and give that user explicit grants on content
directories. No change (or so he claims).

I would like to better understand your comment that the AppPool account
needs to be in the Users group. That could well be our problem.

As you know we do remove Auth Users and Interactive from the local Users
group. Leave Auth Users when running IIS?

--
Will


David Wang
4/20/2007 2:49:38 AM
Since you are reading the documentation...

What exactly seems obscure to you? The Application Pool Configurable
Identity? Or something else?

Unfortunately, the following point is misunderstood by about 99% of
users, and I am not certain how to make it clear. The configurable
Application Pool identity has no control over the identity used to
execute code in the Application Pool.

Contrary to popular belief, it merely controls the process identity
(NOT the impersonated identity), which is not necessarily the same as the
identity used to execute code.

http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx

Now, you should give IIS_WPG (the group which all Application Pool
Identities belong to) List control, along with Read access to the
actual identity executing the URL, on the resource. Just ACLs for the
user is insufficient because in some instances IIS will end up
[inadvertently] probing the file resource with the process identity
(which should be in the IIS_WPG group) prior to actually accessing it
with the impersonated identity.

I still think it may be easier to run File Monitor to see exactly what
user is getting access denied to which resource and use it as a clue.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Roger Abell [MVP]
4/20/2007 4:24:53 AM
In my experience the accounts must be Users, but that is not
documented in detail as apparently MS assumes no one in
the world would think to remove Authenticated Users and
Interactive (which is likely the missing part for you) from
Users on their machines. Since, like yourself, I routinely
do remove these from Users, and since local groups cannot
be nested (hence one cannot add IIS_WPG to Users), I now
follow the practice of making sure all local accounts are Users
if they will have local login activities (login type 2).

Roger
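As an added example (not part of the thread), a small Python model of the two points made above: David's, that the worker process identity (an IIS_WPG member) needs List while the impersonated IUSR_ identity needs Read, and Roger's, that pulling Authenticated Users out of Users silently removes access that was only ever granted via Users. Rights are reduced to "read"/"list" rather than real Win32 access masks, and the account names and machine name WEB01 are constructed.

```python
# Added example (not from the thread): a toy model of the two access checks
# IIS 6 makes for an anonymous request. Rights are reduced to "read"/"list"
# (not Win32 masks); account names and the machine name WEB01 are constructed.
from dataclasses import dataclass

READ, LIST = "read", "list"

@dataclass(frozen=True)
class Ace:
    principal: str      # account or group the entry applies to
    rights: frozenset   # subset of {READ, LIST}
    allow: bool = True  # False models a Deny ACE

def identities_of(principal, membership):
    """Principal plus every group it belongs to, transitively
    (e.g. IUSR_WEB01 -> Authenticated Users -> Users)."""
    seen, todo = set(), [principal]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(membership.get(p, ()))
    return seen

def effective_rights(principal, acl, membership):
    """Windows-style evaluation: a matching Deny ACE wins over any Allow."""
    ids = identities_of(principal, membership)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in ids:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied

def anonymous_access_problems(acl, membership, process_identity, anon_identity):
    """ACL gaps that surface as 401.3: the worker process identity (an IIS_WPG
    member) needs List on the directory, the impersonated IUSR_ needs Read."""
    problems = []
    if LIST not in effective_rights(process_identity, acl, membership):
        problems.append(f"{process_identity} (process identity) lacks List")
    if READ not in effective_rights(anon_identity, acl, membership):
        problems.append(f"{anon_identity} (impersonated identity) lacks Read")
    return problems

# Constructed scenario: default box grants "Users" on the content; hardening
# then pulls Authenticated Users out of Users, which silently cuts both paths.
DEFAULT_MEMBERSHIP = {"NETWORK SERVICE": ["IIS_WPG", "Authenticated Users"],
                      "IUSR_WEB01": ["Authenticated Users"],
                      "Authenticated Users": ["Users"]}
HARDENED_MEMBERSHIP = {**DEFAULT_MEMBERSHIP, "Authenticated Users": []}
CONTENT_ACL = [Ace("Users", frozenset({READ, LIST}))]
```

On the hardened membership, adding only the explicit IUSR_ grant Will describes still leaves the process identity without List, which is the gap David points to; an IIS_WPG List entry clears it.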

David Wang
4/20/2007 12:37:44 PM
I tend to think that when one alters group membership or login type
that all bets are off.

The nice thing would have been if IIS6 documentation specified the
minimal set of required privileges/permissions for each activity so
that one can deconstruct the OS and its user groups all the way down
and then custom rebuild it.

However, it is not documented in such detail because we honestly do
not know - the product was not designed that way. Most products on
Windows are not designed that way.

The point is not that "apparently MS assumes no one in the world would
think to remove Authenticated Users and Interactive..." -- reality is
that MS most likely assumed and took most of those into consideration,
but due to costs (time/people) constraints, they are not covered...
especially if the option is not mainstream.

In the case of customized user privileges/permissions, the set of
users not caring about this information vastly outweigh the set of
users who want this information, to the point that it is a very tiny
minority for which an on-demand investigation is more appropriate and
cost-effective. MS assumes that if you wanted this information, you
would ask; but obviously, that is not your assumption. Just pointing
this out...


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Will
4/20/2007 3:59:16 PM
I think that this is a very perceptive and very true statement. And from
what I have seen I would go a step further and say that most users don't
care when they are hacked, when their networks are overloaded with trojans
and viruses, and most, even worse, are just blind to the activity entirely.
They assume if they can get past the login prompt and start the application
it is business as usual, no harm done. They only care when the result of
the hack is denial of service at which point they cannot ignore the side
effect of the intrusion. Anything subverted and hidden they absolutely
tolerate and do not care about. To me it is incredible, but I cannot deny
the observation that others do not share my concern about such things.

It's also clear that to secure a Microsoft network requires an almost
superhuman willpower to overcome obstacles at every stage: users do not
care; management does not care; Microsoft does not care about solving the
problem retroactively except by patching the default config. No
documentation to do anything past defaults is usually available. Any
attempt to self-cure the deficiencies results in mountains of catastrophic
and subtle failures, each of which requires unbelievable amounts of time and
personal initiative to overcome. I give Microsoft huge credit for its
forward-looking efforts, and the extraordinary efforts it is putting into
re-architecting future versions of Windows to better partition functionality,
better secure individual components, and run services in protected security
contexts that minimize the side effects of a buffer overload on a service.
The legacy stuff however is worse than a living hell.

So, yes, the price for stepping outside the box is high, and yes I agree
with you not many people care about stepping outside the box.

I think it depends on who you are. If you are General Motors or Citibank,
then no doubt you will get world class answers to any question. If you are
Joe Nobody, you will get squat. :)

I will however take my hat off to Microsoft's Shanghai support group, who
have consistently exceeded my every expectation, and I don't give praise
easily.

--
Will

Roger Abell [MVP]
4/20/2007 10:26:20 PM
Hi David,

Interesting comments. I will just add that, once Interactive was
added into Users (which as I understand it was initially in order
to support local login by the Guest account, if it were enabled
and allowed local login) we got into a situation where everything
was tested with this. As a result, if one attempts to remove the
broad access Users membership grants, many, many things break.
This is most unfortunate, and it all started in order to support an
end case (Guest enabled and allowed local login) that must be
a less than 1% usage case.

I am not sure you remember, but with IIS 4 one could define a
custom group, make all of one's Iusr_ and Iwam_ accounts
members only of that custom group (directly or indirectly)
and IIS would still work just fine and serve content for sites
using anonymous access (any level of process isolation).
Those were the good days as far as effecting site content
isolation on shared hosting IIS webservers, at least in that
particular aspect.

I enjoyed your candidly sharing your point of view, once again.
Roger

Roger Abell [MVP]
4/20/2007 10:28:54 PM
Some gentle, restrained understatement in there Will.
I applaud you on the showing.

Roger

Plamen
5/5/2007 6:02:50 PM
Hi.

Nobody will help you.

Because Microsoft are bad.
I have installed IIS6 and when I try to open PHP it gives

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the
requested resource.
Internet Information Services (IIS)

HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI
application.
Internet Information Services (IIS)
Did you see? Microsoft are bad.
These problems are from 2004 and again they are coming.

They can only give you information on what it is, but they can't give you
answers.
SHAME MICROSOFT.

That is it for now.

Goodbye.