fwrs
Thu Mar 31 08:13:05 CST 2005
Thanks to everyone for your replies. This was not something I was choosing to
do but was being mandated as part of a web security audit/checklist. You know
Security...lock it down til it doesn't work. I will try to get them to
consider your suggestions as an alternative. Thanks again.
"David Wang [Msft]" wrote:
> Changing the logon account for those three services (IIS Admin, HTTP SSL,
> and WWW) is not supported. Please describe the reasons that you are trying
> to do this.
>
> Believe me, with IIS6 you do not need to change those user accounts from a
> security perspective because no user code runs in them. And any security
> audit that requires changing them is 100% wrong because from IIS
> perspective, you are simply misconfiguring the server and it should
> rightfully fail.
>
> All user code runs in w3wp.exe, whose process identity is 100% customizable
> and controllable by the user, and it should give you all the flexibility
> that you need. And in IIS5 Compatibility Mode, the security situation is
> not different than IIS5 on W2K (user code can run in LocalSystem on
> inetinfo.exe) -- but the goal is compatibility. If you want security, use
> the IIS6 Process Model.
>
> But in no case should you think about changing the logon account and then
> expect things to magically work.
>
> A very common misconception is that if an identity has all privileges (or if
> you enable anonymous access), that all requests/actions should NEVER get
> access denied (that's what the exit code of "5" means). Clearly, that is
> false, because if an identity never had any ACL on the resource to begin
> with, or if the resource has a deny ACL for that identity, the identity will
> not be allowed to access the resource, period. No matter the privileges held
> by the identity. There is no privilege that says "the user never gets access
> denied". There is a privilege that says the user can change any ACL.
>
> In other words, System Administrators can get access denied. What is special
> about administrators is that they have the power to CHANGE an ACL, so they
> may be initially denied access, but they can later change the ACL such that
> they are allowed access.
>
> --
> //David
> IIS
>
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "fwrs" <fwrs@discussions.microsoft.com> wrote in message
> news:A7ABAF84-8AE9-4101-A38C-A23CFAE2D5B9@microsoft.com...
> Within IIS 6, I am trying to change the Logon account for all of the IIS
> services (IIS Admin, HTTP SSL, and WWW) from the Local System account to a
> custom account in the Administrators group. Whenever I try to start IIS
> Admin, the service terminates with an error in the Event Log: "Access is
> Denied". When I set the Logon account back to the Local System account,
> services start.
>
> The Administrators group has the required permissions on inetinfo.exe and
> the system32 and inetsrv directories. In the Local Security Policy, I've
> tried giving the Administrators group the "replace a process level token" and
> "adjust memory quotas for a process" rights (Administrators group has most
> rights already).
>
> After researching on Microsoft's site, I ran the command line below:
> sc query IISADMIN
> It showed that the STATE was "STOPPED" and the WIN32_EXIT_CODE was 5.
>
> Does anyone have any ideas?
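The two checks a reviewer of that security audit would actually want are the ones David Wang's reply implies: confirm the IIS service hosts still run as their built-in account, and look for explicit Deny ACEs on the IIS binaries, since a Deny ACE is what produces "Access is Denied" regardless of the account's privileges. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the Windows Server 2003 service names IISADMIN, HTTPFilter and W3SVC and an elevated PowerShell 3 or later session on the IIS host.

```powershell
# Added example, not from the thread. Audits the two points in the reply above:
#  1. the IIS service hosts must keep their built-in logon account (LocalSystem);
#     per-site identity belongs on the application pool (w3wp.exe), not the service;
#  2. a Deny ACE on a resource beats any privilege the account holds, so even an
#     administrator can be told "Access is Denied" (WIN32_EXIT_CODE 5).
# Assumptions: service names IISADMIN / HTTPFilter / W3SVC (Windows Server 2003
# names); run in an elevated PowerShell 3+ session on the IIS host.
param(
    [string]   $Account = 'BUILTIN\Administrators',
    [string[]] $Paths   = @("$env:SystemRoot\system32\inetsrv",
                            "$env:SystemRoot\system32\inetsrv\inetinfo.exe")
)

# --- 1. Service logon identity and last Win32 exit code --------------------
$services = 'IISADMIN', 'HTTPFilter', 'W3SVC'
foreach ($name in $services) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed"; continue }
    $verdict = if ($svc.StartName -eq 'LocalSystem') { 'OK' }
               else { 'CHANGED - unsupported, revert to LocalSystem' }
    # ExitCode is the value 'sc query' reports as WIN32_EXIT_CODE (5 = ERROR_ACCESS_DENIED)
    '{0,-10} state={1,-8} exit={2,-3} logon={3,-22} {4}' -f `
        $name, $svc.State, $svc.ExitCode, $svc.StartName, $verdict
}

# --- 2. Explicit Deny ACEs on the IIS binaries and directories -------------
foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path not found"; continue }
    $acl  = Get-Acl -LiteralPath $path
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    if ($deny.Count -eq 0) { "$path : no Deny ACEs"; continue }
    foreach ($ace in $deny) {
        # Deny ACEs are evaluated before Allow ACEs and no privilege overrides them.
        # A Deny for a group still hits every member, so this only flags the literal
        # account name; resolve group membership separately if the name differs.
        $hit = if ($ace.IdentityReference.Value -eq $Account) { '<-- affects requested account' } else { '' }
        '{0} : DENY {1,-20} {2} {3}' -f $path, $ace.IdentityReference, $ace.FileSystemRights, $hit
    }
}
```

Any service reported as CHANGED is the misconfiguration the reply describes; a Deny line on inetsrv or inetinfo.exe explains an exit code of 5 even for a member of Administrators.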