David
Sat May 03 18:10:53 CDT 2008
On May 3, 6:58 am, "awrigh...@hotmail.com" <awrigh...@hotmail.com>
wrote:
> On May 2, 11:56 pm, David Wang <w3.4...@gmail.com> wrote:
>
> > On May 2, 4:48 am, "awrigh...@hotmail.com" <awrigh...@hotmail.com>
> > wrote:
>
> > > I have a Windows 2003 server that's just in a workgroup, no domain/ad,
> > > etc. I've applied a custom policy to the server, tweaking a variety
> > > of rights and settings. The policy takes, but after every reboot, the
> > > IUSR, IWAM accounts and IIS_WPG group are automatically getting added
> > > back to a handful of "User Rights Assignment" permissions, such as
> > > "access this computer from the network", "log on locally", "log on as
> > > a batch job", among others. This MS article documents that these are
> > > the default IIS permissions, but it seems as if after every reboot,
> > > they're being forced back on me. My apps don't require all of these
> > > permissions.
>
> > > http://www.microsoft.com/mspress/books/sampchap/5804.aspx
>
> > > Any idea what could be going on and/or how I can keep these
> > > permissions from getting automatically re-added to my policy after a
> > > reboot? Thanks.
>
> > > Steve
>
> > As LocalSystem, INETINFO.EXE is putting those default requirements
> > back, and there is no way to stop it. For every user like you who
> > asks about the permissions, there are dozens who expect the defaults to
> > be present and that they happen "automagically".
>
> > For every user who manages to create a tighter security policy that
> > works, there are hundreds, thousands, who create tighter security
> > policies that do not work, and they complain why IIS doesn't just make
> > itself "work". Some even ask "what are the minimal necessary rights",
> > not realizing that it is an intersection between IIS and their
> > application's needs -- and they don't even know the rights their
> > application needs yet -- so they become surprised when their
> > application fails with "minimal rights" and once again complain how
> > IIS can let applications run when they can only fail.
>
> > I hope you start to see the picture and the problem -- most users
> > expect to know very little yet have the system automatically work to
> > their varied desires.
>
> > Unfortunately, IIS cannot read your mind and make all parties happy.
> > And before you ask -- no, adding yet another registry switch which
> > controls this default behavior is just yet one more switch for people
> > to misconfigure and shoot themselves.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
>
> What you're saying is completely consistent with what I'm seeing. I
> just can't believe I can't find anything documented by Microsoft that
> discusses this. Thanks for the insight.
>
> Steve
Unfortunately, it is not feasible to discuss/document *every* single
design feature/decision of a product. Once again, people have an
automatic expectation that whatever they are looking for is
documented, and Microsoft has to make a cost/benefit tradeoff and
decide what people will most likely want to see documented and the
benefits of such documentation -- because given any software product,
there are an infinite number of things to document, just like there are
an infinite number of things to test -- and one has to make a tradeoff to
determine what to test and what to document. This subtle detail is not
well understood by most people in the world and is what makes software
a different sort of invention than existing, physical entities like
hardware.
My point is that something like what you are asking about simply would
not make this cost/benefit-adjusted list. Yes, it has real benefit to
you, but to the vast majority of people, this list makes no
difference, and to a subset, this information could be dangerous. And
there is a cost to creating/maintaining this information.
Imagine -- you can hardly find the right information given today's
documentation -- suppose there's a million times more documentation --
is that any more helpful?
Of course, customers (and government entities) tend to argue that
"everything" should be documented because every single detail can be
potentially useful to someone, yet at the same time, they expect to be
protected from the consequences of this disclosure of information.
Very irresponsible, in my opinion. What is important is access to
discover the right information, not necessarily full disclosure all
the time. We struggle with the same things in real life. No different
in the virtual world.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
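Since the thread's answer is that INETINFO.EXE restores the IIS defaults on every start and there is no switch to prevent it, the practical defensive step is to detect the drift rather than fight it: export the local User Rights Assignment after each reboot and diff it against the policy you intended. The script below is an added example written for this page, not code from the thread or from Microsoft. It parses the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export (a real command; the sample INF text, the `WEB01` account names and the `BASELINE` dictionary are constructed for the demo) and reports two things: any principal holding a right that the baseline does not grant, and which rights now list `IUSR_*`, `IWAM_*` or `IIS_WPG` again. Real exports list most principals as `*S-1-...` SIDs, so translate those to names (or put the SIDs themselves in the baseline) before relying on the name pattern.

```python
"""Audit a secedit User Rights Assignment export for policy drift.

Added example, not from the thread. Assumes the policy was exported with
`secedit /export /cfg rights.inf /areas USER_RIGHTS` and that the INF file
was read into a string (secedit writes UTF-16; use encoding='utf-16').
"""
import re

# Constructed sample of an export. secedit writes well-known principals as
# '*SID'; the IUSR_/IWAM_/IIS_WPG names are constructed here for readability.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01,IWAM_WEB01,IIS_WPG
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,IUSR_WEB01
SeBatchLogonRight = *S-1-5-32-544,IWAM_WEB01,IIS_WPG
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Intended holders of each right after the custom policy is applied.
# Constructed for the demo (S-1-5-32-544 = Administrators, -545 = Users);
# the thread does not give the poster's actual policy.
BASELINE = {
    "SeNetworkLogonRight": {"*S-1-5-32-544", "*S-1-5-32-545"},
    "SeInteractiveLogonRight": {"*S-1-5-32-544"},
    "SeBatchLogonRight": {"*S-1-5-32-544"},
}

# Matches the IIS 6 default principals once SIDs have been resolved to names.
IIS_ACCOUNT_PATTERN = re.compile(r"^(IUSR_|IWAM_|IIS_WPG$)", re.IGNORECASE)


def parse_privilege_rights(inf_text):
    """Return {privilege: set(principals)} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = {p.strip() for p in value.split(",") if p.strip()}
        rights[name.strip()] = principals
    return rights


def find_drift(rights, baseline):
    """Principals present in the export but not granted by the baseline, per right."""
    drift = {}
    for priv, allowed in baseline.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            drift[priv] = sorted(extra)
    return drift


def iis_defaults_readded(rights):
    """Rights whose holders include IUSR_*, IWAM_* or IIS_WPG (the re-added defaults)."""
    return {
        priv: sorted(p for p in holders if IIS_ACCOUNT_PATTERN.match(p))
        for priv, holders in rights.items()
        if any(IIS_ACCOUNT_PATTERN.match(p) for p in holders)
    }


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_INF)
    for priv, extra in find_drift(parsed, BASELINE).items():
        print(f"{priv}: not in baseline -> {', '.join(extra)}")
    for priv, accounts in iis_defaults_readded(parsed).items():
        print(f"{priv}: IIS defaults present -> {', '.join(accounts)}")
```

Run it from a scheduled task after boot and alert on a non-empty `find_drift` result; in the poster's situation the IIS entries will always show up, so the useful signal is any drift that is not one of those three principals.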