IUSR & IWAM Accounts

[skialta]

My company is very security conscious and we are trying to determine if the passwords should be changed for the IUSR & IWAM accounts on all of our IIS boxes. Can you please give your 2 cents and if possible provide links to sites that can support the best practice. Thanks!

 

[Niksen]

I wouldn't worry too much, those are low privilege accounts made for this purpose.

a few words about it here

http://support.microsoft.com/default.aspx/kb/236855

brgds Nicolai

 

[skialta]

Thanks Niksen, what about the IUSR account? That is a different account for running the IIS service itself unless I'm mistaken.

 

[Niksen]

actually, as anonymous access to the server is not allowed, the IUSR_computername account was made to impersonate the anonymous user (which a public webserver by nature get loads of)
webservice runs on "system" account which is a secure account which can't be used for anything than run stuff locally. noone can connect with system from outside.
You can actually remove ntfs permissions on the homefolders and still run the webserver. You will then get these red marks in IIS manager because it cannot read in the folders, but it will still serve pages as the IUSR can read the files.

overall i would say, if youre running win2k remember to lock IIS down with iislockdown tool, in win2k3 IIS is locked down from out of the box.then control the rest with ntfs settings.

brgds Nicolai

 

[skialta]

Thanks again, for the clarification...do you know of any links, preferably Microsoft's site?

 

[Niksen]

i think you can fill some hours with this link

http://www.microsoft.com/technet/security/prodtech/iis.mspx

brgds Nicolai