Subject: Re: IIS anonymous user - who?
From: Maxime Rousseau (mrousseau LABCAL.COM)
Date: Wed Jul 19 2000 - 09:04:15 CDT
If you remove the IUSR account from the web pages' ACLs (or the whole
system) it doesn't really matter if Everyone still has access. Everyone
includes null pipes or anonymous connections, that is why you see the
behaviour you are describing. If by 'Everyone' you want only 'all the NT
users' you might want to change it to 'Authenticated Users' or
something. To have really fine control over who sees what, you might
want to only work with IUSR and remove the 'Everyone' all around. But
that's just me.
M.
! -----Original Message-----
! From: VULN-DEV List [mailto:VULN-DEV SECURITYFOCUS.COM] On Behalf Of
! Chris Erasmus
! Sent: Monday, July 17, 2000 2:34 PM
! To: VULN-DEV SECURITYFOCUS.COM
! Subject: IIS anonymous user - who?
!
!
! Recently we noticed something interesting about MS IIS 4.0, here is the
! scenario:
!
! Windows NT 4.0, SP 4.
! Default installation NT Option Pack.
!
! One way of not allowing anonymous access to a website is via the Internet
! Service Manager, but we were toying with another idea. What will happen if
! you delete the IUSR_Computername account completely? Surely anonymous
! access to the default website will be disallowed. No. To our surprise it
! wasn't. The account used for anonymous access was confirmed to be the
! IUSR_Compname. The service is running as System. Anonymous access was only
! denied after removing the Everyone group from the default.asp page's
! permission list. Administrator and System still had access to the page.
!
! Does anyone know why this happens or where we are making a mistake? Who's
! accessing the page?
!
! Thanks
! Chris Erasmus
!
! www.sensepost.com
!
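
An audit for the situation discussed in this thread, as an added example that is not part of either message: it walks a web content tree and reports allow ACEs held by Everyone, Anonymous Logon or Authenticated Users, plus ACEs whose SID no longer resolves (what a deleted account such as IUSR leaves behind). The default path and the function name `Get-BroadAce` are assumptions.

```powershell
# Added example (not from the thread): list ACEs on web content that grant
# access to broad groups, or that belong to an account that no longer exists.
param([string]$WebRoot = 'C:\inetpub\wwwroot')  # assumed content path

# Well-known SIDs, so the check does not depend on localized group names.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-BroadAce {   # hypothetical helper name
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip
        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $who = $BroadSids[$rule.IdentityReference.Value]
            if (-not $who) {
                try {
                    $null = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount])
                    continue   # resolves to a specific account or group: not reported
                } catch [System.Security.Principal.IdentityNotMappedException] {
                    $who = 'Unresolved SID (deleted account?)'
                }
            }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $who
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-BroadAce -Path $WebRoot | Sort-Object Path, Principal | Format-Table -AutoSize
```

Rows for Everyone are the entries the reply suggests replacing with Authenticated Users or with the IUSR account alone.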