Anonymous authentication allows a user to access web and FTP sites without having to provide a username and password. When a client user accesses a web or FTP site, IIS uses the Internet Guest Account to authenticate that user. The Internet Guest Account is created when IIS is installed, and it is named IUSR_<Computername>, where <Computername> is the name of the host machine. Having an account to use for anonymous access allows you to configure which resources all anonymous users can access on your server. The anonymous account is also added to the Guests group when IIS is installed, so any restrictions or permissions applied to that group also apply to the account.
Note: If your computer is renamed, the Internet Guest Account does not change and continues to use the old machine name. Because user accounts use security identifiers (SIDs) to identify themselves, changing the computer name doesn’t affect the account name.
When IIS receives a request, it automatically attempts anonymous authentication first. If anonymous authentication fails, IIS attempts to log the user on using another enabled authentication method. If no other authentication methods are enabled, IIS sends a “403 Access Denied” HTTP error message to the client.
Tip: You can use any user account that you wish for anonymous access, including the Administrator account. You can change access settings in the item’s Properties window’s Directory Security tab, accessible by right-clicking the item in the IIS Microsoft Management Console (MMC) snap-in and choosing Properties. (By the way, even though you can do it, don’t use the Administrator account for anonymous access.)
One major change in how anonymous access works is that the default logon type has changed from INTERACTIVE to NETWORK_CLEARTEXT. Previously, every user account accessing IIS needed the Log On Locally right. Now that NETWORK_CLEARTEXT is the default, anonymous access no longer requires Log On Locally, which reduces the exposure created by giving IIS accounts more rights than they need.
Four main classifications of authentication are used in IIS:
INTERACTIVE
BATCH
NETWORK
SERVICE
NETWORK_CLEARTEXT is a type of NETWORK logon, and it is also used as the default for Basic authentication.
If you’ve used IIS 5, you may notice that IIS 6 doesn’t support automatic password synchronization out of the box. Automatic password synchronization allowed IIS to control the password of any account used for anonymous access. Needless to say, this was a security risk, because the dynamic link library that implemented it (IISSUBA.DLL) could be used to change the password for any account. This feature is turned off by default in IIS 6. You can, however, enable it if you want, but only if the following conditions are met.
The worker process configured for the application has to run as LocalSystem instead of Network Service.
IISSUBA.DLL must be registered as a Component Object Model (COM) component (using rundll32).
The metabase property, AnonymousPasswordSynch, needs to be enabled.
None of these configurations are present in a clean (default and unchanged) install of IIS 6. If you are not working from a clean install, note the following:
If you’re running in IIS 5.0 Isolation mode, the in-process applications will run as LocalSystem.
If you upgrade from Windows 2000 running IIS 5 to Windows Server 2003 (WS03) running IIS 6, and automatic password synchronization is enabled on your IIS 5 web site, the AnonymousPasswordSynch metabase property will be set, but the other two configuration changes will still need to be made.
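The three settings above, together with the earlier tip about not mapping anonymous access to the Administrator account, are all visible in the IIS 6 metabase, so an administrator can audit a server for them after an upgrade. The following Python script is an added example (not from the original text or from Microsoft) that parses a constructed MetaBase.xml fragment and flags a worker process running as LocalSystem, the password synchronization property being enabled, and anonymous access mapped to a privileged account. The attribute names (AnonymousUserName, AppPoolIdentityType, and the password-sync flag, checked under both the spelling used above and the shorter AnonymousPasswordSync) and the identity-type code for LocalSystem are assumptions about the metabase schema; the server name IUSR_WEB01 and the pool names are constructed sample values.

```python
"""Audit an IIS 6 MetaBase.xml fragment for risky anonymous-access settings.

Added example, not part of the original text. Attribute names and the
AppPoolIdentityType codes are assumptions about the metabase schema; the
XML below is constructed sample data, not a real server's configuration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed MetaBase.xml with password sync turned on,
# one app pool running as LocalSystem and one virtual directory whose
# anonymous account is Administrator.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration>
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC" AnonymousPasswordSynch="TRUE" AnonymousUserName="IUSR_WEB01" />
    <IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2" />
    <IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AnonymousUserName="IUSR_WEB01" AuthFlags="AuthAnonymous" />
    <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AnonymousUserName="Administrator" AuthFlags="AuthAnonymous | AuthNTLM" />
  </MBProperty>
</configuration>
"""

# AppPoolIdentityType codes (assumption): 0 = LocalSystem, 1 = LocalService,
# 2 = NetworkService, 3 = a specific configured account.
LOCAL_SYSTEM = "0"
# The text spells the property AnonymousPasswordSynch; accept the shorter
# spelling as well so the check is not defeated by a naming difference.
PASSWORD_SYNC_ATTRS = ("AnonymousPasswordSynch", "AnonymousPasswordSync")
# Accounts that should never back anonymous access (compared case-insensitively,
# with any DOMAIN\ prefix stripped).
RISKY_ANON_ACCOUNTS = {"administrator"}


def audit_metabase(xml_text):
    """Return a list of (metabase location, finding) tuples for risky settings."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():
        loc = node.get("Location")
        if loc is None:
            continue  # container elements carry no metabase path
        # Finding 1: automatic password synchronization enabled at this node.
        for attr in PASSWORD_SYNC_ATTRS:
            if node.get(attr, "").upper() == "TRUE":
                findings.append((loc, "anonymous password synchronization enabled"))
        # Finding 2: the worker process for this pool runs as LocalSystem.
        if node.tag == "IIsApplicationPool" and node.get("AppPoolIdentityType") == LOCAL_SYSTEM:
            findings.append((loc, "application pool runs as LocalSystem"))
        # Finding 3: anonymous access is mapped to a privileged account.
        anon = node.get("AnonymousUserName", "")
        if anon.split("\\")[-1].lower() in RISKY_ANON_ACCOUNTS:
            findings.append((loc, "anonymous access uses privileged account " + anon))
    return findings


if __name__ == "__main__":
    for location, finding in audit_metabase(SAMPLE_METABASE):
        print(location + ": " + finding)
```

Run against the sample above, the script reports three findings: the password-sync flag at /LM/W3SVC, the LegacyPool worker process running as LocalSystem, and the second site's root mapping anonymous access to Administrator. On a real server you would point `ET.parse` at the metabase file in the system's inetsrv directory (a copy, since IIS holds the live file) rather than the embedded sample.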