Understanding IUSR_<machine> account

Posted by liho1eye on Server Fault See other posts from Server Fault or by liho1eye
Published on 2011-01-28T20:54:02Z Indexed on 2011/01/28 23:28 UTC
Read the original article Hit count: 181

Filed under:
|
|

Namely how is setting read/write permission for this account different from giving read/write access in the IIS (Windows 2003, so it should be IIS6 if I am not mistaken).

Here is the issue: It looks like we had a security sweep and as a part of that IUSR account lost write access everywhere. A whole bunch of legacy ASP sites didn't like that at all...

My very surfacish understanding is that it is enough to deny write access in the IIS console to protect a website from someone just dropping random files into it, and IUSR access only has effect on the application scripts running server side, and thus can be safely given write access back.

edit:

The applications in question obviously require write access to their own web folders, otherwise this wouldn't be an issue at all. Question is how to configure IIS/application to both satisfy security and make them work. My first instinct was to change account which is used to run the app pool. However that is already set to NETWORK_SERVICE, and that guy already has full access to folders in question.

© Server Fault or respective owner

Related posts about security

Related posts about iis