Yes, this is basically a repost, but seeing that I've gotten no responses to an issue that constitutes a serious security threat, I'll go ahead anyway.

Background: Most services on NT machines can be set to run as users other than the LocalSystem user. Being able to change IIS to run as another user, with restricted access, would constitute a great security increase, seeing that LocalSystem has access to more or less everything, and trying to restrict its access is not an easy matter. Most security problems we've seen with IIS are such that external users can run code/commands as LocalSystem.

My experiences: I've been experimenting with IIS4 (Site Server). The "Log on as" fields in the service control for IIS W3SVC are normally grayed out. This is due to the fact that it runs in the same process as the IIS Admin Service. The temporary workaround is to change the registry key \\HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Type from 0x20 to 0x10. This means it'll run as its own process on its next startup (which, by the way, won't work). When the Type flag for all IIS-related services is set to 0x10, you're able to change the "Log on as user" field. My thought was to change the user setting, change the flag back to 0x20, and I'd have a More Secure(tm) IIS up and running. This is not the case - the IIS Admin service hung on startup.

Other technical information: The user running the IIS service needs to have (at least) "Act as part of the operating system" privileges, and probably "Increase quotas" (sp?) privileges. Maybe also be allowed to "Create token objects" (sp?)? I apologise if my privilege names are all wrong; I'm freely translating them from Swedish. :-( Microsoft docs list the first two privileges as prerequisites for many impersonation system calls.

So, has anyone had any (positive?) experiences in running IIS as a user other than the LocalSystem user?
I'm guessing it's easier to do this with IIS 3, but since there are so many unpatched holes in it (that I doubt Microsoft will get around to fixing), I don't see running IIS 3 as a viable option any longer.

<rant> Please don't tell me to run another web server. I already do. There are however others who don't, and simply won't change. - I can't wait until Russ releases the in-depth info on the RDS exploit, which reportedly compromises ~99% of all IISes by giving you "command line" access _as_LocalSystem_. *drool* </rant>

Thanks in advance,
/Mikael

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]

- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
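The checks a practitioner would want before repeating the experiment above, as an added example that is not part of Mikael's post: it reads the Type value and the logon account (ObjectName) of the IIS service keys from the registry, decodes the Win32 service-type bits (SERVICE_WIN32_OWN_PROCESS = 0x10, SERVICE_WIN32_SHARE_PROCESS = 0x20, the two values the post switches between), and exports the local user-rights policy with secedit to show who currently holds the privileges the post names. The canonical privilege constants are the Windows ones: "Act as part of the operating system" is SeTcbPrivilege, "Increase quotas" is SeIncreaseQuotaPrivilege (now listed as "Adjust memory quotas for a process"), "Create a token object" is SeCreateTokenPrivilege. The service names MSFTPSVC and SMTPSVC, the function names, and the temp-file path are assumptions of this example; only IISADMIN and W3SVC appear in the post. The post reports that IIS Admin hung after the flag was changed back, so the Set-ServiceOwnProcess function is for a test machine, not production.

```powershell
# Added example (not from the post). Assumes the standard service registry
# layout under HKLM:\SYSTEM\CurrentControlSet\Services and the Win32
# SERVICE_TYPE bit values. Run from an elevated PowerShell prompt.

# Win32 service-type bits (Windows SDK winsvc.h)
$SERVICE_WIN32_OWN_PROCESS   = 0x10
$SERVICE_WIN32_SHARE_PROCESS = 0x20

# IISADMIN and W3SVC are named in the post; MSFTPSVC and SMTPSVC are assumed
# IIS 4 siblings and are skipped if the key does not exist.
$IisServices = @('IISADMIN', 'W3SVC', 'MSFTPSVC', 'SMTPSVC')

function Get-ServiceProcessModel {
    param([string[]]$Name = $IisServices)
    foreach ($svc in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Service      = $svc
            Type         = ('0x{0:X}' -f $p.Type)
            OwnProcess   = [bool]($p.Type -band $SERVICE_WIN32_OWN_PROCESS)
            ShareProcess = [bool]($p.Type -band $SERVICE_WIN32_SHARE_PROCESS)
            LogOnAs      = $p.ObjectName      # 'LocalSystem' or DOMAIN\user
            ImagePath    = $p.ImagePath
        }
    }
}

# The registry edit the post describes: replace the share-process bit (0x20)
# with the own-process bit (0x10) so the "Log on as" fields become editable.
# Takes effect at the next service start. -Revert puts 0x20 back.
function Set-ServiceOwnProcess {
    param([Parameter(Mandatory)][string]$Name, [switch]$Revert)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $type = (Get-ItemProperty -Path $key).Type
    $new  = $type -band (-bnot ($SERVICE_WIN32_OWN_PROCESS -bor $SERVICE_WIN32_SHARE_PROCESS))
    $new  = $new -bor $(if ($Revert) { $SERVICE_WIN32_SHARE_PROCESS } else { $SERVICE_WIN32_OWN_PROCESS })
    Set-ItemProperty -Path $key -Name Type -Value $new -Type DWord
    '{0}: Type 0x{1:X} -> 0x{2:X}' -f $Name, $type, $new
}

# User rights the post names, keyed by their privilege constants.
$RightsOfInterest = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process (formerly "Increase quotas")'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeServiceLogonRight           = 'Log on as a service'
}

# Exports the local security policy's user-rights area with secedit and
# reports which accounts hold each right of interest. Entries of the form
# '*S-1-5-...' are raw SIDs and are translated to account names where possible.
function Get-LocalUserRights {
    $inf = Join-Path $env:TEMP 'userrights-export.inf'   # assumed temp path
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf
    Remove-Item $inf -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $RightsOfInterest.ContainsKey($Matches[1])) {
            $right = $Matches[1]
            $holders = $Matches[2] -split ',' | Where-Object { $_.Trim() } | ForEach-Object {
                $h = $_.Trim()
                if ($h.StartsWith('*')) {
                    try { ([System.Security.Principal.SecurityIdentifier]$h.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $h.Substring(1) }
                } else { $h }
            }
            [pscustomobject]@{ Right = $right; Description = $RightsOfInterest[$right]; Holders = ($holders -join '; ') }
        }
    }
}

Get-ServiceProcessModel | Format-Table -AutoSize
Get-LocalUserRights     | Format-Table -AutoSize
# Set-ServiceOwnProcess -Name W3SVC          # the post's registry change
# Set-ServiceOwnProcess -Name W3SVC -Revert  # back to 0x20
```

Running the first two commands before any change gives a baseline: every IIS key should show Type 0x20 with LogOnAs = LocalSystem, and the rights table shows which accounts would need SeTcbPrivilege and SeIncreaseQuotaPrivilege granted before a non-LocalSystem service account could impersonate callers. Granting SeTcbPrivilege to an account makes it roughly as powerful as LocalSystem for impersonation purposes, which is the caveat to weigh against the gain the post is after.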
