The IUSR_ account is used by IIS for anonymous requests to the
filesystem (unless you've configured it otherwise) -- anonymous, in this
case, meaning a Windows domain or local machine account, *not* an
account inside of a web application.

Say, for example, that you're running a PHP-based product that performs
its own authentication to a database of some flavor. This code will,
under a default IIS configuration, all run under the IUSR_ account's
privileges. Now you add the IUSR_ account to the local Administrator's
group. Any writes to the filesystem that the PHP application does will
be done as that user, with local machine admin privileges -- so any bugs
in the app may allow attackers to put arbitrary content to the hard
drive as an admin user. You've got rootkit!

ASP.NET runs under the context of a separate, non-privileged account
precisely for this reason.

Requiring IUSR_ to be a local admin is a serious sign of lack of clue on
the part of these vendors. They need to explain to you exactly why the
entire portal must run with local administrative privileges. You should
also ask them for a written guarantee that there are no bugs in their
code (or dependent code, including IIS and Windows) that attackers might
be able to use to leverage this access into a free walk onto your
machine.

--
Devin L. Ganger                    Email: [EMAIL PROTECTED]
3Sharp LLC                         Phone: 425.882.1032
15311 NE 90th Street                Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 27, 2006 7:54 AM
To: [email protected]
Subject: IIS Security

We've a vertical package that includes a web based portal.  (quite
common for many Enterprise packages)

The problem lies in some of the requirements that the company puts on
running this portal.

The major one is that of adding the IUSR_machinename account to the
local admin group.
I know this is horrible, but need specific reasons why this shouldn't be
done so that I can bring it to my boss and get it fixed.

Thanks
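A concrete way to check for the condition Devin describes (the IIS anonymous identity sitting in the local Administrators group) is the PowerShell audit below. It is an added example, not code from either poster; it assumes a Windows host with the `Get-LocalGroupMember` cmdlet (Windows 10 / Server 2016 and later) and, optionally, the `WebAdministration` module from the IIS role. The account names `IUSR_<machine>` (IIS 5/6, the era of the thread) and `IUSR` (IIS 7 and later) are the two well-known defaults; the configured name is read from IIS when the module is available.

```powershell
# Added example, not from the original thread: audit whether the IIS anonymous
# user (IUSR_<machine> on IIS 5/6, IUSR on IIS 7+) is a member of the local
# Administrators group, which is exactly what the vendor is asking for.
# Assumptions: Microsoft.PowerShell.LocalAccounts cmdlets are available
# (Get-LocalGroupMember, Windows 10 / Server 2016+) and, optionally, the
# WebAdministration module that ships with the IIS role.

function Get-IisAnonymousCandidates {
    # Names the anonymous identity may have on this box. The configured name is
    # read from IIS when the WebAdministration module is present; the two
    # well-known defaults are always included so the check works on older IIS.
    $names = @("IUSR_$env:COMPUTERNAME", 'IUSR')
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $prop = Get-WebConfigurationProperty -PSPath 'IIS:\' `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name userName
        if ($prop -and $prop.Value) { $names += [string]$prop.Value }
    }
    return ($names | Select-Object -Unique)
}

function Test-AnonymousUserIsLocalAdmin {
    param([string[]]$Candidates = (Get-IisAnonymousCandidates))
    # S-1-5-32-544 is the well-known SID of the local Administrators group, so the
    # check does not depend on the group's localized display name.
    # Member names come back as MACHINE\account or DOMAIN\account, so compare the
    # trailing account name case-insensitively.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name }
    foreach ($candidate in $Candidates) {
        foreach ($member in $members) {
            $account = ($member -split '\\')[-1]
            if ($account -ieq $candidate) {
                return [pscustomobject]@{ IsAdmin = $true; Member = $member }
            }
        }
    }
    return [pscustomobject]@{ IsAdmin = $false; Member = $null }
}

# Usage: run elevated on the IIS host. A finding means every anonymous request,
# and every file write the web application makes, carries local admin rights.
$result = Test-AnonymousUserIsLocalAdmin
if ($result.IsAdmin) {
    Write-Warning "IIS anonymous identity '$($result.Member)' is a local Administrator."
    # Remediation, once the vendor has explained what the portal really needs, is
    # to take the account out of the group and grant only the NTFS permissions
    # the portal's writable directories require, e.g.:
    #   Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $result.Member
} else {
    Write-Output "IIS anonymous identity is not in the local Administrators group."
}
```

The output of this check is the kind of specific evidence the original poster asked for: it ties the vendor's requirement to a named account that every anonymous web request runs as, and the remediation comment shows the least-privilege alternative (explicit NTFS grants instead of group membership).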
