The IUSR_ account is used by IIS for anonymous requests to the filesystem (unless you've configured it otherwise) -- anonymous, in this case, meaning a Windows domain or local machine account, *not* an account inside of a web application.
Say, for example, that you're running a PHP-based product that performs its own authentication to a database of some flavor. This code will, under a default IIS configuration, all run under the IUSR_ account's privileges. Now you add the IUSR_ account to the local Administrators group. Any writes to the filesystem that the PHP application does will be done as that user, with local machine admin privileges -- so any bugs in the app may allow attackers to put arbitrary content to the hard drive as an admin user. You've got rootkit!

ASP.NET runs under the context of a separate, non-privileged account precisely for this reason.

Requiring IUSR_ to be a local admin is a serious sign of lack of clue on the part of these vendors. They need to explain to you exactly why the entire portal must run with local administrative privileges. You should also ask them for a written guarantee that there are no bugs in their code (or dependent code, including IIS and Windows) that attackers might be able to use to leverage this access into a free walk onto your machine.

--
Devin L. Ganger                 Email: [EMAIL PROTECTED]
3Sharp LLC                      Phone: 425.882.1032
15311 NE 90th Street            Cell: 425.239.2575
Redmond, WA 98052               Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 27, 2006 7:54 AM
To: [email protected]
Subject: IIS Security

We've a vertical package that includes a web based portal. (quite common for many Enterprise packages) The problem lies in some of the requirements that the company puts on running this portal. The major one is that of adding the IUSR_machinename account to the local admin group. I know this is horrible, but need specific reasons why this shouldn't be done so that I can bring it to my boss and get it fixed.
Thanks
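A practical way to verify the situation the thread describes on a given host: list who is in the local Administrators group and which account IIS actually uses for anonymous requests, then flag any overlap. The script below is an added example for this page, not code from either poster or from the vendor's portal. It assumes a Windows host with the LocalAccounts module (Windows 10 / Server 2016 and later) and the IIS WebAdministration module (IIS 7 and later); on an older box it falls back to parsing `net localgroup`, and the anonymous-identity lookup is skipped if WebAdministration is not present.

```powershell
# Added example (not from the original thread): check whether the IIS anonymous
# identity is a member of the local Administrators group.
# Assumptions: LocalAccounts module (Get-LocalGroupMember) and/or the
# WebAdministration module are available; otherwise the fallbacks below apply.

function Get-LocalAdministrators {
    # Returns the member names of the local Administrators group.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        return @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    }
    # Fallback for older hosts: parse 'net localgroup Administrators'. Members are
    # listed between the dashed separator line and the "The command completed" line.
    $members = @()
    $inList  = $false
    foreach ($line in (net localgroup Administrators)) {
        if ($line -match '^-+$')                { $inList = $true; continue }
        if ($line -match 'The command completed') { break }
        if ($inList -and $line.Trim())          { $members += $line.Trim() }
    }
    return $members
}

function Get-IisAnonymousIdentity {
    # Reads the anonymousAuthentication userName from applicationHost.config.
    # An empty userName means IIS uses the application pool identity instead.
    Import-Module WebAdministration -ErrorAction Stop
    $user = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'userName').Value
    if ([string]::IsNullOrEmpty($user)) { return '<application pool identity>' }
    return $user
}

$admins = Get-LocalAdministrators
try   { $anon = Get-IisAnonymousIdentity }
catch { $anon = '<WebAdministration module not available>' }

Write-Host "IIS anonymous identity: $anon"
Write-Host "Local Administrators members:"
$admins | ForEach-Object { Write-Host "  $_" }

# Flag the classic IUSR_<machine> account, the IIS 7+ built-in IUSR, and
# whatever account anonymous authentication is configured to use. Names may
# or may not carry a DOMAIN\ or MACHINE\ prefix depending on the source.
$bad = $admins | Where-Object {
    $_ -match '^(.*\\)?IUSR_' -or
    $_ -match '^(.*\\)?IUSR$' -or
    ($anon -notlike '<*' -and $_ -like "*$anon")
}

if ($bad) {
    Write-Warning "Anonymous web identity has local admin rights: $($bad -join ', ')"
    Write-Warning "Every file write the web application performs runs with those rights."
} else {
    Write-Host "OK: no anonymous web identity is a member of local Administrators."
}
```

Run it in an elevated PowerShell session on the IIS host. A warning line is the concrete evidence the original poster was asking for: the account that serves unauthenticated requests can write anywhere an administrator can, so any file-write bug in the portal becomes an administrative file write.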
