In the vein of least privilege, a very useful tool for tracking and fixing LUA (Least User Access) issues is "LUA Buglight", available from this page: http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx or directly from: http://blogs.msdn.com/aaron_margosis/attachment/691411.ashx

I've found this to be more helpful in this context than the SysInternals tools, though they are wonderful as well.

Seren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of k levinson
Sent: Friday, October 27, 2006 5:38 PM
To: [email protected]
Subject: Re: IIS Security

The specific reason is "least privilege," which is an industry standard best practice. Unless the application needs to create or manage accounts, it does not need to be a local Administrator. Everything else the application needs to be able to do consists of permissions that can be granted to a regular non-Administrator user.

The main reason for granting Administrator privileges to accounts that don't need to administer other accounts is that the person is too lazy or too ill-informed to determine the permissions that are really needed. If someone compromises your application somehow, do you really want them to automatically be able to use the permissions gained to create accounts and otherwise have total control over everything on the compromised system?

People typically use the Filemon, Regmon and sometimes Process Explorer utilities, free from www.sysinternals.com, while running the application without admin privileges to determine what files, registry values and other privileges are lacking. Or, Microsoft also makes the free Application Compatibility Toolkit for the same purpose, for Windows XP and newer.

The last link below has a long list of the advantages of least privilege:

www.microsoft.com/downloads/details.aspx?FamilyId=4005DA79-933A-4CC8-BF86-FE2E28B792FD&displaylang=en
www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/
www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

regards,
Karl Levinson, CISSP, MCSE

====================================
From: [EMAIL PROTECTED]
To: [email protected]
Subject: IIS Security

We've a vertical package that includes a web based portal (quite common for many Enterprise packages). The problem lies in some of the requirements that the company puts on running this portal. The major one is that of adding the IUSR_machinename account to the local admin group. I know this is horrible, but need specific reasons why this shouldn't be done so that I can bring it to my boss and get it fixed.
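The fix Karl describes, put into a script, as an added example that is not part of the thread and not written by any of its participants: it checks whether the IIS anonymous account is in the local Administrators group, takes it out, and grants that account only the NTFS rights a web application needs. The application path C:\inetpub\wwwroot\portal, the writable App_Data subfolder and the IUSR_<COMPUTERNAME> naming (IIS 5/6) are assumptions, not details from the thread; the exact folders to grant should come from watching the portal with Filemon/Regmon while it runs without admin rights, as the reply suggests.

```powershell
<#
  Added example (not from the thread or its authors): replace "IUSR_machinename
  in local Administrators" with the specific permissions the portal needs.
  Assumptions not stated in the thread: the portal lives under
  C:\inetpub\wwwroot\portal and writes only to its App_Data subfolder; the
  anonymous account is IUSR_<COMPUTERNAME> (IIS 5/6 naming).
  Run from an elevated PowerShell prompt on the web server.
#>
param(
    [string]$Account   = "IUSR_$env:COMPUTERNAME",            # assumed anonymous account
    [string]$AppRoot   = 'C:\inetpub\wwwroot\portal',          # assumed application root
    [string]$WritePath = 'C:\inetpub\wwwroot\portal\App_Data'  # assumed only writable folder
)

# Parse 'net localgroup Administrators' (present on every Windows version):
# drop the header, separator and trailer lines so one member name remains per line.
function Get-LocalAdminMembers {
    net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|The command|-+)' } |
        ForEach-Object { $_.Trim() }
}

# 1. Audit: the condition the original poster is worried about. A compromised
#    web process running as a local Administrator can create accounts and
#    change anything on the box, which is exactly what least privilege prevents.
if (Get-LocalAdminMembers | Where-Object { $_ -ieq $Account }) {
    Write-Warning "$Account is a local Administrator; removing it from the group."
    net localgroup Administrators $Account /delete | Out-Null
} else {
    Write-Host "$Account is not a local Administrator."
}

# 2. Grant only what the application needs. (OI)(CI) makes the entry inherit
#    to files and subfolders. Read & Execute on the application tree...
icacls $AppRoot /grant "${Account}:(OI)(CI)RX" | Out-Null

#    ...and Modify on the one folder it actually writes to. Do not grant Full
#    Control (F) or Modify on the whole web root: a file an attacker manages to
#    write there would be served and executed by the same account.
icacls $WritePath /grant "${Account}:(OI)(CI)M" | Out-Null

# 3. Show the resulting ACLs so the change can be reviewed, then re-test the
#    portal as the non-admin account and add rights only where Filemon/Regmon
#    show an ACCESS DENIED.
icacls $AppRoot
icacls $WritePath
```

The script deliberately grants rights per folder rather than to the whole server: every extra path the account can write to is another place a compromised request can drop content. On IIS 6 the application pool identity (Network Service by default) is a separate account from IUSR and would need the same review.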
