I followed the instructions from the IMail Release notes very carefully.
I couldn't find the settings for how to run the administration without having
the login dialog box. The problem might be that we really separated
Programs and Data as far as possible.

One thing I noticed is that there is a requirement that the user be granted rights to "Act as part of the operating system". In my case, I created a separate anonymous user, and the installation program did not automatically modify my local security policy. I haven't done this yet - I don't know if this is for purposes of service control, or if it will eliminate the login prompt also. Presumably this is still much better than granting the anonymous user full administration privileges.

I'm not really into hacking, but what are the consequences if
IIS anonymous needs write access? What can a hacker do
with this?

As you note, it would need to be combined with a security hole to be dangerous. Although there have not been any IIS exploits in the last several years, we cannot say there would not be any in the future. There is a lot of surface area - the entire web client application and .NET, as well as IIS. Standard layered security might prevent a full server root break-in if they can gain only privileges granted to an anonymous web application user.


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
