Anonymous Logon

Silver Bullet · May 2006

_omni_ wrote:

Silver Bullet wrote:

w^rl0rd wrote:

If I have a folder w/ it's ACL allowing Anonymous Logon and someone plugged into my network having already locally authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.

Perhaps a policy disables anonymous network access?

No policy is restricting Anonymous Access.

Wow w^rlord......you are getting some in depth investigation here.

eurotrash · May 2006

Ok all ye doubters...well my experiment had some complications so i'm still working on it, but here's a question for you:

1. Does the IUSR account need to authenticate with the system in order to be used?

if yes,
2a. Is it then a member of the Authenticated Users group?

if no,
2b. How then can it be used, how can it have permissions applied to it, etc?

Silver Bullet · May 2006

_omni_ wrote:

Ok all ye doubters...well my experiment had some complications so i'm still working on it, but here's a question for you:

1. Does the IUSR account need to authenticate with the system in order to be used?

if yes,
2a. Is it then a member of the Authenticated Users group?

if no,
2b. How then can it be used, how can it have permissions applied to it, etc?

Here is another link for ya..... http://www.microsoft.com/technet/archive/proxy/integrat.mspx?mfr=true

The topic is labeled Using the Anonymous Account:
When IIS is first installed, a user account, called IUSR_computername, is created on the domain or in the local NT user database if the NT Server is a stand-alone server. Here, computername refers to the name of the NT Server. For example, the account created on our office network's primary domain controller was IUSR_KLSENT. This account was created when we initially installed IIS on the machine. In our network, this user account controls the level of access given to anonymous logons for all Microsoft Internet server applications.

Note: The anonymous account in your environment will be different and will correspond to the computername for each server providing Web services on your network.

Remember that the WWW server and the Web Proxy Server present authentication requests to the NT security layer as they would any normal user logon. If you have a password assigned to the anonymous account, be sure to indicate that password in the Anonymous Account field, or the WWW server and the Web Proxy Server will be unable to gain anonymous authentication when necessary. Normally, the anonymous account can have no password assigned to it because it doesn't have rights to normal network resources.

By default, the presence of this account grants anonymous users access to the WWW service without needing any further configuration. However, this is not true with the Web Proxy and WinSock Proxy services. In order to grant anonymous access to the protocols supported by the Web Proxy or the WinSock Proxy, protocol permissions must be granted to the IUSR_computername account, just as permissions for any other network users are granted. This is covered in more detail later in this chapter.

sprkymrk · May 2006

_omni_ wrote:

Ok all ye doubters...well my experiment had some complications so i'm still working on it, but here's a question for you:

1. Does the IUSR account need to authenticate with the system in order to be used?

if yes,
2a. Is it then a member of the Authenticated Users group?

if no,
2b. How then can it be used, how can it have permissions applied to it, etc?

Not sure of the MS answer, but off the top of my head (maybe that's why it hurts, why do I have stuff on top of it?):

When I visit your web site, did I log in? No.
Did I enter a password? No.
Do you know who I am? No.
Am I anonymous? Yes.

The IIS service just uses the IUSR account for anonymous log ins. If you want someone to be authenticated, then by definition they must be able to prove they are who they say they are (that's from Sec+ by the way

). I never said who I was. I just typed in your website and you said "let him in".

eurotrash · May 2006

Ha ok no one is falling for my trick question.

When I visit your web site, did I log in? No.
Did I enter a password? No.
Do you know who I am? No.
Am I anonymous? Yes.

The IIS service just uses the IUSR account for anonymous log ins. If you want someone to be authenticated, then by definition they must be able to prove they are who they say they are (that's from Sec+ by the way icon_smile.gif ). I never said who I was. I just typed in your website and you said "let him in".

Yes but while you are at my website, you are IUSR. In order for you to be able to use the IUSR account, it must be authenticated. If it is authenticated, it is a member of the Authenticated Users group. And anything that is a member of Authenticated Users CANNOT be a member of Anonymous Logons.

So my point is, that while they may be anonymous to you, you don't know who they are and all that nice abstract stuff, they have essentially logged in with the IUSR account and so while you and the system don't know who the person is, you DO know who they logged on as, and that is the IUSR account.
Again, the fact that they log on as IUSR means that the account must authenticate. The fact that the IUSR account must authenticate means that it is a member of the Authenticated Users group, and thus by definition cannot be a member of the Anonymous Logon group.

Now i will hit the sack and see if the light has dawned by tomorrow.

Open your mind...quit reading that MS stuff, it's confusing you... :P

Silver Bullet · May 2006

I see your point but......
Is the IUSR account being Authenticated? YES, it is being authenticated for an Anonymous User which makes it a member of the Anonymous LOGON Group.

sprkymrk · May 2006

_omni_ wrote:

Ha ok no one is falling for my trick question.

When I visit your web site, did I log in? No.
Did I enter a password? No.
Do you know who I am? No.
Am I anonymous? Yes.

The IIS service just uses the IUSR account for anonymous log ins. If you want someone to be authenticated, then by definition they must be able to prove they are who they say they are (that's from Sec+ by the way icon_smile.gif ). I never said who I was. I just typed in your website and you said "let him in".

Yes but while you are at my website, you are IUSR. In order for you to be able to use the IUSR account, it must be authenticated. If it is authenticated, it is a member of the Authenticated Users group. And anything that is a member of Authenticated Users CANNOT be a member of Anonymous Logons.

So my point is, that while they may be anonymous to you, you don't know who they are and all that nice abstract stuff, they have essentially logged in with the IUSR account and so while you and the system don't know who the person is, you DO know who they logged on as, and that is the IUSR account.
Again, the fact that they log on as IUSR means that the account must authenticate. The fact that the IUSR account must authenticate means that it is a member of the Authenticated Users group, and thus by definition cannot be a member of the Anonymous Logon group.

Now i will hit the sack and see if the light has dawned by tomorrow.

Open your mind...quit reading that MS stuff, it's confusing you... :P

I will agree with you on your last point only.

The rest of your explanation sounds like grasping for straws.

Come - join the dark side. Darth Gates is strong with the power of Windows! Bwahahahah!

eurotrash · May 2006

NEVER! I shall fight to the death!

READ:

Microsoft wrote:

Q: It is my understanding that the IUSR_<servername> account is a member of the Guests group by default. Consequently, how do I secure the IUSR_account, by applying NTFS permissions for Guests group?

A: Securing the IUSR account is essential, so it is important to understand how the IUSR account is used and to what groups the IUSR account belongs. To help in this, you can use the W3Who.dll program provided in the Windows 2000 Resource Kit. This little jewel will report the username, rights, and the group membership of the user that calls it. To implement this utility, simply call it from a web browser. For example, create a folder in a web site, check that is has anonymous access enabled and that NTFS permissions allow the IUSR account the NTFS execute permission. In addition, mark the folder for Scripts and Executables in the IIS snap-in. Then browse the file in Internet Explorer (http://servername/foldername/w3who.dll).

The resulting page will reveal a wealth of information about the IUSR account, as follows:

Access Token

• 'IISANSWERS\IUSR_IISANSWERS' S-1-5-21-790525478-1993962763-xxxxxxxxxxxxxxx
• 'IISANSWERS\None' S-1-5-21-790525478-1993962763-xxxxxxxxxxxxxx
• '\Everyone' S-1-1-0
• 'BUILTIN\Guests' S-1-5-32-546
• 'BUILTIN\Users' S-1-5-32-545
• '\LOCAL' S-1-2-0
• 'NT AUTHORITY\NETWORK' S-1-5-2
• 'NT AUTHORITY\Authenticated Users' S-1-5-11
• SeUndockPrivilege - Remove computer from docking station

Here, you can clearly see that the IUSR account is a member of Guests, Users, Authenticated Users, the Network Group, and Everyone. Consequently, anonymous users may have access to any resource these groups are permitted to access.

As you may or may not see, while it refers to them as anonymous users (lowercase), they are NOT a member of the Anonymous Logon group.

As you can very well see from the above, the IUSR account IS a member of the Authenticated Users group.

NOW READ THIS:

MS wrote:

The Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group.

GOT IT?? From the first quote, we see that IUSR is a member of the Authenticated Users group, and in the second quote we see that Anonymous Logon users are NEVER members of the Authenticated Users group.
It can only be one or the other, Authenticated or Anonymous.
And as we can see, it IS a member of the Authenticated Users group (and did you notice that of the groups listed, Anonymous Logon isn't there?) and therefore CANNOT POSSIBLE be a member of the Anonymous Logon group!

READ: link

IUSR_[servername] is a validated login that is used in order to allow
internet users connecting via IIS access to webpages you have decided should
be open to the public.

Its not the same as an anonymous connection at all.

sprkymrk · May 2006

_omni_ wrote:

NEVER! I shall fight to the death!

READ:

Microsoft wrote:

Q: It is my understanding that the IUSR_<servername> account is a member of the Guests group by default. Consequently, how do I secure the IUSR_account, by applying NTFS permissions for Guests group?

A: Securing the IUSR account is essential, so it is important to understand how the IUSR account is used and to what groups the IUSR account belongs. To help in this, you can use the W3Who.dll program provided in the Windows 2000 Resource Kit. This little jewel will report the username, rights, and the group membership of the user that calls it. To implement this utility, simply call it from a web browser. For example, create a folder in a web site, check that is has anonymous access enabled and that NTFS permissions allow the IUSR account the NTFS execute permission. In addition, mark the folder for Scripts and Executables in the IIS snap-in. Then browse the file in Internet Explorer (http://servername/foldername/w3who.dll).

The resulting page will reveal a wealth of information about the IUSR account, as follows:

Access Token

• 'IISANSWERS\IUSR_IISANSWERS' S-1-5-21-790525478-1993962763-xxxxxxxxxxxxxxx
• 'IISANSWERS\None' S-1-5-21-790525478-1993962763-xxxxxxxxxxxxxx
• '\Everyone' S-1-1-0
• 'BUILTIN\Guests' S-1-5-32-546
• 'BUILTIN\Users' S-1-5-32-545
• '\LOCAL' S-1-2-0
• 'NT AUTHORITY\NETWORK' S-1-5-2
• 'NT AUTHORITY\Authenticated Users' S-1-5-11
• SeUndockPrivilege - Remove computer from docking station

Here, you can clearly see that the IUSR account is a member of Guests, Users, Authenticated Users, the Network Group, and Everyone. Consequently, anonymous users may have access to any resource these groups are permitted to access.

As you may or may not see, while it refers to them as anonymous users (lowercase), they are NOT a member of the Anonymous Logon group.

As you can very well see from the above, the IUSR account IS a member of the Authenticated Users group.

NOW READ THIS:

MS wrote:

The Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group.

GOT IT?? From the first quote, we see that IUSR is a member of the Authenticated Users group, and in the second quote we see that Anonymous Logon users are NEVER members of the Authenticated Users group.
It can only be one or the other, Authenticated or Anonymous.
And as we can see, it IS a member of the Authenticated Users group (and did you notice that of the groups listed, Anonymous Logon isn't there?) and therefore CANNOT POSSIBLE be a member of the Anonymous Logon group!

READ: link

IUSR_[servername] is a validated login that is used in order to allow
internet users connecting via IIS access to webpages you have decided should
be open to the public.

Its not the same as an anonymous connection at all.

Hi _omni_:
what are you, some kind of research freak?

Can you provide the source for your first MS quote? I am curious whether that is a "Default" setup or rather an example that had been changed from defaults in order to demonstrate the w3who.dll utility.

Also, I wouldn't necessarily call the second quote (with the link you provided) as authoritative.

I'm not saying you're wrong, but I am also not entirely convinced you're right yet based on all the other information I have seen so far. It's been a great and educational thread so far, eh?

At any rate, I realize we have strayed from the original question posted by w^orld. I think we bored him to death, since he seems to have left this thread for greener pastures!

Have a good one, everyone!

eurotrash · May 2006

1. http://www.microsoft.com/technet/community/columns/insider/iisi1201.mspx
2. http://support.microsoft.com/?kbid=143474
3. True, it isn't "authoritative". However I am simply finding quotes/articles to back me up. Like this.

ALSO:

The IUSR account is a member of the Everyone & Authenticated Users groups. The IUSR account has the Access this computer from the network and Log on locally User Rights. So, specifically deny access for the IUSR account on everything, then grant the IUSR account access only where needed.
http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci997908,00.html

Authenticated Users includes the IUSR anonymous Web user account but omits null connections and users who are members of the Guests group only.
http://www.windowsitpro.com/Web/Article/ArticleID/25934/25934.html

Also take a look at your IUSR account, see what it is a member of. By default it will be a member of Guests and Domain Users.
IF it is a member of Domain Users, it MUST be authenticated. IF it is authenticated, it is automatically a member of the Authenticated Users group. And no member of the Authenticated Users group can possibly be a member of Anonymous Logon.

eurotrash · May 2006

Ok I got some help from another board (I'm insistent, aren't I!). Here's a link (tx d-Factor) from Microsoft Technet Mag, read it and weep!

Just like any user, the IUSR account has some group memberships. Giving permissions to any of these groups gives the IUSR account access to the content. The default memberships are: Everyone, Users, Guests, Authenticated Users, Network, Domain Users (if IIS is on a domain controller), and Web Anonymous Users (if the IIS portion of the Security Configuration Wizard has been run).
http://www.microsoft.com/technet/technetmag/issues/2006/05/ServingTheWeb/default.aspx

Microsoft themselves say that IUSR is by default a member of Authenticated Users (and you can see for yourselves if you have that w3who.dll).

With that in mind, I will quote this for the Nth time:

The Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group.
http://support.microsoft.com/?kbid=143474

As it plainly says, Anonymous Logon users are NEVER members of the Authenticated Users.
Since, as the first quote shows, IUSR is by default a member of the Authenticated Users, it can NEVER be a member of Anonymous Logon group.

I await the humblest and most sincere apologies, as well as recognition as the one true saviour (of the thread, anyhow

).

Silver Bullet · May 2006

http://technet2.microsoft.com/WindowsServer/f/?en/Library/2a0bd29a-e08c-43c4-9811-9aada3160b9f1033.mspx

I think this is a situation where you are not seeing the forest for the trees.

_omni_ wrote:

I await the humblest and most sincere apologies, as well as recognition as the one true saviour (of the thread, anyhow icon_biggrin.gif

Never

Muah hahahahha

eurotrash · May 2006

I can't believe that you don't get it!

Anonymous access isn't the same as Anonymous Logon.
Yes, you are allowing anonymous access IN THE SENSE that they can "log on" without entering usename and pass.
BUT the big difference is that you already have an account configured for them to use. That account will be authenticated, which will...read my above posts.

Also, notice that in your link the only time is says Anonymous Logon is:

1. In lowercase (therefore not referring to the group, which would be capitalised)
2. In quotation marks. That in no way implies the group.

It's as simple as this:

Can an account that is a member of Domain Users also be a member of Anonymous Logon?

NO!

Now go check your IUSR account, see who it is a member of.

DONE!

yay...

sprkymrk · May 2006

Okay, okay okay _omni_... I guess technically you're ri... righ.... right. There, I said it. :P

What I seem to gather from all this is that the IUSR is anonymous in the sense that we don't know who he is. However, the vast wisdom of MS has determined that this particular user, while anonymous, is NOT a member of the group "Anonymous Logon". Go figure.

: IUSR=Anonymous, just not Anonymous Logon.

What was the original question?

I don't know about you Silver Bullet, but I'm gonna have to give this round to _omni_. He out-googled me.

eurotrash · May 2006

w^rl0rd · May 2006

Thanks everyone. When someone can figure out how to access an NTFS folder (not a web page

) with an "Anonymous Logon," I'd love to hear it. Thanks.

Silver Bullet · May 2006

w^rl0rd wrote:

Thanks everyone. When someone can figure out how to access an NTFS folder (not a web page ) with an "Anonymous Logon," I'd love to hear it. Thanks.

Here....try this w^rlord. I haven't tested myself but it looks like a good starting point.
http://technet2.microsoft.com/WindowsServer/en/Library/7c2373bd-b2c2-4392-ad26-ffdd89ef8c741033.mspx?mfr=true

Anonymous Logon

Comments