Understanding Built-In User and Group Accounts in IIS 7

By lzb

October 19, 2018

Introduction

In earlier versions of IIS, a local account called IUSR_MachineName is created during installation. IIS used the IUSR_MachineName account by default whenever anonymous authentication was enabled. This was used by both the FTP and HTTP services.

There was also a group called IIS_WPG, which was used as a container for all the application pool identities. During IIS setup, all the appropriate resources on the system were granted the correct user rights for the IIS_WPG group so that an administrator only needed to add their identity to that group when they created a new application pool account.

This model worked well, but had its drawbacks: the IUSR_MachineName account and the IIS_WPG group were both local to the system that they were created on. Every account and group within Windows is given a unique number called a security identifier (SID) that distinguishes it from other accounts. When an ACL is created only the SID is used. As part of the design in earlier versions of IIS, IUSR_MachineName was included in the metabase.xml file so that if you tried to copy the metabase.xml from one computer to another, it would not work. The account on the other computer would have a different name.

In addition, you could not 'xcopy /o' ACLs from one computer to another since the SIDs were different from computer to computer. One workaround was to use domain accounts, but that required adding an active directory to the infrastructure. The IIS_WPG group had similar issues with user rights. If you set ACLs on one computer's file system for IIS_WPG and tried to 'xcopy /o' those over to another computer, it would fail. This experience has been improved in IIS 7 and above by using a built-in account and group.

A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7 and above have taken this further and ensured that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of Windows that you install, the IIS account name will always be IUSR and the group name will be IIS_IUSRS.

In summary, IIS 7 and above offer the following:

  • The IUSR built-in account replaces the IUSR_MachineName account.

  • The IIS_IUSRS built-in group replaces the IIS_WPG group.

The IUSR account no longer needs a password because it is a built-in account. Logically, you can think of it as being the same as the NETWORKSERVICE or LOCALSERVICE accounts. Both the new IUSR account and the IIS_IUSRS group are discussed in greater depth in the sections below.

Understanding the New IUSR Account

The IUSR account replaces the IUSR_MachineName account in IIS 7 and above. The IUSR_MachineName account will still be created and used if you install the FTP 6 compatible server that is included in Windows Server 2008. If you do not install the FTP server that is included with Windows Server 2008, then this account will not be created.

This built-in account does not need a password and will be the default identity that is used when anonymous authentication is enabled. If you look in the applicationHost.config file you will see the following definition:

<anonymousAuthentication enabled="true" userName="IUSR" defaultLogonDomain="" />
 

This tells IIS to use the new built-in account for all anonymous authentication requests. The biggest advantages are that you can:

  • Set file system permissions for the IUSR account by using Windows Explorer or any of the many command line tools.

  • No longer need to worry about passwords expiring for this account.

  • Use xcopy /o to copy files along with their ownership and ACL information to different computers seamlessly.

Note: The IUSR account is similar to LOCALSERVICE in the manner in which it acts anonymously on the network. The NETWORKSERVICE and LOCALSYSTEM accounts can act as the machine identity, but the IUSR account cannot because it would require an elevation of user rights. If you need the anonymous account to have rights on the network, you must create a new user account and set the user name and password manually, as you did in the past for anonymous authentication.

To grant an anonymous account rights on the network by using IIS Manager:

  1. Click Start, type INetMgr.exe, and then click Enter. If prompted, click Continue to elevate your permissions.

  2. In the Connections section, click the + button next to the name of your computer.

  3. In IIS Manager, double-click the site that you want to administer.

  4. In the Features View, double-click Authentication.

  5. Select Anonymous Authentication, and then click Edit in the Actions pane.

  6. In the Edit Anonymous Authentication Credentials dialog box, click the Specific user option, and then click Set.

  7. In the Set Credentials dialog box, input the user name and password desired, and then click OK.

Understanding the New IIS_IUSRS Group

The IIS_IUSRS group replaces the IIS_WPG group. This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.

As with the built-in account, this built-in group solves several xcopy deployment obstacles. If you set permissions on your files for the IIS_WPG group (that was available on IIS 6.0 systems) and tried to copy those files to another Windows computer, the group's SID would be different across the computers and your site's configurations would be broken.

Since the group SID in IIS 7 and above is the same on all systems that are running Windows Server 2008, you can use 'xcopy /o' to preserve the ACL's and ownership information as you move files from computer to computer. This makes xcopy deployments easy.

IIS 7 and above also makes the process of configuring an application pool identity and making all necessary changes easier. When IIS starts a worker process, it needs to create a token that the process will use. When this token is created, IIS automatically adds the IIS_IUSRS membership to the worker processes token at runtime. The accounts that run as 'application pool identities' no longer need to be an explicit part of the IIS_IUSRS group. This change helps you to set up your systems with fewer obstacles and makes your overall experience more favorable.

If you want to disable this feature and manually add accounts to the IIS_IUSRS group, disable this new feature by setting the manualGroupMembership value to 'true'. The following example shows how this can be done to the defaultAppPool:

<applicationPools>

    <add name="DefaultAppPool">

        <processModel manualGroupMembership="true" />

    </add></applicationPools >
 

Copy From:lzb

Understanding Built-In User and Group Accounts in IIS 7的更多相关文章

  1. [Asp.Net]Understanding Built-In User and Group Accounts in IIS

    昨天把程序IIS6迁移到IIS7,出现异常 解决办法:文件夹选项权限增加IIS_IUSER 资料来源: http://www.iis.net/learn/get-started/planning-fo ...

  2. mysql 5.7.17发布

    Mysql 5.7.17发布了,主要修复: Changes in MySQL 5.7.17 (2016-12-12, General Availability) Compilation Notes M ...

  3. Fedora 22中的用户和用户组管理

    The control of users and groups is a core element of Fedora system administration. This chapter expl ...

  4. Achieving High Availability and Scalability - ARR and NLB

    Achieving High Availability and Scalability: Microsoft Application Request Routing (ARR) for IIS 7.0 ...

  5. 一键安装GitLab7

    1. Install and configure the necessary dependencies If you install Postfix to send email please sele ...

  6. windows msiexec quiet静默安装及卸载msi软件包

    aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAoUAAAA4CAIAAAAEgBUBAAAIj0lEQVR4nO2dQXLcOAxFdbXJ0aZys6

  7. Windows Access Token

    security descriptor A structure and associated data that contains the security information for a sec ...

  8. ASP.NET IIS Registration Tool (Aspnet_regiis.exe)

    IIS Version Special cases for 32-bit versions of Aspnet_regiis.exe 6.0 You can run the 32-bit versio ...

  9. Archlinux系统配置学习笔记(一)

    本文档是有关Archlinux系统配置的学习笔记,参考和学习的是Archlinux官方网站上的相应文档:General Recommendations. 这里的配置主要是针对按照官方网站上的文档刚刚完 ...

随机推荐

  1. SQL Server 常用函数使用方法

    之前就想要把一些 SQL 的常用函数记录下来, 直到今天用到substring()这个函数,C# 里面这个方法起始值是 0,而 SQL 里面起始值是 1.傻傻分不清楚... 这篇博客作为记录 SQL ...

  2. 关于k8s安装脚本方面的草稿

    周六作的, 慢慢完善. #! /usr/bin/env bash set -e set -u set -x #让此脚本可以重复执行,所以加了一些判断 #使用系统的PATH环境 export PATH= ...

  3. Exception in thread "main" java.lang.UnsatisfiedLinkError: org.apache.hadoop.io.nativeio.NativeIO$Windows.access0(Ljava/lang/String;I)Z

    1.window操作系统的eclipse运行wordcount程序出现如下所示的错误: Exception in thread "main" java.lang.Unsatisfi ...

  4. 内存栈与堆的区别C#

    C# 堆与栈 理解堆与栈对于理解.NET中的内存管理.垃圾回收.错误和异常.调试与日志有很大的帮助.垃圾回收的机制使程序员从复杂的内存管理中解脱出来,虽然绝大多数的C#程序并不需要程序员手动管理内存, ...

  5. 【Maven】Select Dependency 无法检索

    问题: 在 “pom.xml” 中,点击  “Dependencies” -> “Add” 添加依赖时,无法检索. 如下图所示: 解决办法:   依次点击 “Windows”->“Show ...

  6. 【译】写好JavaScript条件语句的5个技巧

    译文 当我们写JavaScript代码时,经常会用到到条件判断处理,这里有5个技巧能使你写出更好.更简洁的条件语句. 1.使用Array.includes处理多种条件 让我们来看一下的例子: // c ...

  7. python全栈开发day58-mysql存储过程,权限,索引,慢日志,执行计划,分页优化处理

    1.存储过程 delimiter // create procedure insert_data(in rows int) begin DECLARE n INT DEFAULT 1; drop ta ...

  8. libsecp256k1 与 openssl ecdsa

    1. 历史 区块链节点在接收到的用户发送的交易时,首先会验证交易所涉及utxo的可用性.方法是验证用户签名的合法性,涉及的签名算法就是secp256k1,一种椭圆曲线加密算法. 长期以来,实现了该算法 ...

  9. ansible基础命令实例

    参考:https://www.cnblogs.com/ilurker/p/6421624.html 1. 使用自定义的hosts 格式: ansible  组机匹配  -i  自定义的hosts  - ...

  10. python面试题之Python是如何进行内存管理的

    python内部使用引用计数,来保持追踪内存中的对象,Python内部记录了对象有多少个引用,即引用计数,当对象被创建时就创建了一个引用计数,当对象不再需要时,这个对象的引用计数为0时,它被垃圾回收. ...