Understanding Built-In User and Group Accounts in IIS 7
By lzb
October 19, 2018
Introduction
In earlier versions of IIS, a local account called IUSR_MachineName is created during installation. IIS used the IUSR_MachineName account by default whenever anonymous authentication was enabled. This was used by both the FTP and HTTP services.
There was also a group called IIS_WPG, which was used as a container for all the application pool identities. During IIS setup, all the appropriate resources on the system were granted the correct user rights for the IIS_WPG group so that an administrator only needed to add their identity to that group when they created a new application pool account.
This model worked well, but had its drawbacks: the IUSR_MachineName account and the IIS_WPG group were both local to the system on which they were created. Every account and group in Windows is given a unique number called a security identifier (SID) that distinguishes it from every other account. When an ACL is created, only the SID is stored, not the name. In earlier versions of IIS the IUSR_MachineName account name was written into the metabase.xml file, so if you tried to copy metabase.xml from one computer to another it would not work: the corresponding account on the other computer had a different name.
In addition, you could not 'xcopy /o' ACLs from one computer to another, since the SIDs differed from computer to computer. One workaround was to use domain accounts, but that required adding Active Directory to the infrastructure. The IIS_WPG group had the same problem with user rights: if you set ACLs on one computer's file system for IIS_WPG and tried to 'xcopy /o' them to another computer, they would not apply. IIS 7 and above improve this experience by using a built-in account and group.
A built-in account and group are guaranteed by the operating system to have the same well-known SID on every installation (IUSR is S-1-5-17 and IIS_IUSRS is S-1-5-32-568). IIS 7 and above take this further and ensure that the names of the new account and group are never localized. For example, regardless of the language of Windows that you install, the IIS account name will always be IUSR and the group name will always be IIS_IUSRS.
In summary, IIS 7 and above offer the following:
The IUSR built-in account replaces the IUSR_MachineName account.
The IIS_IUSRS built-in group replaces the IIS_WPG group.
The IUSR account no longer needs a password because it is a built-in account. Logically, you can think of it as similar to the NETWORK SERVICE or LOCAL SERVICE accounts. Both the new IUSR account and the IIS_IUSRS group are discussed in greater depth in the sections below.
Understanding the New IUSR Account
The IUSR account replaces the IUSR_MachineName account in IIS 7 and above. The IUSR_MachineName account is still created and used if you install the FTP 6-compatible server that is included in Windows Server 2008. If you do not install that FTP server, the account is not created at all.
This built-in account does not need a password and will be the default identity that is used when anonymous authentication is enabled. If you look in the applicationHost.config file you will see the following definition:
<anonymousAuthentication enabled="true" userName="IUSR" defaultLogonDomain="" />
This tells IIS to use the new built-in account for all anonymous authentication requests. The biggest advantages are that you can:
Set file system permissions for the IUSR account by using Windows Explorer or any of the many command line tools.
No longer need to worry about passwords expiring for this account.
Use xcopy /o to copy files along with their ownership and ACL information to different computers seamlessly.
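The two points above (ACLs reference SIDs, and built-in SIDs are the same on every machine) can be checked directly. The following is an added example, not code from the original article: it resolves IUSR and IIS_IUSRS to their SIDs with .NET, then grants IUSR read-and-execute on a site root with icacls. C:\inetpub\wwwroot\example is an assumed path; run it in an elevated PowerShell on an IIS 7 or later host. On any Windows installation the resolution step yields S-1-5-17 for IUSR and S-1-5-32-568 for IIS_IUSRS, which is why ACLs naming them survive xcopy /o.

```powershell
# Added example (not from the original article).
# Resolve the built-in principals to their SIDs and grant IUSR read access
# to a site root. $siteRoot is an assumed path.

$siteRoot = 'C:\inetpub\wwwroot\example'

# Translate account names to SIDs the same way the ACL machinery does.
# IUSR and IIS_IUSRS are well-known SIDs (S-1-5-17 and S-1-5-32-568), so the
# result does not depend on which machine this runs on.
foreach ($name in 'IUSR', 'IIS_IUSRS') {
    $account = New-Object System.Security.Principal.NTAccount($name)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    '{0,-10} -> {1}' -f $name, $sid
}

# Grant IUSR read and execute only, inherited by subfolders (CI) and files (OI).
# Anonymous web users need to read content; they never need Modify or Full Control.
icacls $siteRoot /grant 'IUSR:(OI)(CI)RX'

# Verify the ACE. The ACL stores the SID; the name is resolved for display,
# so the same entry reads identically on every machine it is copied to.
(Get-Acl $siteRoot).Access |
    Where-Object { $_.IdentityReference -like '*IUSR' } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

If you migrate content between servers, icacls /save and /restore are the modern equivalent of xcopy /o for the ACLs alone; both rely on the SIDs being identical across the machines, which is exactly what the built-in principals guarantee.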
Note: The IUSR account is similar to LOCAL SERVICE in that it presents anonymous credentials on the network. The NETWORK SERVICE and LOCAL SYSTEM accounts can act as the machine identity, but the IUSR account cannot, because that would be an elevation of user rights. If you need the anonymous account to have rights on the network, you must create a user account and set its user name and password manually, as you did for anonymous authentication in earlier versions.
To grant an anonymous account rights on the network by using IIS Manager:
Click Start, type INetMgr.exe, and then press Enter. If prompted, click Continue to elevate your permissions.
In the Connections section, click the + button next to the name of your computer.
In IIS Manager, double-click the site that you want to administer.
In the Features View, double-click Authentication.
Select Anonymous Authentication, and then click Edit in the Actions pane.
In the Edit Anonymous Authentication Credentials dialog box, click the Specific user option, and then click Set.
In the Set Credentials dialog box, input the user name and password desired, and then click OK.
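The same change can be scripted with appcmd, which writes the identical anonymousAuthentication element into applicationHost.config that the article quotes above. The following is an added example, not code from the original article; "Default Web Site" and CORP\svc-anon are assumed names. Run it in an elevated PowerShell on the IIS host.

```powershell
# Added example (not from the original article).
# Set a specific account as the anonymous identity for one site, the
# command-line equivalent of the IIS Manager steps above.
# $site and $user are assumed names.

$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'
$user   = 'CORP\svc-anon'

# Read the password interactively so it does not end up in shell history.
# appcmd needs it as plain text, so convert it just before use.
$secure = Read-Host -Prompt "Password for $user" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Write the site-level setting into applicationHost.config (/commit:apphost)
# rather than into the site's web.config.
& $appcmd set config $site `
    /section:system.webServer/security/authentication/anonymousAuthentication `
    /userName:$user /password:$plain /commit:apphost

# Show the result. IIS stores the password encrypted in applicationHost.config,
# so the listing does not reveal it.
& $appcmd list config $site `
    /section:system.webServer/security/authentication/anonymousAuthentication

# To go back to the built-in IUSR, which needs no password:
# & $appcmd set config $site /section:system.webServer/security/authentication/anonymousAuthentication /userName:IUSR /password:"" /commit:apphost
```

Keep the account a plain, unprivileged user: every unauthenticated request to the site runs as it, so anything it can reach on the network is reachable anonymously. Also note that the elevation a specific account gives you is exactly what the built-in IUSR was designed not to have.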
Understanding the New IIS_IUSRS Group
The IIS_IUSRS group replaces the IIS_WPG group. This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.
As with the built-in account, this built-in group solves several xcopy deployment obstacles. If you set permissions on your files for the IIS_WPG group (that was available on IIS 6.0 systems) and tried to copy those files to another Windows computer, the group's SID would be different across the computers and your site's configurations would be broken.
Since the group SID in IIS 7 and above is the same on all systems running Windows Server 2008 and later, you can use 'xcopy /o' to preserve the ACLs and ownership information as you move files from computer to computer. This makes xcopy deployments easy.
IIS 7 and above also make it easier to configure an application pool identity. When IIS starts a worker process, it creates the token that the process will use, and at that point it automatically adds IIS_IUSRS membership to the worker process's token. Accounts that run as application pool identities therefore no longer need to be explicit members of the IIS_IUSRS group, which removes a common setup obstacle.
If you want to disable this behavior and manage IIS_IUSRS membership yourself, set the manualGroupMembership attribute of the application pool's processModel to 'true'. The following example shows how this is done for DefaultAppPool:
<applicationPools>
    <add name="DefaultAppPool">
        <processModel manualGroupMembership="true" />
    </add>
</applicationPools>
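With manualGroupMembership set, the pool identity must actually be a member of IIS_IUSRS, or the worker process will lack the file and system rights that the group carries. The following is an added example, not code from the original article, that applies the setting above with appcmd, runs DefaultAppPool under a specific account, and adds that account to the group by hand. CORP\svc-pool is an assumed account name; run it in an elevated PowerShell on the IIS host.

```powershell
# Added example (not from the original article).
# Disable runtime injection of IIS_IUSRS, run DefaultAppPool as a specific
# account, and add that account to IIS_IUSRS manually. $user is assumed.

$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$pool   = 'DefaultAppPool'
$user   = 'CORP\svc-pool'

# Read the password without echoing it; appcmd needs plain text.
$secure = Read-Host -Prompt "Password for $user" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Equivalent of <processModel manualGroupMembership="true" /> for this pool.
& $appcmd set apppool $pool /processModel.manualGroupMembership:true

# Run the pool under the specific account instead of a built-in identity.
& $appcmd set apppool $pool /processModel.identityType:SpecificUser `
    /processModel.userName:$user /processModel.password:$plain

# IIS will no longer add IIS_IUSRS to the token, so make the account a real member.
net localgroup IIS_IUSRS $user /add

# Check membership and the resulting pool configuration.
net localgroup IIS_IUSRS
& $appcmd list apppool $pool /config

# Group membership is evaluated when the token is built, so recycle the pool
# to start a worker process with the new token.
& $appcmd recycle apppool /apppool.name:$pool
```

Membership in IIS_IUSRS grants the rights IIS set up for worker processes and nothing more, so the account itself should stay unprivileged; if you later remove it from the group while manualGroupMembership is still true, the next worker process will start without those rights and the site will fail in ways that look like permission errors on content.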