Will this prevent 'anonymous' IIS connections?

  • Thread starter Thread starter Ohaya
  • Start date Start date
O

Ohaya

Hi,

We're running a machine with Win2K Advanced Server. It's configured as
a domain controller, and we also have IIS running on it. The website we
have running on IIS is configured to "Allow anonymous" connections.

I've been told that as part of the company's standard security settings,
they want us to configure the Guests account on this machine to disable
"Access this computer from network" and "Log on locally".

I've been hesitant to do this because I am concerned that it would
prevent anonymous connections to IIS.


Can someone confirm whether this will be the case or not?

And, if it is not the case (i.e., if disabling those will not prevent
anonymous IIS connections), how do I go about disabling them? When I
look in Local Policies, the local policy is unchecked, but the
"Effective Policy Setting" box is grayed out and checked.

Thanks in advance!
 
You can tell IIS what account to use for anonymous
access. Go into the properties for the site and check the
security, and where you can check "anonymous access",
there's a tab there for "edit" where you can tell it what
account to use. Just make sure it's a legitimate account
w/ no more rights than it needs.
 
The IUSR_computer name account requires the logon locally user right to work for
anonymous web access. It is a member of the guests group. You could however deny
access to the "guest" account itself for both network and local access. If the guests
group requires deny, then you will have to create a new account to use for anonymous
access and configure the account properties to be the same except for being a member
of the guests group. IIS will have to manage the password also as it does with
IUSR_computername.

If you can not change the settings in Local Group Policy, that means that a higher
priority policy such as domain or OU have those user rights assignments defined and
you will have to make changes at that level or move the server into it's own OU that
has it's own GPO that you could then configure for the server. --- Steve
 
Back
Top