Simple anonymous access question  
Author Message

PostPosted: Fri Mar 31 16:37:38 CST 2006 Top

ASP/Active Server Pages >> Simple anonymous access question

I have what I think is a simple question but I am finding nothing but
complicated answers.

I have a web site running on IIS6. One directory used to use an
alternate account as the anonymous user (not the IUSR_ServerName
account) to connect to a database, etc. Now the pages in that
directory no longer do anything special and I just want to start using
the default IUSR_ServerName account again. I put that account back in,
but what do I put in as the password? I am reading all about security
improvements, network service vs. local system, unprivileged vs.
priveleged, etc. I realize there is no longer a "Let IIS control
password for anonymous account" option, but all I want to know is, HOW

Web Programming165  

PostPosted: Fri Mar 31 16:37:38 CST 2006 Top

ASP/Active Server Pages >> Simple anonymous access question (Sorry I realized I unintentionally posted this to the ASP newsgroup)
Ok, I have figured this out - it may not be the bast way, so feel free
to comment. I downloaded the IIS Metabase Explorer (included in the
IIS6.0 resource kit from -
Using metabase explorer, I navigated to (servername) -> LM -> W3SVC and
found the property AnonymousUserPass. By default, it doesn't display
secured data, so you have to select View -> Secure Data. Because I
didn't want to reconfigure all of my sites, I didn't want to change
this password, so I copied it and pasted it into IIS where you set the
anonymous account and password. Voila, everything was happy.

This seems silly to me for a couple of reasons. First, every document
I found said you have two options to fix this - enable
sub-authentication and run the directory as LocalSystem (effectively
disabling much of the security enhancements of IIS6.0), or edit the
metabase and change the password to a value know by you. The former
option is a complicated and unnecessary solution to a simple problem.
The latter option would require you to reset the password in IIS on
every site (and every folder in every site using a different
authentication method or account than the main site). Why didn't I
ever find a document that described what I did, which seems to me to be
the easiest way to just get back to the default?!

Another concern is that the password is stored in the metabase in plain
text. (Oh, but that's ok, because no hacker could ever figure out
using metabase explorer and figure out the option of view -> secure
data.?!?!?) Now I know that the IUSR account should have virtually no
privileges other than to read websites, but still, the concept of
storing an account's password in plain text is always disconcerting.

Another concern is the ability to take down every single website on
your server using anonymous access by editing your metabase and
changing the AnonymousUserPass property. Sounds like a hacker's dream
come true to me (granted, if they had access to your metabase, there's
probably lots worse things they could do...)

Please correct me in my assumptions if I am incorrect in anything I
have said - I am moving from IIS5 to IIS6, so I'm still learning the
ins and outs of IIS6.