Creating user accounts for IIS 6

By default, IIS is installed to run using the credentials of the iusr_machinename user account for anonymous access and is configured with the least amount of privileges required to run a website, making it ideal for a lot of smaller environments. Sometimes, though, it is necessary to configure multiple IIS user accounts to segregate web applications and/or users to increase security. Although creating a new IIS user account while ensuring that it is granted only the minimum privileges on the system might sound complicated, it is in fact quite easy as far as system administration tasks go. In this article we'll look at the five steps involved in creating user accounts for IIS 6.

Create the account

The first step is to create the user account, which can be done by following these steps:


  • Start the Computer Management console from under the Administrative Tools menu item from the Start menu.
  • Expand the Local User & Groups node, right click on the Users container and select New User.
  • Enter the username, password and description details for your new user and ensure the user cannot change password and password never expires check boxes are ticked.
  • Click the create button to create your user.

Set the group membership

Once you've created your account you should see it listed in the right-hand pane of your Computer Management window. The next step is to set the group memberships for this account. To do this:


  • Right click on your new user and select Properties.
  • Select the Member of tab, select all the groups in the list and click the remove button.
  • Click the Add button, type in guests and then click on Ok.
  • You can now close the computer management window.

Set the NTFS permissions

You now have your user created and the appropriate group memberships set. The third step is to provide access to your content for your newly created account. To do this:


  • Open Windows Explorer, navigate to the directory that contains your content and then right click it and select Properties.
  • Select the Security tab, click the add button then type in the username of your account and click Ok.
  • From the Security tab select your IIS user and then set the appropriate permissions in the permissions window below. At a minimum your user account will need the read permission, and may also need the execute and write permissions depending on your requirements.
  • Once your permissions are set, click the Ok button to set them and exit.

Edit the local security policy

The fourth step in creating user accounts for IIS 6 is to set the local security policy. To do this you will need to:


  • Start the Local Security Settings console from under the Administrative Tools menu item from the Start menu.
  • Expand the Local Policies node and select the User Rights Assignment container.
  • Double click on the Access this computer from the network item, click Add User or Group, enter your username and click the Ok button.
  • Repeat the last step for the Allow log on locally and Log on as a batch job items.
  • Close the Local Security Settings console.

Configure IIS to use your new account

The last step is to configure IIS to use your newly created user account for anonymous access. To do this:


  • Go to the Start menu, select Run, type inetmgr and press Ok.
  • Navigate to where you want to use the new account, right click and select Properties.
  • Select the Directory security tab and click the Edit button from under the Authentication and access control section at the top.
  • Ensure the Enable anonymous access check box is ticked and enter the username and password for your new IIS user account.
  • Click the Ok button and close the IIS console.
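
The five steps above, scripted in PowerShell as an added example (not part of the original article). It assumes an administrator session with PowerShell 2.0 on the IIS 6 server, icacls (Windows Server 2003 SP2) and ntrights.exe from the Resource Kit Tools on the PATH; the account name, content path and site ID are placeholders.

```powershell
# Added example, not from the original article. Placeholder values below.
$UserName    = 'iusr_site1'        # hypothetical account name
$ContentPath = 'D:\Sites\site1'    # hypothetical content directory
$SiteId      = 1                   # assumed IIS site identifier

# Prompt for the password so it is not stored in the script or passed on a command line.
$secure = Read-Host "Password for $UserName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Step 1: create the account. 0x0040 = user cannot change password,
# 0x10000 = password never expires.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$user = $computer.Create('user', $UserName)
$user.SetPassword($plain)
$user.SetInfo()
$user.Description = "Anonymous access account for IIS site $SiteId"
$user.UserFlags = $user.UserFlags.Value -bor 0x10040
$user.SetInfo()

# Step 2: remove every existing group membership, then add Guests only.
$userPath = $user.psbase.Path
foreach ($g in @($user.psbase.Invoke('Groups'))) {
    $gPath = $g.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $g, $null)
    ([ADSI]$gPath).psbase.Invoke('Remove', $userPath)
}
([ADSI]"WinNT://$env:COMPUTERNAME/Guests,group").psbase.Invoke('Add', $userPath)

# Step 3: read-only NTFS access, inherited by subfolders (CI) and files (OI).
icacls $ContentPath /grant "${UserName}:(OI)(CI)R"

# Step 4: the three user rights named in the article.
foreach ($right in 'SeNetworkLogonRight', 'SeInteractiveLogonRight', 'SeBatchLogonRight') {
    ntrights.exe +r $right -u $UserName
}

# Step 5: enable anonymous access on the site root and set its identity.
$vdir = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT"
$vdir.psbase.Properties['AuthAnonymous'].Value     = $true
$vdir.psbase.Properties['AnonymousUserName'].Value = $UserName
$vdir.psbase.Properties['AnonymousUserPass'].Value = $plain
$vdir.psbase.CommitChanges()
$plain = $null

# Review the result: the ACL should list the new account with (R) only.
icacls $ContentPath
```

Change `R` to `RX` or add `W` in step 3 only where the site needs execute or write access.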

You should now have configured IIS to use your new user account, which can be used for greater granularity of permission control between users and applications, as well as other general system administration tasks such as event log tracking and quota management. If you have any comments or feedback on this article please feel free to post a comment here. If you would like support then please feel free to post in our forums.

Comments

Anonymous's picture

Nice article

Really this is the exact thing I expected. My clarifications are solved and our site is working!!!

Brashquido's picture

Good to hear! Glad I could help.

----------------
Dominic Ryan
5 x Microsoft IIS MVP, MCSE, MCSA
IIS Aid owner/webmaster

Anonymous's picture

Nice easy to understand article!

I implemented this method for a website on our server that will be developed under a 3rd party. With FTP access, and scripts allowed, it's possible that someone could upload a web-based file browser script to view directories and files that should not be viewed. The user account method you explained prevents unauthorized access when using the FileSystem Object in ASP, but an ASP.NET script can still access other files on the server, and I'm not sure about a PHP script. Can you provide any guidance for this?

Brashquido's picture

It's all in the permissions

You're using the same user account for FTP and HTTP? At the end of the day, it all comes down to permissions. Review your permissions structure for your HTTP users, and make sure they don't have write permissions unless they need it, and make sure you keep a handle on any impersonation that might be going on.

----------------
Dominic Ryan
5 x Microsoft IIS MVP, MCSE, MCSA
IIS Aid owner/webmaster

Anonymous's picture

very helpful

This was incredibly clear and very easy to read. You used formatting the way it should be used. That's a rare and special thing on the internets.