RE: WIN NT

[mikehow () microsoft com (Michael Howard)]

> a) I have a web server running ,MS IIS, I have enabled 
> anonymous access only
> and removed IUSR_computername account from user right "access 
> this computer
> from n/w" .....only "log on locally" right has been assigned to this
> account......but the client browser is not able to access web 
> server as it
> asks for n/w login and password. Is it mandatory to provide 
> both rights to
> IUSR account to enable anonymous access.

[mh] what's in the security audit log? you are auditing for
success/failed logon/logoff, right? if you have "anonymous pwd synch"
enabled then we do a network logon if you don't have this check then we
do a local logon. no, it is not mand. to add both rights to the account,
just the correct one depending on the pwd synch stuff. it's all doc'd in
the iis4 reskit security chapter. btw, new rights don't take effect
until the account re-logs on, so you may want stop/start the web server.
that'll guarantee you purge the cached logon handle.

Cheers, MH
Windows 2000 Security

<!-- attachment="asmime.p7s" -->
<HR>
<UL>
<LI>application/x-pkcs7-signature attachment: smime.p7s
</UL>