I'm trying to understand IIS 8.5 user account model.

IUSR: the default anonymous user (can be changed). It is the identity that requests the web resource.

ApplicationPoolIdentity: a special identity used for app pools

IIS_IUSRS: it is the group that all the special ApplicationPoolIdentity identities are in.

IIS_IUSRS has read/execute permission on wwwroot folder

I don't get why IUSR does not have any permission on the wwwroot folder.

How could any web request not result in a 401???

giammin

2 Answers

3

If you look at the default permission for C:\inetpub\wwwroot:

BUILTIN\IIS_IUSRS:(RX)
BUILTIN\IIS_IUSRS:(OI)(CI)(IO)(GR,GE)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

you can see that the Users group has read access. IUSR is automatically a member of the Users group, and that is why it can access the files.

If you remove the permissions for Users, you should get a 401.3.

Peter Hahndorf

  • For some reason I had incorrectly remembered the IUSR being part of the guests group, how odd... – Reaces Jul 24 '15 at 11:04
1

Because the IUSR account is put in the users group by virtue of the NT Authority\Authenticated Users group.

Mostly these two exist for legacy reasons, but serve two distinct purposes.

  • The IUSR account is used for anonymous authentication
  • The IIS_IUSRS group is used to allow for security control for application pool users

There are some write-ups on the history and some decent information on the usage of the IUSR account and its predecessor, IUSR_computername, available.

Reaces