Security risk and consequence for user account as the member of IIS_IUSRS - Built-in group used by Internet Information Services?

EnterpriseArchitect 6,041 Reputation points
2023-07-26T03:12:55.0166667+00:00

What are the risks and consequences of leaving or adding domain users as members of the built-in AD security group IIS_IUSRS - A built-in group used by Internet Information Services?

Will the members of the IIS_IUSRS (Built-in group used by Internet Information Services) security group be allowed to anonymously log in to IIS across my entire AD domain?


Accepted answer
  1. MotoX80 36,401 Reputation points
    2023-07-28T00:33:09.5033333+00:00

    When there is no built-in internal web application that is used in my AD domain, is this built-in group membership still required?

    IIS may have been installed as a requirement of some other software. WSUS for example. Open up the IIS manager and look at the defined web sites. What sites are running?

    Look at the application pools. Are any of the accounts listed under the Identity column?


    So if I remove the user from the IIS_IUSRS built-in group membership, what will be the consequence when accessing the internally built web app?

    You must understand that we don't know anything about the accounts that are listed in your IIS_IUSRS group, or where on your file system someone used that group for some purpose other than to grant IIS worker process accounts access to read the web content.

    If the person who set up your web site (server?) did not understand the function of the IIS_IUSRS group, we have no way to know where that group was applied to file system security permissions. Thus we would have no way to know the impact of any change to group membership.

    Who configured the server? Ask them why those accounts are in that group.

    As I noted in my first reply, according to the Microsoft documentation, there is no need for you to add any account to that group. When the IIS worker process starts up, IIS will add the token for that group to the account that the worker process executes as.

    You need to tell us something about the accounts that are listed in the group. Are these end user accounts? Are they software related accounts?

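The accepted answer says the impact of changing IIS_IUSRS membership can only be judged by knowing who is in the group, which app pools run as which identity, and where the group was applied to file system permissions. The following is an added PowerShell audit script (not from the answer author or from Microsoft) that collects exactly those three facts on the IIS host; it assumes the WebAdministration module is available and that the scan root defaults to C:\inetpub, both of which are assumptions.

```powershell
# Added audit example: enumerate IIS_IUSRS members, app pool identities,
# and every ACL entry under the web content roots that names IIS_IUSRS.
# Assumes: run elevated on the IIS server with the WebAdministration module.
param(
    [string[]]$ScanRoots = @('C:\inetpub')   # assumed default content root
)
Import-Module WebAdministration -ErrorAction Stop

# 1. Who is in the local IIS_IUSRS group? Per the docs this should normally
#    be empty; any domain user listed here is something to explain.
Write-Host "== IIS_IUSRS members =="
Get-LocalGroupMember -Group 'IIS_IUSRS' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Which identity does each application pool run as? End-user accounts
#    appearing as SpecificUser identities are the real risk signal.
Write-Host "== Application pool identities =="
Get-ChildItem 'IIS:\AppPools' | ForEach-Object {
    [pscustomobject]@{
        AppPool      = $_.Name
        IdentityType = $_.processModel.identityType
        UserName     = $_.processModel.userName   # empty unless SpecificUser
    }
} | Format-Table -AutoSize

# 3. Site content roots, so the ACL scan covers paths outside C:\inetpub too.
$siteRoots = Get-Website | ForEach-Object {
    [Environment]::ExpandEnvironmentVariables($_.physicalPath)
}
$roots = @($ScanRoots + $siteRoots | Sort-Object -Unique | Where-Object { Test-Path $_ })

# 4. Every explicit ACE that grants IIS_IUSRS rights. Membership changes only
#    matter where this group was used on the file system, so this is the
#    blast radius the answer says cannot be known without looking.
Write-Host "== ACL entries referencing IIS_IUSRS =="
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Acl -Path $_.FullName } |
        ForEach-Object {
            $path = $_.Path -replace '^.*::', ''
            $_.Access | Where-Object { $_.IdentityReference -like '*IIS_IUSRS' } |
                ForEach-Object {
                    [pscustomobject]@{ Path = $path; Rights = $_.FileSystemRights
                                       Type = $_.AccessControlType; Inherited = $_.IsInherited }
                }
        }
} | Format-Table -AutoSize
```

Paths where IIS_IUSRS appears outside the web content roots (or with rights beyond read and execute) are the places a group membership change would actually widen or narrow a domain user's access.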

2 additional answers

  1. MotoX80 36,401 Reputation points
    2023-07-26T12:16:56.5233333+00:00

    See https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/understanding-identities

    When IIS starts a worker process, it must create a token that the process will use. When this token is created, IIS automatically adds the IIS_IUSRS membership to the worker processes token at runtime. The accounts that run as application pool identities no longer have to be an explicit part of the IIS_IUSRS group.

    I don't think that there is any risk of anonymous login, but from my experience, the accounts that we used for worker process identities were application specific accounts where only highly trusted administrators had access to the password. We would never use an end user account as a worker process identity.

    Are you confusing the IIS_IUSRS group with the IUSR account that is used for web sites that are set to anonymous login?


  2. TengFeiXie-MSFT 346 Reputation points
    2023-07-27T07:41:49.0966667+00:00

    Hi, @EnterpriseArchitect

    About the IIS_IUSRS group, you could refer to this official document: https://learn.microsoft.com/en-us/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis. This IIS_IUSRS group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity. If you leave or add domain users as members of the IIS_IUSRS group, you are granting them the ability to run as application pool identities. This change helps you to set up your systems with fewer obstacles and makes your overall experience more favorable. It depends on your security requirements. The IUSR account is the anonymous user identity; refer to the link above: Understanding the New IUSR Account.

    Best regards,

    TengFei Xie
