Risks with changing iusr service account

  • Risks with changing iusr service account

    I just spent 90 minutes troubleshooting our WSUS implementation... clients were not able to report, getting error 401s.

    I even tried reinstalling SUS.

    End result: the web service needs 'anonymous' access enabled. In most normal situations, this is configured for the iusr_SERVER account.
    In ours, it was domain\ADMINISTRATOR


    Dear God this worries me. I only identified it because we did a routine change of the DA password on the weekend.


    Just out of interest, while I know this is a Very Bad Thing, and I have changed it to an appropriate account, what sort of issues could this cause?

    I'm assuming that if someone is able to find a flaw in the WSUS pages, say the ability to execute code, then it would execute as the DA account, is this correct? (executes under the authority of the account running the site?)

  • #2
    Re: Risks with changing iusr service account

    Originally posted by tehcamel
    I'm assuming that if someone is able to find a flaw in the WSUS pages, say the ability to execute code, then it would execute as the DA account, is this correct? (executes under the authority of the account running the site?)
    Even I assume what you say is correct. In the wake of this assumption, I recently changed the Anonymous access ID from a Domain ID to IUSR when we migrated off the existing server to a new one.

    If using a domain ID with admin rights wouldn't enable the exploitation of the web-site, please someone throw some light on it.

    Norbert



    • #3
      Re: Risks with changing iusr service account

      Originally posted by tehcamel
      I just spent 90 minutes troubleshooting our WSUS implementation... clients were not able to report, getting error 401s.

      I even tried reinstalling SUS.

      End result: the web service needs 'anonymous' access enabled. In most normal situations, this is configured for the iusr_SERVER account.
      In ours, it was domain\ADMINISTRATOR


      Dear God this worries me. I only identified it because we did a routine change of the DA password on the weekend.


      Just out of interest, while I know this is a Very Bad Thing, and I have changed it to an appropriate account, what sort of issues could this cause?

      I'm assuming that if someone is able to find a flaw in the WSUS pages, say the ability to execute code, then it would execute as the DA account, is this correct? (executes under the authority of the account running the site?)
      It's sad how common this is. At my last place my boss set up all the SharePoint services to run as the DA. My current employer runs a heavily used intranet site as the DA...

      The risks are as you say; if someone figured out a hole in IIS it would execute as the DA under some situations.

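The misconfiguration discussed in this thread, a named domain account set as the anonymous-access identity, can be checked for across every site on a server. The following is an added example, not code from any poster: it assumes IIS 7 or later, where the setting is stored in applicationHost.config as the `userName` attribute of `anonymousAuthentication`, and the sample config, the EXAMPLE domain and the site paths are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an IIS 7+ applicationHost.config; the EXAMPLE
# domain and the site paths are made up and not taken from the thread.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
  </authentication></security></system.webServer>
  <location path="WSUS Administration"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="EXAMPLE\Administrator" password="[enc:placeholder]" />
  </authentication></security></system.webServer></location>
  <location path="Intranet"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="" />
  </authentication></security></system.webServer></location>
  <location path="Reports"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" userName="EXAMPLE\svc_reports" />
  </authentication></security></system.webServer></location>
</configuration>"""

def classify(user):
    """Label the identity that anonymous requests are impersonated as."""
    if user == "":
        return "app-pool-identity"  # empty userName: the pool identity is used
    if user.upper() == "IUSR" or user.upper().startswith("IUSR_"):
        return "built-in"           # IUSR (IIS 7+) or IUSR_<server> (IIS 6 naming)
    return "REVIEW"                 # named account: check its group memberships

def audit_anonymous_identities(xml_text):
    """Return (scope, userName, verdict) for each scope with anonymous access on."""
    root = ET.fromstring(xml_text)
    scopes = [("(server default)", c) if c.tag == "system.webServer"
              else (c.get("path", ""), c)
              for c in root if c.tag in ("system.webServer", "location")]
    findings = []
    for name, scope in scopes:
        for node in scope.iter("anonymousAuthentication"):
            if node.get("enabled", "true").lower() != "true":
                continue            # anonymous access is off for this scope
            # Missing attribute: the schema default IUSR is assumed here;
            # inheritance between nested scopes is not modelled.
            user = node.get("userName", "IUSR")
            findings.append((name, user, classify(user)))
    return findings

if __name__ == "__main__":
    for scope, user, verdict in audit_anonymous_identities(SAMPLE_CONFIG):
        print(f"{verdict:18} {scope!r:24} userName={user!r}")
```

A `REVIEW` verdict only says a named account is in use; whether that account is a Domain Admin has to be confirmed against the directory.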