programming4us
SECURITY

IUSR and IIS_IUSRS

When a user connects to an IIS Web site, IIS accesses the files and content in the context of an impersonated user. Whatever permissions and privileges the impersonated user has, the connecting Web site user has too. This is an extremely important point to remember when configuring IIS security. IIS allows authenticated and anonymous connections. Authenticated connections must use a valid SAM or Active Directory security principal account, or one of the additional authentication types added in IIS 7 that map to an external source, such as SQL, Oracle, and so on.

When IIS 7 is installed, a default user account called IUSR_<computername> is created, where <computername> is the name of the computer where IIS is installed, along with a new group called IIS_IUSRS. In the past, IUSR_<computername> was the service account associated with any anonymous connection to the World Wide Web or FTP services. In IIS 7, the IUSR_<computername> account is deprecated. It has no default permissions and is included for backward-compatibility purposes only.

Any user or service account belonging to the IIS_IUSRS group (there are no default members) can now be used as the IIS anonymous account. By default, the IIS_IUSRS group has only Read & Execute permissions to the \Inetpub\wwwroot folder. Any authenticated user, by default, has Read & Execute permissions to \Inetpub and \Inetpub\wwwroot. Additional NTFS permissions can be given to both anonymous and authenticated user accounts.

Both IUSR_<computername> and IIS_IUSRS are built-in accounts with "well-known" security identifiers (SIDs), much like Administrator and Administrators. This is new for IIS 7, and it allows Web sites and content to be copied or moved to other servers while the permissions granted to this user and group remain in place. In the past, the user and group permissions had to be reset any time the Web server content was moved to a new server, because new SIDs were referenced.
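The two paragraphs above (the default Read & Execute grant, and well-known SIDs) suggest a simple audit: find every place under the Web root where the IIS anonymous identities hold more than read access. The script below is an added example, not code from the original page; the default path, the variable names and the choice of which rights count as "more than Read & Execute" are assumptions. It matches ACEs by SID (S-1-5-32-568 for IIS_IUSRS, S-1-5-17 for the built-in IUSR account) so it gives the same answer on any server the content is moved to.

```powershell
# Added example: report NTFS grants beyond Read & Execute held by the IIS
# anonymous identities under a Web root. Path default is an assumption.
param([string]$WebRoot = "$env:SystemDrive\inetpub\wwwroot")

# Well-known SIDs, identical on every Windows server.
$iisSids = @{ 'S-1-5-32-568' = 'IIS_IUSRS'; 'S-1-5-17' = 'IUSR' }

# Specific rights that allow changing content or its ACL.
$fsr      = [System.Security.AccessControl.FileSystemRights]
$specific = [int]($fsr'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
# ACEs may carry generic bits instead: GENERIC_WRITE and GENERIC_ALL.
$generic  = 0x40000000 -bor 0x10000000
$mask     = $specific -bor $generic

$sidType = [System.Security.Principal.SecurityIdentifier]
$root    = Get-Item -LiteralPath $WebRoot
$items   = @($root) + @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    # Inherited ACEs are read only on the root; below it, explicit ACEs only,
    # so each finding points at the object where the grant was made.
    $inherited = ($item.FullName -eq $root.FullName)
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.GetAccessRules($true, $inherited, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $iisSids.ContainsKey($sid))    { continue }
        $extra = [int]$ace.FileSystemRights -band $mask
        if ($extra -ne 0) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $iisSids[$sid]
                Rights    = $ace.FileSystemRights
                ExtraBits = '0x{0:X8}' -f $extra
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No grants beyond Read & Execute for IIS_IUSRS or IUSR under $WebRoot" }
```

Each reported path is a location the anonymous identity can modify, which is worth confirming as intentional (an upload or cache folder, for example).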

To recap, IIS 7.0 runs using a combination of one or more worker processes (W3wp.exe), and one or more protocol listeners, application pools, or identities, all subject to the permissions granted to them for the related Web site content.

Figure 1 shows a theoretical example of IIS running three Web sites within two application pools, one using HTTP, the other using Named Pipes. An additional application is running over Net.tcp using WAS. Users accessing a particular Web site run its files in the context of an impersonated user, either by specifically authenticating or by indirectly using an IIS anonymous user account that is part of the IIS_IUSRS group (not to be confused with the completely unrelated anonymous null session built-in account).

Figure 1: Example of IIS 7 running multiple web applications, with a range of components
