IIS 6.0 Security Issue

[camhabib]

Server running W2k3SEE and IIS 6.0. I have set up IIS with a basic HTML web page. I can go into IE and type in localhost and it now brings up the site. However, when I go into IE and type in 127.0.0.1 it prompts for a username and password. By clicking on cancel or clicking login, I get the "You are not authorized to view this page" message. Same happens when people try to access the site via the domain or ip. Anonymous connections are enabled with a username and password (IUSR_gateway) however I donÂ’t know the correct password for this account. Is there any way to delete this account and set up a new one with the same name that I know the password for? I couldnÂ’t find any such service that would allow me to do that. Thanks.

-Cameron

 

[macdude425]

I really don't know much about IIS; only that it pales in comparison to Apache.

Have you read the IIS readme?

 

[Tyler1989]

macdude your title needs to be "living in an amish paridis" or "party like it's 1699" again.

Ok make a user account on windows called "website" with no password. Configure IIS to log in with the user name website and no password in the IIS configureation. This will allow for instant connection where visiters do not need to type a username or password. This method has been tested on IIS6.0 I do not know if it works on IIS7.0Beta

 

[camhabib]

That much I know but my question is how do I create that user.

 

[Tyler1989]

Go to

Start > Control Panal > User Acounts > Creat a Account



Easy as that

 

[camhabib]

If W2k3SEE had a user panel like XP it would be........ Anyone who uses W2k3 know how?

 

[Tyler1989]

I have windows Advanced Server 2000 and Windows Server 2003 web-Data.

Though I am not running it now. Look harder it's in the start menu then there is a control panal (may not be called that) and it does have administravive tools and all that good stuff along with the ability to creat user accounts.

 

[camhabib]

Found the place to add users. Its under Computer Management. Tricky little spot. I reset the password and everythign works fine.

 

[Tyler1989]

Great so do your visitors require a password?

You did create a user account called website with no password and told IIS that correct?

 

[camhabib]

No, W2k3SEE by default creates a user named IUSR_servername where servername is the name of the server hosting the IIS service. It was just that while playing around with the IIS I has by mistake changed either the IUSR password or the password stored for it in all the webs. I reset the password, entered it into the webs, and users no longer require a password when accessing the non-secure part of the web. They do require a password when accessing the secure part which is how I want it.