Title:                     How to Change in IIS 6.0 and Com+ from Local Iusr and Iwam accounts to Domain Service Accounts

Disclaimer

This document is not necessarily a set of steps endorsed by, tested by, or guaranteed by Microsoft Product Support.  It has not been peer reviewed and offers no guarantees for any or every environment.  It is just one support engineer’s method for making the shift from two or three local accounts to two or three domain accounts in IIS 6.0.  It is possible some steps may have been forgotten.  This is a use-at-your-own risk document.

Problem

Are there any whitepapers or other official Microsoft documentation on how to remove an IIS 6.0 server's dependency on the local Iusr account and local Iwam account (and possibly the local Network Service account) in favor of one or more Active Directory domain-level service accounts?

Summary

Although there are no official whitepapers, there are several KB articles which I felt could be compiled into something resembling a whitepaper.  Based on these KBs (listed at the end of this article) I am suggesting a step-by-step sequence of (1) creating and configuring domain accounts to match the local accounts, (2) resetting NTFS permissions, (3) resetting user rights assignments, (4) adjusting domain policies, (5) backing up the metabase, (6) replacing the Iusr account at global and site levels in the IIS management console, (7) replacing the Iwam account in the IIS metabase with adsutil, (8) replacing the Network Service account in the application pools, (9) replacing the Iwam account in Com+ through synciwam.vbs, and (10) increasing auditing levels to aid troubleshooting when testing after the changes are made.

Create and Configure Domain Accounts

1. Decide which accounts need to be replaced

Begin by deciding which local accounts should be replaced with domain-level service accounts and create corresponding domain accounts with the account names of your choice.  There are only three accounts I'd recommend considering:

1. IUSR_MachineName - this user account is the anonymous guest account

2. IWAM_MachineName - this account is used mainly to launch Com+ components

3. Network Service - this account is created when IIS is installed and becomes the default account for Application Pool identities to run under

For the sake of this example, the domain account equivalent of each of the above local accounts will be:

1. IUSR_DomainName

2. IWAM_DomainName

3. NS_DomainName

2. Strong Passwords

When creating the accounts, please give them very strong passwords.  Offered only as an example of the expected strength, the passwords that one particular installation of IIS generated for its local accounts were "ROs4BKQ&8$Oy6g" for the IUSR account and "R\vJ#1qeI?Rc4N." for the IWAM account.

3. Advanced configuration

In Active Directory, give each domain account the same settings that its corresponding account has in the local SAM.  These settings may include the following:

Account active               Yes

Account expires              Never

Password expires             Never

Password required            No

User may change password     No

Workstations allowed         All

Logon hours allowed          All

To see exactly which properties the local accounts have, and which groups they belong to, consider running the following “net user” commands against the local IUSR and IWAM accounts on the web server.

C:\>net user iusr_machineName

User name                    IUSR_MachineName

Full Name                    Internet Guest Account

Comment                      Built-in account for anonymous access to Internet

Information Services

User's comment               Built-in account for anonymous access to Internet

Information Services

Country code                 000 (System Default)

Account active               Yes

Account expires              Never

Password last set            2/2/2007 10:21 AM

Password expires             Never

Password changeable          2/3/2007 10:21 AM

Password required            No

User may change password     No

Workstations allowed         All

Logon script

User profile

Home directory

Last logon                   2/16/2007 3:59 PM

Logon hours allowed          All

Local Group Memberships      *Guests

Global Group memberships     *None

The command completed successfully.

C:\>net user iwam_machinename

User name                    IWAM_MachineName

Full Name                    Launch IIS Process Account

Comment                      Built-in account for Internet Information Services

to start out of process applications

User's comment               Built-in account for Internet Information Services

to start out of process applications

Country code                 000 (System Default)

Account active               Yes

Account expires              Never

Password last set            2/2/2007 10:20 AM

Password expires             Never

Password changeable          2/3/2007 10:20 AM

Password required            No

User may change password     No

Workstations allowed         All

Logon script

User profile

Home directory

Last logon                   2/6/2007 5:09 PM

Logon hours allowed          All

Local Group Memberships      *IIS_WPG

Global Group memberships     *None

The command completed successfully.

If you choose to find a domain-level replacement for the Network Service account, you’ll need to actually visit the local computer’s users and groups console.

Start button > Run > Open: LUSRMGR.msc [Enter] > select Groups > double-click IIS_WPG . . .

Note in particular the members of the local IIS_WPG group: the local IWAM and the local Network Service accounts are both part of it.  When you configure your domain-level IWAM and/or Network Service replacements, it is highly recommended that you add them to the local IIS_WPG group on each web server.

There may be other groups you wish to double-check.

The local IUSR account is usually a member of the Guests group but does not have to be.  I would consider that to be optional but the only way to know for sure if that is truly optional in your environment is to test it out.
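The account creation and group membership described in this section, as an added example that is not part of the original article. It assumes the domain is CONTOSO, the OU shown exists, and the admin host has the ActiveDirectory module (RSAT); the final loop is meant to run on each IIS 6.0 web server, where plain net.exe is enough.

```powershell
# Added example, not from the original article: creates the three domain replacement
# accounts with the settings the net user output above shows for the local accounts,
# then mirrors the local group memberships on a web server. Assumptions: domain CONTOSO,
# the OU below exists, and the admin host has the ActiveDirectory module (RSAT); the
# last loop is meant to run on each IIS 6.0 server, where plain net.exe is enough.
Import-Module ActiveDirectory

$domain = 'CONTOSO'
$ou     = 'OU=Service Accounts,DC=contoso,DC=com'   # assumed OU; adjust to yours

# Name, description, and the local group the counterpart belongs to (per net user / LUSRMGR)
$accounts = @(
    @{ Name = 'IUSR_DomainName'; Desc = 'Internet Guest Account (replaces IUSR_MachineName)';    Group = 'Guests'  },
    @{ Name = 'IWAM_DomainName'; Desc = 'Launch IIS Process Account (replaces IWAM_MachineName)'; Group = 'IIS_WPG' },
    @{ Name = 'NS_DomainName';   Desc = 'Application pool identity (replaces Network Service)';   Group = 'IIS_WPG' }
)

# Settings mirrored from the local SAM accounts: active, password never expires, user may
# not change password. "Password required: No" is deliberately not mirrored; the domain
# accounts get long random passwords as the article recommends.
$mirror = @{
    Path                  = $ou
    Enabled               = $true
    PasswordNeverExpires  = $true
    CannotChangePassword  = $true
    ChangePasswordAtLogon = $false
}

foreach ($a in $accounts) {
    $pw = Read-Host -AsSecureString "Password for $domain\$($a.Name)"
    New-ADUser -Name $a.Name -SamAccountName $a.Name -Description $a.Desc `
               -AccountPassword $pw @mirror
    Write-Host "Created $domain\$($a.Name)"
}

# On each IIS 6.0 web server: IWAM and Network Service replacements go into the local
# IIS_WPG group (strongly recommended above); Guests for the IUSR replacement is optional.
foreach ($a in $accounts) {
    net localgroup "$($a.Group)" "$domain\$($a.Name)" /add
}
```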

Re-configure NTFS Permissions and User Rights Assignments

Begin by familiarizing yourself with the following KB article, as the steps that follow are entirely predicated upon it.

KB 812614 “Default permissions and user rights for IIS 6.0”

http://support.microsoft.com/default.aspx?scid=kb;EN-US;812614

This kb article delineates the default and normal NTFS permissions and which "User Rights Assignments" need to be set for IIS 6.0 to function normally.   Some people refer to this kb article as “the IIS Bible” due to its importance.

1. Begin by searching this KB article for IUSR

A. You should see that the local IUSR account has NTFS permissions of “Read & Execute, List, and Read” over the web content directories.  The domain-level replacement IUSR account will need the same permissions over the same files and folders:

·        Inetpub\wwwroot (or content directories) - IUSR_MachineName - Read, execute

B. The local IUSR account (and therefore the domain IUSR account) needs to have three User Rights Assignments:

·        Access this computer from the network - IUSR_MachineName

·        Allow log on locally (see Note) - IUSR_MachineName

·        Log on as a batch job - IUSR_MachineName

2. Next search this KB article for IWAM and note that there are no NTFS permissions required, but there are four User Rights Assignments required:

·        Access this computer from the network - IWAM_MachineName

·        Adjust memory quotas for a process - IWAM_MachineName

·        Log on as a batch job - IWAM_MachineName

·        Replace a process level token - IWAM_MachineName

3. Network Service

Search the KB for Network Service to find out what rights it is supposed to have and, therefore, which rights its successor should have.

·        Adjust memory quotas for a process - Network Service

·        Log on as a service - Network Service

·        Replace a process level token - Network Service

4. Additional Rights?

You may open the Local Security Policy Editor as follows: Start button > Run > Open: SecPol.msc [Enter]

It may be a good idea to peruse the local user rights assignments to see whether any of your local accounts have been given rights greater than the default and, if so, grant the domain accounts the same.

5. Additional NTFS permissions?

Generally speaking, the default and normal NTFS permissions on the web content directories and files are:

Administrators   - Full control

IIS_WPG          - RX, L, R

Iusr             - RX, L, R

System           - Full control

Users            - RX, L, R   (this is important only if you’re using integrated authentication in an intranet scenario and you want all users to have access to the website)

You’ll probably want to add the new domain-level Iusr account in this way.  You won’t need to add the IWAM or Network Service replacements since the replacements are presumably members of the IIS_WPG at this point in the process.
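The NTFS permission and the user rights from steps 1 to 5, applied to the domain accounts, as an added example that is not part of the original article. It assumes the names CONTOSO\IUSR_DomainName, CONTOSO\IWAM_DomainName and CONTOSO\NS_DomainName and a content root of D:\Inetpub\wwwroot, and is run as an administrator on each IIS 6.0 server; the user-rights part goes through secedit, whose /configure replaces rather than appends, which is why the current assignments are exported first.

```powershell
# Added example, not from the original article: applies the KB 812614 defaults walked
# through above to the domain replacement accounts, i.e. Read & Execute on the content
# tree for the IUSR replacement and the six user rights listed in steps 1 to 3. Assumed
# names: CONTOSO\IUSR_DomainName, CONTOSO\IWAM_DomainName, CONTOSO\NS_DomainName and the
# content root D:\Inetpub\wwwroot. Run as an administrator on each IIS 6.0 server.
$iusr = 'CONTOSO\IUSR_DomainName'; $iwam = 'CONTOSO\IWAM_DomainName'; $ns = 'CONTOSO\NS_DomainName'
$content = 'D:\Inetpub\wwwroot'

# 1. NTFS: ReadAndExecute already implies List folder contents and Read (RX, L, R); the
#    inheritance flags apply it to existing and future subfolders and files.
$acl  = Get-Acl -Path $content
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $iusr, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $content -AclObject $acl

# 2. User rights, keyed by the privilege constants secedit uses.
$rights = @{
    SeNetworkLogonRight           = @($iusr, $iwam)   # Access this computer from the network
    SeInteractiveLogonRight       = @($iusr)          # Allow log on locally
    SeBatchLogonRight             = @($iusr, $iwam)   # Log on as a batch job
    SeIncreaseQuotaPrivilege      = @($iwam, $ns)     # Adjust memory quotas for a process
    SeAssignPrimaryTokenPrivilege = @($iwam, $ns)     # Replace a process level token
    SeServiceLogonRight           = @($ns)            # Log on as a service
}
function Get-SidEntry([string]$account) {   # secedit templates list holders as *SID
    $nt = New-Object System.Security.Principal.NTAccount($account)
    '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
# secedit /configure REPLACES the holder list of every right named in the template, so
# export the current assignments and append to them instead of writing a fresh list.
$cur = "$env:TEMP\rights-current.inf"; $new = "$env:TEMP\rights-new.inf"
secedit /export /cfg $cur /areas USER_RIGHTS /quiet
$out = @(foreach ($line in Get-Content $cur) {
    $name = ($line -split '=', 2)[0].Trim()
    if (-not $rights.ContainsKey($name)) { $line; continue }
    $have = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() })
    $add  = @($rights[$name] | ForEach-Object { Get-SidEntry $_ } | Where-Object { $have -notcontains $_ })
    $rights.Remove($name)
    "$name = " + (($have + $add) -join ',')
})
# Rights nobody currently holds are absent from the export, so add them as new lines
# (the [Privilege Rights] section is the last one in a USER_RIGHTS-only export).
foreach ($name in @($rights.Keys)) {
    $out += "$name = " + (@($rights[$name] | ForEach-Object { Get-SidEntry $_ }) -join ',')
}
Set-Content -Path $new -Value $out -Encoding Unicode
secedit /configure /db "$env:TEMP\rights.sdb" /cfg $new /areas USER_RIGHTS /quiet
```

Afterwards, SecPol.msc (step 4) is the place to confirm that the local accounts' original holders are still listed alongside the domain accounts.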

Adjust Policies

Adjust domain policies so that the domain IUSR and IWAM accounts receive what was previously granted to the local IUSR and IWAM accounts.

If desired/needed, run RSoP on the local accounts and their successors to compare and contrast.

323276  How To Install and Use RSoP in Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;323276

Back up the Metabase

On all IIS servers, please make a metabase backup before making any changes to the IIS configuration.

324277  How To Create a Metabase Backup by Using IIS 6.0 in Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;324277

302573  How To Back Up and Restore IIS

http://support.microsoft.com/default.aspx?scid=kb;EN-US;302573

http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true

Scripts for IIS 5, 5.1 and 6.0: search for “Back Up the Metabase Using a Password”.

Replace Iusr Accounts

On the IIS Web Server(s), open the Internet Services Manager (Start > Run > Open: Inetmgr [Enter]).

Right-click the folder named “Web Sites” in the left-hand pane and choose Properties from the context menu.

Select the Directory Security tab > Anonymous Access > Edit.

Replace the default anonymous user account (IUSR_machinename) and its password with the domain user account and its password.

This will effect the change at the “global level”, which will trickle down to any website created in the future.

Visit the properties sheet of every existing website and do the same thing in its properties sheet.  This must be done to make the change in the existing web sites.

Test each website.

Replace IWAM account in the IIS Metabase

From the command prompt, go to the directory <system drive>:\inetpub\adminscripts and run the following commands to replace the local iwam account with your domain iwam account:

Cscript adsutil.vbs SET W3SVC/WAMUserName IWAM_DOMAINNAME

Cscript adsutil.vbs SET W3SVC/WAMUserPass "<password>"
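The IUSR replacement at the global and site levels (previous section) and the IWAM replacement in the metabase (this section), done in one pass through the same IIS ADSI provider that adsutil.vbs uses; this is an added example, not the article's own script. It assumes the account names CONTOSO\IUSR_DomainName and CONTOSO\IWAM_DomainName (a domain account is written DOMAIN\name in the metabase) and is run on the web server as an administrator after the metabase backup.

```powershell
# Added example, not part of the original article. Makes the same change as the two
# console/adsutil procedures above, but through the IIS ADSI provider that adsutil.vbs
# itself uses: the anonymous (IUSR) identity at the global W3SVC level and on every
# existing site, and the IWAM identity at W3SVC. Assumed account names:
# CONTOSO\IUSR_DomainName and CONTOSO\IWAM_DomainName (a domain account must be written
# DOMAIN\name). Run on the web server as an administrator, after the metabase backup.
$iusr = 'CONTOSO\IUSR_DomainName'
$iwam = 'CONTOSO\IWAM_DomainName'
$iusrPw = Read-Host "Password for $iusr"   # plain text is needed for the Put below
$iwamPw = Read-Host "Password for $iwam"

function Set-AnonymousIdentity([string]$path) {
    $node = [ADSI]$path
    $node.Put('AnonymousUserName', $iusr)
    $node.Put('AnonymousUserPass', $iusrPw)
    # IIS can only auto-manage the password of the local IUSR account; with a domain
    # account this (the "Allow IIS to control password" check box) must be off.
    $node.Put('AnonymousPasswordSync', $false)
    $node.SetInfo()
    Write-Host "Anonymous identity on $path set to $iusr"
}

# Global level ("Web Sites" properties sheet): inherited by sites created later.
$w3svc = [ADSI]'IIS://localhost/W3SVC'
Set-AnonymousIdentity $w3svc.Path
# Equivalent of: cscript adsutil.vbs SET W3SVC/WAMUserName ... and W3SVC/WAMUserPass ...
$w3svc.Put('WAMUserName', $iwam)
$w3svc.Put('WAMUserPass', $iwamPw)
$w3svc.SetInfo()

# Existing sites hold their own explicit values (which is why the article has you visit
# each site's properties sheet), so set the site node and its Root virtual directory too.
# Virtual directories below Root that carry their own explicit value are not touched.
foreach ($site in $w3svc.Children | Where-Object { $_.SchemaClassName -eq 'IIsWebServer' }) {
    Write-Host "Site $($site.Name): $($site.ServerComment)"
    Set-AnonymousIdentity $site.Path
    Set-AnonymousIdentity "$($site.Path)/Root"
}

# Carry the IWAM change into the COM+ catalog (the article's next section).
cscript.exe "$env:SystemDrive\inetpub\adminscripts\synciwam.vbs" -v
```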

Replace Network Service Account in Application Pools

If the Network Service account is being replaced with a domain account, open the IIS manager and select the folder named “Application Pools” in the left-hand pane.

Visit the properties sheet of every application pool whose identity you wish to replace.

Select the “Configurable” option and type the username and password of the new account, as seen in the screenshots below.

Test the websites and/or application pools.

Change IWAM in Com+

If you replaced the IWAM account in IIS, you’ll probably also want to adjust the relevant Com+ properties so that they accept the new IWAM account as well.

To do this you may want to run synciwam.vbs from c:\inetpub\adminscripts.

c:\inetpub\adminscripts\> cscript.exe synciwam.vbs -v

Synciwam.vbs will read the changes you made in the metabase and take those changes over into the DCOM catalog.

After synciwam has been run, double-check Com+ to make sure that all areas have been set properly.

On the Start menu, click Run.  In the Run dialog box, type dcomcnfg, and then click OK.

Drill down into the Com+ Applications and change the view to Detail view, as seen below.

Note which Com+ components have IWAM listed in the Account column, as seen below.

Switch to the Identity tab to change from the local IWAM account to the domain IWAM account.

Before Testing

Before testing IIS and COM+ with the new accounts in place, it may be a good idea to ensure that you’re auditing for all failures in the Local Security Policy of the web server.

This way if there is a problem with one of the new accounts, you may have a greater chance of seeing a clue to the problem in the security event log.

Make changes if needed.

Run gpupdate /force

Test
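One way to read the failure audits the paragraph above is hoping to catch, as an added example that is not part of the original article. It assumes the account names used elsewhere in these examples and PowerShell 2.0 or later on the web server; the event IDs named in the comment are the Windows Server 2003 security log IDs.

```powershell
# Added example, not part of the original article. After failure auditing is on and the
# sites have been exercised, pull the failure audits that mention the new accounts and
# summarise them by event ID. Assumed account names as above; PowerShell 2.0 or later.
$accounts = 'IUSR_DomainName', 'IWAM_DomainName', 'NS_DomainName'
$pattern  = ($accounts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$since    = (Get-Date).AddHours(-1)   # start of your test window

# On Windows Server 2003 the IDs to look for include 529 (bad user name or password) and
# 534 (account not granted the requested logon type, i.e. a missing user right such as
# "Log on as a batch job"), which is exactly what an incomplete migration produces.
function Get-NewAccountFailures {
    Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
        Where-Object { $_.Message -match $pattern } |
        Group-Object -Property EventID |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            New-Object PSObject -Property @{
                EventID = [int]$_.Name
                Count   = $_.Count
                Latest  = $latest.TimeGenerated
                Account = [regex]::Match($latest.Message, $pattern).Value
                Detail  = ($latest.Message -split "`r?`n")[0]
            }
        }
}
Get-NewAccountFailures | Format-Table EventID, Count, Latest, Account, Detail -AutoSize
```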

Related Links

812614 Default permissions and user rights for IIS 6.0

http://support.microsoft.com/default.aspx?scid=kb;EN-US;812614

297989  PRB: Configured Identity Is Incorrect for IWAM Account

http://support.microsoft.com/default.aspx?scid=kb;EN-US;297989

\Inetpub\AdminScripts\SyncIwam.vbs

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/5e7f8cde-4a01-42bd-acaf-f8f7d091ef7c.asp

324277  How To Create a Metabase Backup by Using IIS 6.0 in Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;324277

Script Repository: Internet Information Server 6.0

http://www.microsoft.com/technet/scriptcenter/scripts/iis/iis6/default.mspx