Under the topic of Anonymous Authentication, the IIS Help file states, "The anonymous account must have the user right to log on locally. If the account doesn't have the Log On Locally permission, IIS will not be able to service any anonymous requests." However, when I tested the anonymous logon, it seemed to be a network logon, not a local logon. Does the IUSR account require the Log On Locally right, as the documentation states?

In this case, the documentation is wrong. Strangely, it has been wrong for a long time. The IUSR account doesn't require the Log On Locally right. You can prove this point by enabling the Success for Audit Account Logon Events option, then checking the Security log in Event Viewer. As Figure 2 shows, you'll see the IUSR account logon event. Notice that the Logon Type field has a value of 3. This value corresponds to a network logon. A local logon (also called an interactive logon) is Logon Type 2. (For a description of the Logon Types, see the Microsoft article "Distinguishing Windows NT Audit Event Records," http://support.microsoft.com/default.aspx?scid=kb;en-us;q140714.)

The IUSR account has long been associated with the Log On Locally user right, so when I first discovered this error, I couldn't believe it. However, in Windows 2000, you can deny rights as well as assign them, so I conducted an experiment to deny the Log On Locally right to the anonymous account. This denial had no effect whatsoever on anonymous access to the test Web site.
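To make the Security-log check described above repeatable over a whole export rather than a single event, here is an added Python example (not from the original article) that tallies the Logon Type field per account and reports whether the IIS anonymous account produced network (type 3) or interactive (type 2) logons. The record format, the IUSR_WEB01 account name and the sample events are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Logon Type codes from the Windows Security log; 2 and 3 are the ones the
# article contrasts, the others are standard values listed for context.
LOGON_TYPES = {2: "Interactive (local)", 3: "Network", 4: "Batch", 5: "Service",
               8: "NetworkCleartext", 10: "RemoteInteractive"}

# Constructed sample records in the "Field: value" style of an Event Viewer
# text export of successful-logon audits. Not real data.
SAMPLE_EVENTS = """\
Successful Logon: User Name: IUSR_WEB01 Domain: WEB01 Logon ID: (0x0,0x1A2B) Logon Type: 3
Successful Logon: User Name: IUSR_WEB01 Domain: WEB01 Logon ID: (0x0,0x1A3C) Logon Type: 3
Successful Logon: User Name: Administrator Domain: WEB01 Logon ID: (0x0,0x2B4D) Logon Type: 2
Successful Logon: User Name: IUSR_WEB01 Domain: WEB01 Logon ID: (0x0,0x1B5E) Logon Type: 2
Successful Logon: User Name: svc_backup Domain: WEB01 Logon ID: (0x0,0x3C6F) Logon Type: 5
"""

EVENT_RE = re.compile(r"User Name:\s*(?P<user>\S+).*?Logon Type:\s*(?P<type>\d+)")

def parse_logons(text):
    """Yield (user, logon_type) for each record that carries a Logon Type field."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group("user"), int(m.group("type"))

def logon_types_by_user(text):
    """Map each account name to a Counter of its Logon Type codes."""
    result = defaultdict(Counter)
    for user, ltype in parse_logons(text):
        result[user][ltype] += 1
    return dict(result)

def anonymous_logon_summary(text, prefix="IUSR_"):
    """Return (network, interactive) logon counts for the IIS anonymous account(s)."""
    # A non-zero interactive count means anonymous requests did exercise the
    # Log On Locally right, so denying that right would break them.
    network = interactive = 0
    for user, counts in logon_types_by_user(text).items():
        if user.upper().startswith(prefix):
            network += counts[3]
            interactive += counts[2]
    return network, interactive

if __name__ == "__main__":
    for user, counts in sorted(logon_types_by_user(SAMPLE_EVENTS).items()):
        types = ", ".join(f"{LOGON_TYPES.get(t, 'Other')} x{n}" for t, n in sorted(counts.items()))
        print(f"{user}: {types}")
    print("IUSR network/interactive logons:", anonymous_logon_summary(SAMPLE_EVENTS))
```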


Reader Comments

I disagree with the information presented in this article. Assuming we are using anonymous logon, the logon type is determined by the check box in the section where we define the anonymous user/password.

If the check box "Allow IIS to Check Password" is checked, it creates a network logon; if it is not checked, then a local logon shows up in the event logs.

Zombie

Does the above logic also apply if you have all methods of authentication turned off except for anonymous access, and you are testing the web site locally?

Norm Laymon

The information in the original post is not complete, and therefore not entirely accurate. If the server is configured to allow anonymous access, but does *not* allow IIS to manually synchronize passwords, anonymous login attempts will, in fact, be recorded as *local* login attempts. Conversely, if IIS does perform automatic password synchronization ("Allow IIS to control password" is checked on the Anonymous User Account dialog from the WWW Service Master/Directory Security dialog), then the authentication will be performed by a special IIS subauthentication DLL (IISSubA.dll). Authentication handled by subauthentication DLLs is reported as *network* logins, and thus does *not* require Log On Locally privs, but *does* require "Access This Computer from the Network" privs.

The facts explaining this situation can be reviewed in detail at http://support.microsoft.com/kb/218756/EN-US/.

-David Whitney unchecked@cox.net
