Who is the anonymous user?!

Many questions that we get on the forum's are around which users need which permissions for what resources ... isn't that how life goes?  :) 

Anyways, to make this more complicated, we have changed "who" the "anonymous" user is in different versions of IIS.  We did this to make migration easier and to make configuration less machine dependent.  Also, the Web Deployment Tool will handle many of the migration difficulties that would arise from these changes (be thankful!) ... you can find Web Deploy here:  http://www.iis.net/extensions/WebDeploymentTool 

So let's walk through who the anonymous user has been and how they have changed.

First, what is the anonymous user?  This is the Windows user context that IIS impersonates when anonymous HTTP requests come into the web server.  Now, you can configure the "anonymous" user to be a specific Windows user, but I'll ignore that scenario for now, let's just talk about the default's. 

IIS 5.x & IIS 6.0 - the anonymous user was the IUSR_{computername} user ... this user was created when you install IIS and it had the computername appended to it; now in IIS 6.0 we added a permission that would explicitly DENY this user Write access to content (lots of viruses are potentially thwarted this way!) - see here:  http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/9ded7af2-fcb7-4ed2-b007-e19f971f6e13.mspx?mfr=true and here http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx (this also talks about how IIS control's the password for this user - a sometimes problematic issue)

IIS 7.0 - the anonymous user is now IUSR always the same and just a simple name, this article goes into greater detail about this change: http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/ 
Since this account is now built into Windows, IIS no longer needs to control the password - (it doesn't really have a password)

I hope that helps clarify how the anonymous user has changed over time.  Next post is how the "process account" has changed over time.

Dave

No Comments