Bharat Suneja

Bizarre RSS Feed issue with FeedBurner?

The site's having some issues with the FeedBurner RSS feed when viewed in Firefox.

Firefox users, please use the Atom feed meanwhile.

Tuesday, July 08, 2008

In previous versions of IIS, the IUSR_MachineName account was created for anonymous authentication. This is an actual user account created on the server (a domain account can be used in domain environments), and like all user accounts, it has a SID and an account password, with the accompanying management costs and risks.

One of the resulting annoyances (for me): when you install IIS first and then change the computer name, the computer name and the MachineName in IUSR_MachineName account don't match.

IIS 7 gets rid of the IUSR_MachineName account in favor of a built-in IUSR account that's guaranteed to have the same SID on all computers. This ensures ACLs copied from one web server to another work, domain accounts are no longer required, and applications can be easily deployed across multiple web servers. The IIS_WPG group (for IIS Application Pool identities) is replaced by the built-in group IIS_IUSRS.

Note: The IUSR_MachineName account isn't completely gone: it is used for anonymous authentication to FTP, and gets created if/when you install FTP.
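To see which ACL entries on a content tree depend on a per-machine account rather than the fixed-SID IUSR and IIS_IUSRS, here is an audit script, added as an example and not part of the original post. The default `$Path` and the helper name `Resolve-Ace` are assumptions; the two SIDs are the well-known values for IUSR and IIS_IUSRS.

```powershell
# Added example (not from the original post). $Path is an assumed site root.
param([string]$Path = 'C:\inetpub\wwwroot')

# Well-known SIDs: identical on every Windows installation.
$Portable = @{
    'S-1-5-17'     = 'IUSR (IIS 7 anonymous identity)'
    'S-1-5-32-568' = 'IIS_IUSRS (replaces IIS_WPG)'
}

# Hypothetical helper: classify one access control entry.
function Resolve-Ace {
    param($Ace, [string]$File)
    $id = $Ace.IdentityReference
    # SID of the trustee; $null if it cannot be mapped.
    $sid = try { $id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
    # Does the trustee resolve to an account name on *this* machine?
    $resolves = try { [void]$id.Translate([System.Security.Principal.NTAccount]); $true } catch { $false }

    $kind = if ($sid -and $Portable.ContainsKey($sid)) {
        "portable: $($Portable[$sid])"
    } elseif ("$id" -match '\\IUSR_') {
        'legacy per-machine IUSR_<name> account'
    } elseif (-not $resolves) {
        'orphaned SID (account not known on this server)'
    } elseif ($sid -like 'S-1-5-21-*') {
        'local or domain account (SID tied to its issuer)'
    } else {
        'other well-known principal'
    }

    [pscustomobject]@{
        Path     = $File
        Identity = "$id"
        Sid      = $sid
        Rights   = $Ace.FileSystemRights
        Kind     = $kind
    }
}

$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

# Only explicit ACEs are reported; inherited ones are fixed at the parent.
$items | ForEach-Object {
    $file = $_.FullName
    (Get-Acl -LiteralPath $file).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { Resolve-Ace -Ace $_ -File $file }
} | Where-Object { $_.Kind -notlike 'portable*' } | Format-Table -AutoSize
```

Entries reported as orphaned or as a legacy IUSR_<name> account are the ones that stop granting access when the content and its ACLs are copied to another web server.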

More on the IIS team blog in 'Understanding the Built-In User and Group Accounts in IIS 7.0'

- Security identifiers
- Well-known security identifiers in Windows operating systems


Wednesday, June 11, 2008

Windows Server 2008's new Windows Server Backup utility, the replacement for NTBackup, doesn't do Exchange backups out of the box.

I'm in Scott Schnoll's session where he just announced a new Microsoft plug-in that will do Exchange VSS backups. The tool will be released this summer.

More notes from this excellent session soon!


Wednesday, May 09, 2007

One of the nice features I noticed in the Active Directory Users & Computers (ADUC) console in Longhorn server: an object's properties now include a built-in Attribute Editor tab that lets you edit the object's attributes directly. In previous versions, one had to use a tool like ADSIEdit to edit attributes not exposed by the ADUC user interface. The Attribute Editor will save trips to ADSIEdit for editing such unexposed attributes (for instance, the employeeID and employeeNumber attributes, as shown in the screenshot below). When directly editing AD attributes, it's important to ensure the validity of the data entered or changed, just as you would with tools like ADSIEdit.


Monday, April 30, 2007

We've been hearing a lot about 'crapware' apps installed by hardware vendors on desktops and laptops - apps like AOL (or other ISP) software, myriad browser add-ins and toolbars, trial versions of anti-virus, firewall, and security software that you may never use - perhaps because your organization has standardized on more manageable enterprise versions of such apps, or because the apps installed are not the ones you would choose, or are completely useless. Annoying as it is to get these apps installed by default, what's even more annoying is that most vendors give you no option to get a computer with just a "clean"/base operating system installed.

Given the razor-thin margins in the PC industry, vendors cannot resist augmenting their bottom line through such deals with application vendors.

However, little attention has been paid to the crapware that comes with the operating system itself. For instance, why does a server OS need Windows Media Player installed by default? Cursors of different shapes and sizes? Themes and wallpapers? NetMeeting? It's a long list.

It's a common practice in many organizations, where servers are deployed/redeployed on a regular basis, to build a secure server image sans all these apps and services that are of no use on a server (further locked down using the organization's secure server build procedures).

Luckily, that's not the case with Longhorn server. None of the crapware or desktop-like apps get installed by default. Should you want to, features like "Desktop Experience" can be installed.



Additionally, two things ensure Longhorn servers are leaner, with a reduced attack surface: Server Core, a barebones install of the OS without the Windows Explorer GUI (it can be managed locally from the command line or remotely from a workstation with management tools installed), and purposing a server based on server roles, 17 of which are available in Beta3.

It's important to realize that the Windows management experience is going to change from the everything-turned-on-by-default model of previous versions of Windows (server and client OSes), where you disabled or removed the components you did not need, to one where you get a basic install that makes the OS functional, requiring other components to be added/enabled/configured later, as required.

One component that does get installed by default is Internet Explorer. It would be great to get rid of this as well - though a web browser may be seen as an essential component of the OS by many, particularly - as the argument goes - for the ability to download patches/updates/drivers, etc., do you really want to browse web sites from the server? Using IE?
