Changing permissions on IIS Admin (iisadmin) service

Any time I do a lot of research on something, I like to document it here. With little detail, here’s the problem and solution, as point-blank as possible:

Problem:
A vulnerability scan on our Windows 2003 Server reports that,

"On this site, there is a problem with IIS. The SMB service has insecure permissions for Everyone: IIS Admin Service (IISADMIN) : DC, WD, WO
http://www.dont.hack.me.com/"

Solution:

I found that the “Everyone” user had access to the iisadmin service:

“D:” – Discretionary Access Control List (DACL) controls.
“S:” – System Access Control List (SACL) controls.
“A;;” – Allow
“WD” – Everyone

Checking another web server we have, I found slightly different permissions, but it definitely did not have the “WD” (Everyone) as part of the “D:” Discretionary permissions:

So I removed the “WD” entry:

I restarted the service and checked the various running websites, and all seemed OK. Without another vulnerability scan I won’t know for sure whether the scan no longer finds this, but still, removing Everyone from the iisadmin service seemed like a good idea.
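The check and the removal described above, as an added Python example that is not part of the original post: it parses a service descriptor in SDDL form (the text `sc sdshow iisadmin` prints), reports allow ACEs in the “D:” section that give Everyone the rights the scan flagged, and rebuilds the string without them while leaving the “S:” audit entries alone. The sample descriptor and all function names are constructed for illustration.

```python
import re

# Rights the scan flagged, with their access-mask bits for a service object.
RISKY = {"DC": 0x0002,    # SERVICE_CHANGE_CONFIG
         "WD": 0x40000,   # WRITE_DAC (rights field, not the trustee alias)
         "WO": 0x80000}   # WRITE_OWNER
EVERYONE = {"WD", "S-1-1-0"}  # trustee field: alias or raw SID for Everyone
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")  # flags, then ACEs

def dacl_aces(sddl):
    """Return (match, ACE strings) for the D: section only; S: is never touched."""
    m = DACL_RE.search(sddl)
    return (m, re.findall(r"\(([^()]*)\)", m.group(2))) if m else (None, [])

def risky_rights(rights):
    """Flagged rights present in an ACE rights field (letter pairs or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for name, bit in RISKY.items() if mask & bit]
    codes = re.findall("..", rights)  # pairs, so "SDCC" is not read as "DC"
    return [name for name in RISKY if name in codes]

def is_everyone_allow(ace):
    fields = ace.split(";")
    return len(fields) >= 6 and fields[0] == "A" and fields[5] in EVERYONE

def everyone_findings(sddl):
    """Allow ACEs in the DACL that grant Everyone any of the flagged rights."""
    return [(ace, risky_rights(ace.split(";")[2]))
            for ace in dacl_aces(sddl)[1]
            if is_everyone_allow(ace) and risky_rights(ace.split(";")[2])]

def remove_everyone_allow(sddl):
    """Rebuild the SDDL with every allow ACE for Everyone dropped from the DACL."""
    m, aces = dacl_aces(sddl)
    if not m:
        return sddl
    kept = "".join("(%s)" % a for a in aces if not is_everyone_allow(a))
    return sddl[:m.start()] + "D:" + m.group(1) + kept + sddl[m.end():]

# Constructed sample descriptor, not the real one from the server in the post.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for ace, rights in everyone_findings(SAMPLE):
        print("Everyone is granted", ",".join(rights), "by ACE", ace)
    print("Proposed:", remove_everyone_allow(SAMPLE))
```

The rebuilt string is what would be passed to `sc sdset iisadmin`; compare it against a known-good server, as the post does, before applying it.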


One Comment

  1. russds says:

    I found this site helpful: http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx. It lists all the various translations for those cryptic permission letters (WD, A:, CC, DC, etc.).
