Changing permissions on IIS Admin (iisadmin) service
Any time I do a lot of research on something, I like to document it here. With minimal detail, here's the problem and the solution as point-blank as possible:
A vulnerability scan of our Windows 2003 Server reports:
"On this site, there is a problem with IIS. The SMB service has insecure permissions for Everyone: IIS Admin Service (IISADMIN) : DC, WD, WO"
I found that the “Everyone” group had access to the iisadmin service. The fields in the permission string mean:
“D:” – Discretionary Access Control List (DACL); controls who is allowed or denied access.
“S:” – System Access Control List (SACL); controls auditing of access attempts.
“A;;” – Allow (an access-allowed entry).
“WD” – Everyone (when it appears as the trailing account field of an entry; the same two letters in the rights field mean WRITE_DAC).
Checking another webserver we have, I found slightly different permissions, but it definitely did not have “WD” (Everyone) in the “D:” (DACL) section:
So I removed the “WD” entry:
I restarted the service and checked the various running websites, and all seemed OK. Without another vulnerability scan I won't know for sure whether the finding is gone, but removing Everyone from the iisadmin service seemed like a good idea regardless.
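A small checker for the kind of permission string walked through above, added here as an example and not part of the original post: it parses an SDDL string into its DACL and SACL sections, flags allow entries that give Everyone (WD) the rights the scanner named (DC, WD, WO), and rebuilds the string with that entry removed. It assumes the descriptor was read with `sc sdshow` and would be written back with `sc sdset`; the sample descriptor inside is constructed, not the real iisadmin one.

```python
import re

# "WD" as an ACE's account field is Everyone; as a rights token it is WRITE_DAC.
EVERYONE_SID = "WD"
# On a service object "DC" is SERVICE_CHANGE_CONFIG; WD/WO are WRITE_DAC/WRITE_OWNER.
RISKY_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# A "D:" or "S:" section: optional control flags (P, AI, AR), then its ACE list.
SECTION_RE = re.compile(r"([DS]):((?:P|AI|AR)*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split an `sc sdshow` string into {"D": [...], "S": [...]}. Each ACE keeps
    its type, account SID and rights (the rights field split into 2-letter tokens)."""
    acls = {}
    for label, _ctrl, body in SECTION_RE.findall(sddl):
        acls[label] = []
        for ace in ACE_RE.findall(body):
            fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
            if len(fields) != 6:
                raise ValueError("malformed ACE: (%s)" % ace)
            rights = fields[2]
            acls[label].append({"type": fields[0], "sid": fields[5],
                                "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)]})
    return acls

def everyone_write_aces(sddl):
    """DACL allow-ACEs granting Everyone any RISKY_RIGHTS, as (ace, right names).
    An Everyone entry in the SACL is an audit ACE (logs, grants nothing); ignored."""
    hits = []
    for ace in parse_sddl(sddl).get("D", []):
        if ace["type"] == "A" and ace["sid"] == EVERYONE_SID:
            names = [RISKY_RIGHTS[t] for t in ace["rights"] if t in RISKY_RIGHTS]
            if names:
                hits.append((ace, names))
    return hits

def remove_sid_from_dacl(sddl, sid=EVERYONE_SID):
    """SDDL with every DACL ACE for `sid` dropped and the SACL untouched: the
    string you would hand to `sc sdset <service> <sddl>`."""
    def rebuild(m):
        if m.group(1) != "D":
            return m.group(0)
        kept = [a for a in ACE_RE.findall(m.group(3)) if a.split(";")[5] != sid]
        return "D:" + m.group(2) + "".join("(%s)" % a for a in kept)
    return SECTION_RE.sub(rebuild, sddl)

# Constructed sample shaped like sc sdshow output, not the author's real descriptor:
# Everyone holds DC, WD, WO in the DACL; the SACL carries an audit ACE for Everyone.
INSECURE_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRRCWDWO;;;WD)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Running `everyone_write_aces(INSECURE_SD)` reports the one Everyone entry with SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, while the Everyone audit entry in the SACL is left alone by `remove_sid_from_dacl`.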