Certified Mail

Anonymous User Control; Magic of RPC; Storm Stories; more

Automated Security
As the primary admin for a Windows 2000 network for a graduate school, I look forward to implementing new ideas to ease my daily pains for Active Directory administration. I’ll certainly be able to apply some of the techniques employed in February’s article, “Automate Your Security” by Don Jones.

I’ve assembled a variety of methods to change actual service accounts, yet I’ve been unable to locate anything to change the “anonymous user” service account in IIS, along with the password. With various levels of development, staging and production accounts for various Web services, I have about 100 entries spread throughout the server farm that desperately need a password change out.

The old paradigm of assigning security permissions to groups rather than users didn’t get followed on the initial implementation of these service accounts. Likely, I’ll revamp that and grant the various NTFS permissions for the file services to a new group and then populate the group with several different accounts, including the current anony accounts. This way, I could approach servers one at a time and migrate the system without having to hit everything in the enterprise in one fell swoop.

Here’s an example. IIS Anony User name on WebserverA: UsernameA PW:****, a member of the Production Web Service accounts group. WebserverB also uses this account, as do 20 other components elsewhere. So instead of resetting the domain account password and having nearly everything break instantaneously, I’ll create a new account with the Service Account Group membership and change each server/ service at a time until I no longer have UsernameA logging in anywhere. Finally, I can reset the original UsernameA account password or get rid of it altogether.

In my current madness, I’ll have to reset the account password at the Domain Level, then quickly click the OK buttons on each machine (I’d likely have the config dialogs for each box on my screen as a pre-stage effort). This will work, as long as I find all the accounts, and start/stop all the services. Inevitably, I’ll miss something. Even with a script to modify these accounts, there will be global downtime.

I’m looking forward to “Groupifying” my IIS Web anonymous connection accounts, but in the meantime, if Don has any suggestions on modifying this entry across the domain, I’d appreciate it.
—Bob Fuller, MCP
Glendale, Arizona

Actually, IIS 4.0 and later can automatically control the anonymous user account’s password, without any intervention from you as an administrator.

IIS 6.0, for example, also has the capability. Knowledge Base article 332167, “IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password,” details how it works; IIS 6.0 turns the feature off for various reasons by default. KB article 184730, “Password Sync and IIS 4.0 Return FrontPage Error,” explains some issues about the way IIS 4.0 handled password management, which you might check up on.

The trick might be that you’re using a domain account, rather than the default local account. IIS can’t auto-manage a domain password because no single IIS server would be able to change the password and notify everyone else who’s using the account.

However, if you’re running IIS 5.0 or later, the IIS metabase is scriptable through a COM object. So, if all the Web servers are using one domain account, then it’s possible to write a script that tells every IIS machine what the new password is.

Hope that helps a bit, and I’m glad you found the article useful!
—Don Jones

What a nice article. I wanted to give a heads-up on the unreliability of last logon. On NT domains, I noticed when I wrote a script for the same purpose, that the domain controller that last authenticated the user was the correct last logon. I had to go through all controllers and find the last.

I didn’t do this for Windows 2000 in compatibility or native AD, but it could be a similar situation.
—Levi Patrick II, MCP+I, MCSE, CCNA
Rockford, Illinois

NT correctly populates the attribute, but doesn’t replicate it; as you noted, you have to query every domain controller and take the latest date and time for each account. Win2K does the same thing—only Windows Server 2003 domain controllers correctly replicate the attribute, meaning you can get the latest info from just one DC.
—Don Jones

It’s Magic
Great information in Bill Boswell’s February “Windows Insider” column, “The Magic of RPC over HTTP.” That was the single biggest feature that caught my eye about Exchange 2003. We were running RPC to our Exchange 2000 server over the Internet until all major ISPs started blocking TCP135. All of our users were then forced to use a VPN client. It was difficult to convince some users that simply double clicking an icon before launching Outlook really wouldn’t kill them...
—Eric, via online
Detroit, Michigan

Storm Stories
I read Derek Melber’s “Storm Stories” in the February issue. The junior administrator who applied a Group Policy Object to all servers should’ve been beaten severely. We’ve all made mistakes, but junior admins need to be scared when messing around with AD. I remember the first time I changed the company-wide login script. I checked and tested it at least 10 times. I was nervous as heck the next morning when everyone was logging in, but I was there watching for problems. I recognized that the changes I made could have a large impact. Messing with a GPO without checking to see what OUs it’s linked to indicates that the junior admin isn’t taking his job seriously enough.
—Ron, via online

In Disaster Scenario 1, instead of editing the registry over the network, apply Service Pack 4 to the DC and run dcpromo /forceremoval. See: http://support.microsoft.com/default.aspx?scid=kb;en-us;332199
—Doug Sherman, via online

Taking Control
Mark Wingard’s “Take Control of Your Users” in the January issue was excellent. Where was this article seven years ago? Unfortunately for me, I had to learn all of those things the hard way. If I didn’t know better, I’d say that you were spying on my life seven years ago. Today, I manage a company of 500+ users with little effort and very happy managers and employees.
—David Tamayo, MCP, CCNA, CNA
Alexandria, Virginia

Let’s see, seven years ago I was also struggling with the same issues, but nobody had asked me to write an article about it! Best practices in desktop management has been an evolving field, and folks like you and I have had to learn it the hard way. Unfortunately, there are no books on the subject that I’m aware of, and articles seem to be hard to find, as well. I’m glad you liked the article.
—Mark Wingard

Free Thinking
In addition to the very good code of ethics that was referenced at
SAGE.org, please also note the very long-standing set of professional
conduct and ethics codes which have been in place for AITP (Association of IT
Professionals) members for many years: http://www.aitp.org/organization/about/conduct/conduct.jsp
Thanks for talking about the subject; it definitely needs to stay in
people's minds.
—Tim Plas, MCP

About the Author

Have a question or comment about an article or letter that appeared in MCP Magazine?


comments powered by Disqus

Subscribe on YouTube