Anonymous User Control; Magic of RPC; Storm Stories; more
Automated Security
As the primary admin for a Windows 2000 network for a graduate school, I look forward to implementing new ideas to ease my daily pains for Active Directory administration. I’ll certainly be able to apply some of the techniques employed in February’s article, “Automate Your Security” by Don Jones.
I’ve assembled a variety of methods to change actual service accounts, yet I’ve been unable to locate anything to change the “anonymous user” service account in IIS, along with the password. With various levels of development, staging and production accounts for various Web services, I have about 100 entries spread throughout the server farm that desperately need a password change out.
The old paradigm of assigning security permissions to groups rather than users didn’t get followed on the initial implementation of these service accounts. Likely, I’ll revamp that and grant the various NTFS permissions for the file services to a new group and then populate the group with several different accounts, including the current anony accounts. This way, I could approach servers one at a time and migrate the system without having to hit everything in the enterprise in one fell swoop.
Here’s an example. IIS Anony User name on WebserverA: UsernameA PW:****, a member of the Production Web Service accounts group. WebserverB also uses this account, as do 20 other components elsewhere. So instead of resetting the domain account password and having nearly everything break instantaneously, I’ll create a new account with the Service Account Group membership and change each server/service at a time until I no longer have UsernameA logging in anywhere. Finally, I can reset the original UsernameA account password or get rid of it altogether.
In my current madness, I’ll have to reset the account password at the Domain Level, then quickly click the OK buttons on each machine (I’d likely have the config dialogs for each box on my screen as a pre-stage effort). This will work, as long as I find all the accounts, and start/stop all the services. Inevitably, I’ll miss something. Even with a script to modify these accounts, there will be global downtime.
I’m looking forward to “Groupifying” my IIS Web anonymous connection accounts, but in the meantime, if Don has any suggestions on modifying this entry across the domain, I’d appreciate it.
—Bob Fuller, MCP
Glendale, Arizona
Actually, IIS 4.0 and later can automatically control the anonymous user account’s password, without any intervention from you as an administrator. IIS 6.0, for example, also has the capability. Knowledge Base article 332167, “IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password,” details how it works; IIS 6.0 turns the feature off for various reasons by default. KB article 184730, “Password Sync and IIS 4.0 Return FrontPage Error,” explains some issues about the way IIS 4.0 handled password management, which you might check up on.
The trick might be that you’re using a domain account, rather than the default local account. IIS can’t auto-manage a domain password because no single IIS server would be able to change the password and notify everyone else who’s using the account.
However, if you’re running IIS 5.0 or later, the IIS metabase is scriptable through a COM object. So, if all the Web servers are using one domain account, then it’s possible to write a script that tells every IIS machine what the new password is.
Hope that helps a bit, and I’m glad you found the article useful!
—Don Jones
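One way to do what Don describes, as an added example that is not code from the magazine or from Don Jones: a VBScript that binds to the W3SVC node of each server’s metabase through the IIS ADSI provider and writes the rotated password wherever the anonymous account in question is configured. The server names and the account name are assumptions; the password is prompted for rather than stored in the file. Run it after the password has been reset in the domain, from an account that is an administrator on every Web server listed.

```vbscript
' Added example (not from the magazine or from Don Jones): push a rotated
' anonymous-account password into the W3SVC metabase of several IIS 5.0+
' servers using the IIS ADSI provider.  Server names and the account name
' are assumptions; the password is prompted for, never hard-coded.
Option Explicit

Dim servers, userName, newPassword, i, svc, site, root, failed
servers = Array("WebserverA", "WebserverB")      ' assumed server names
userName = "DOMAIN\UsernameA"                    ' assumed domain account
newPassword = InputBox("New password for " & userName)
If newPassword = "" Then WScript.Quit 1

failed = 0
For i = 0 To UBound(servers)
    On Error Resume Next
    ' Service-level setting, inherited by every site that does not override it
    Set svc = GetObject("IIS://" & servers(i) & "/W3SVC")
    If Err.Number <> 0 Then
        WScript.Echo servers(i) & ": cannot open metabase, error " & Hex(Err.Number)
        Err.Clear
        failed = failed + 1
    Else
        If LCase(svc.AnonymousUserName) = LCase(userName) Then
            svc.AnonymousUserPass = newPassword
            svc.SetInfo
        End If
        ' A site root may carry its own explicit anonymous account; update only
        ' the roots that actually use the account being rotated
        For Each site In svc
            If site.Class = "IIsWebServer" Then
                Set root = GetObject(site.ADsPath & "/Root")
                If LCase(root.AnonymousUserName) = LCase(userName) Then
                    root.AnonymousUserPass = newPassword
                    root.SetInfo
                End If
            End If
        Next
        If Err.Number <> 0 Then
            WScript.Echo servers(i) & ": update failed, error " & Hex(Err.Number)
            Err.Clear
            failed = failed + 1
        Else
            WScript.Echo servers(i) & ": updated"
        End If
    End If
    On Error GoTo 0
Next

WScript.Echo "Done; " & failed & " server(s) need manual attention"
```

The script only touches the service node and each site’s root; a virtual directory nested below a root can override the anonymous account on its own, and those nodes would need the same check. Servers that report an error are listed at the end so the ones that were missed are known rather than discovered when the old password stops working.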
What a nice article. I wanted to give a heads-up on the unreliability of last logon. On NT domains, I noticed when I wrote a script for the same purpose, that the domain controller that last authenticated the user was the correct last logon. I had to go through all controllers and find the last.
I didn’t do this for Windows 2000 in compatibility or native AD, but it could be a similar situation.
—Levi Patrick II, MCP+I, MCSE, CCNA
Rockford, Illinois
NT correctly populates the attribute, but doesn’t replicate it; as you noted, you have to query every domain controller and take the latest date and time for each account. Win2K does the same thing—only Windows Server 2003 domain controllers correctly replicate the attribute, meaning you can get the latest info from just one DC.
—Don Jones
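The query-every-DC approach from the exchange above, written out as an added example that is not code from the column or from either correspondent: the script binds to the same user object through each domain controller’s own LDAP service, reads that DC’s local copy of lastLogon, and keeps the newest value. The DC names and the account’s distinguished name are assumptions.

```vbscript
' Added example (not from the column): read lastLogon for one account from
' every domain controller and keep the most recent value, because the
' attribute is updated locally on the authenticating DC and not replicated.
' DC names and the account DN are assumptions.
Option Explicit

Dim dcs, userDN, i, usr, li, ticks, stamp, newest, newestDC
dcs = Array("DC1", "DC2", "DC3")                      ' assumed DC names
userDN = "CN=UsernameA,CN=Users,DC=example,DC=com"    ' assumed DN

newest = 0
newestDC = "(none)"
For i = 0 To UBound(dcs)
    On Error Resume Next
    ' Bind through this DC by name so the read comes from its local copy
    Set usr = GetObject("LDAP://" & dcs(i) & "/" & userDN)
    If Err.Number <> 0 Then
        WScript.Echo dcs(i) & ": bind failed, error " & Hex(Err.Number)
        Err.Clear
    Else
        Set li = usr.Get("lastLogon")   ' IADsLargeInteger: 100-ns ticks since 1601
        If Err.Number <> 0 Then
            ' Attribute absent: this DC has never authenticated the account
            Err.Clear
            ticks = 0
        Else
            ' LowPart comes back as a signed 32-bit value; fold negatives back
            ticks = li.HighPart * (2 ^ 32) + li.LowPart
            If li.LowPart < 0 Then ticks = ticks + (2 ^ 32)
        End If
        If ticks > newest Then
            newest = ticks
            newestDC = dcs(i)
        End If
    End If
    On Error GoTo 0
Next

If newest = 0 Then
    WScript.Echo userDN & ": no logon recorded on any DC"
Else
    ' Ticks to days, added to the FILETIME epoch; the result is UTC
    stamp = CDate(#1/1/1601# + newest / 864000000000)
    WScript.Echo userDN & ": last logon " & stamp & " (UTC), recorded by " & newestDC
End If
```

A DC that cannot be reached is reported and skipped rather than silently treated as “never logged on”, since a stale-account report built while one DC is down would otherwise flag accounts that are still in use.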
It’s Magic
Great information in Bill Boswell’s February “Windows Insider” column, “The Magic of RPC over HTTP.” That was the single biggest feature that caught my eye about Exchange 2003. We were running RPC to our Exchange 2000 server over the Internet until all major ISPs started blocking TCP135. All of our users were then forced to use a VPN client. It was difficult to convince some users that simply double clicking an icon before launching Outlook really wouldn’t kill them...
—Eric, via online
Detroit, Michigan
Storm Stories
I read Derek Melber’s “Storm Stories” in the February issue. The junior administrator who applied a Group Policy Object to all servers should’ve been beaten severely. We’ve all made mistakes, but junior admins need to be scared when messing around with AD. I remember the first time I changed the company-wide login script. I checked and tested it at least 10 times. I was nervous as heck the next morning when everyone was logging in, but I was there watching for problems. I recognized that the changes I made could have a large impact. Messing with a GPO without checking to see what OUs it’s linked to indicates that the junior admin isn’t taking his job seriously enough.
—Ron, via online
Kansas
In Disaster Scenario 1, instead of editing the registry over the network, apply Service Pack 4 to the DC and run dcpromo /forceremoval. See: http://support.microsoft.com/default.aspx?scid=kb;en-us;332199
—Doug Sherman, via online
Taking Control
Mark Wingard’s “Take Control of Your Users” in the January issue was excellent. Where was this article seven years ago? Unfortunately for me, I had to learn all of those things the hard way. If I didn’t know better, I’d say that you were spying on my life seven years ago. Today, I manage a company of 500+ users with little effort and very happy managers and employees.
—David Tamayo, MCP, CCNA, CNA
Alexandria, Virginia
Let’s see, seven years ago I was also struggling with the same issues, but nobody had asked me to write an article about it! Best practices in desktop management has been an evolving field, and folks like you and I have had to learn it the hard way. Unfortunately, there are no books on the subject that I’m aware of, and articles seem to be hard to find, as well. I’m glad you liked the article.
—Mark Wingard
Free Thinking
In addition to the very good code of ethics that was referenced at SAGE.org, please also note the very long-standing set of professional conduct and ethics codes which have been in place for AITP (Association of IT Professionals) members for many years: http://www.aitp.org/organization/about/conduct/conduct.jsp
Thanks for talking about the subject; it definitely needs to stay in people's minds.
—Tim Plas, MCP