Tuesday, November 19, 2019

Using a Domain Account for security vs. a Local User Account in IIS

Description

How do I replace Local User Accounts with a Domain Account for security?
Solution

Following are directions for web server configuration to replace Local User Accounts with a Domain Account.

1. On the server hosting xxx:

  • Ensure that the Domain User Account is in the Administrators group on the server hosting xxx.
  • To ensure that the Domain User Account is in the Administrators group:
    1. Log into the server hosting xxx using an administrator account.
    2. Log on to your xxx server and check the Local Users / Groups. Add the Domain User Account as a member of the Administrators group.
  Your login account (Administrators group) may not be the same as the service account below.

2. In the Internet Information Systems (IIS) Manager:

  • Ensure the Application Pool for the app is using a service account (Domain User Account).
  • To check that the Application Pool for the app is using the service account (Domain User Account):
    1. Select the Application Pool for the app and open Advanced Settings. Click on Identity and enter the Domain User Account and password.
    2. Configure the website to connect using the Domain User Account.
  • To check that the website is connecting using the Domain User Account:
    1. Configure the website "Basic Settings" to use the Domain User Account. Test settings to check if it passes. If not, configure it to "connect as" the Domain User Account. Once you do this, test settings again to make sure it passes.
    2. Next, under the website, select the pool. Go to Basic Settings and configure it to "connect as" the Domain User Account.
  • Ensure the Administrators group and the Domain User Account have been added to the local security policy.
  • To check that the Administrators group and the service account have been added to the local security policy (this is the critical step):
    1. Go to Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Log on as a batch job (double-click to open). Make sure the local Administrators group and the Domain User Account have been added.

3. Reset IIS:

  • Open a command window and run the following command: C:\> iisreset

4. Check the website for proper operation:

  • Open a browser and navigate to the WhatsUp Gold application.
quoted from https://community.ipswitch.com/s/article/From-Case-security
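The same procedure, scripted so each step can be applied and verified from an elevated PowerShell prompt. This is an added example; it is not code from the Ipswitch article or from this post. The account name, application pool name, site name and the test URL are placeholders to substitute. Note that the local Administrators membership is a requirement the article states for this product; IIS itself does not need an application pool identity to be an administrator, so the script checks membership before adding it rather than adding blindly.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

$ServiceAccount = 'CORP\svc-whatsup'      # assumption: the domain service account
$AppPool        = 'WhatsUpGoldAppPool'     # assumption: the app pool name
$Site           = 'Default Web Site'       # assumption: the site name
$TestUrl        = 'http://localhost/'      # assumption: where the app answers
$Cred     = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
$Password = $Cred.GetNetworkCredential().Password

# Step 1: the article requires the account in the local Administrators group.
$members = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
if ($members -notcontains $ServiceAccount) {
    Add-LocalGroupMember -Group 'Administrators' -Member $ServiceAccount
}

# Step 2a: run the application pool as the domain account (identityType 3 = SpecificUser).
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 3
    userName     = $ServiceAccount
    password     = $Password
}

# Step 2b: make the site's root virtual directory "connect as" the same account.
$vdir = "system.applicationHost/sites/site[@name='$Site']/application[@path='/']/virtualDirectory[@path='/']"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $vdir -Name userName -Value $ServiceAccount
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $vdir -Name password -Value $Password

# Step 2c (the "critical step"): verify "Log on as a batch job" for Administrators
# and the service account. secedit exports the right as a list of SIDs.
$sid      = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
$adminSid = 'S-1-5-32-544'     # well-known SID of BUILTIN\Administrators
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$batchLine = ((Get-Content $cfg) -match '^SeBatchLogonRight') -join ''
Remove-Item $cfg
foreach ($required in @($adminSid, $sid)) {
    if ($batchLine -notmatch [regex]::Escape("*$required")) {
        Write-Warning "$required lacks 'Log on as a batch job'; grant it in Local Security Policy"
    }
}

# Step 3: reset IIS. Step 4: confirm the site answers under the new identity.
iisreset | Out-Null
$resp = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing
"Site returned HTTP $($resp.StatusCode)"
```

If the Step 2c warning fires, the application pool will start but the site will fail with a logon error, which is the symptom the article's "critical step" is meant to prevent.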

Custom IIS App Pool Identity: Value does not fall within the expected range


This error typically means the RSA key container IIS uses to decrypt application pool passwords ("iisWasKey") on the broken machine does not match the one its applicationHost.config refers to, for example after the server was cloned from an image. Fix it by copying the key container from a working machine. Run both commands from an elevated command prompt; the exported XML contains the private key, so protect it in transit and delete it once imported.

Export the key container, including its private key, on the good machine:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -px "iisWasKey" "C:\temp\AESKeys.xml" -pri

Import it on the broken machine:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -pi "iisWasKey" "C:\temp\AESKeys.xml"

Then copy the <configProtectedData> block from the good server's %windir%\System32\inetsrv\config\applicationHost.config over the one on the bad server so the provider definitions (and the key container they name) match:
   <configProtectedData>
       <providers>
           <add name=........
           <add name=........
       </providers>
   </configProtectedData>

Finally, restart the Windows Process Activation Service and W3SVC so IIS picks up the new key container:
net stop was /y
net start w3svc
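The export and import above as two PowerShell functions: run Export-IisWasKey on the working server, move the two files it writes to the broken server, then run Import-IisWasKey there. This is an added example, not code from this post; the directory names and the backup naming are assumptions, and the function names are invented here.

```powershell
#Requires -RunAsAdministrator
$AspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$AppHost      = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

function Export-IisWasKey {
    param([string]$OutDir = 'C:\temp')   # assumption: staging directory
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $keyFile = Join-Path $OutDir 'AESKeys.xml'
    # -px exports the RSA key container; -pri includes the private key, so the
    # file must be protected in transit and removed after the import.
    & $AspnetRegiis -px 'iisWasKey' $keyFile -pri
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -px failed with exit code $LASTEXITCODE" }
    # Save the matching <configProtectedData> section so the provider definitions travel with the key.
    [xml]$cfg = Get-Content -Raw $AppHost
    $cfg.configuration.configProtectedData.OuterXml |
        Set-Content (Join-Path $OutDir 'configProtectedData.xml')
    Get-ChildItem $OutDir
}

function Import-IisWasKey {
    param([string]$InDir = 'C:\temp')    # assumption: where the two files were copied
    $keyFile   = Join-Path $InDir 'AESKeys.xml'
    $blockFile = Join-Path $InDir 'configProtectedData.xml'
    # Keep a backup of applicationHost.config before editing it.
    Copy-Item $AppHost "$AppHost.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    & $AspnetRegiis -pi 'iisWasKey' $keyFile
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pi failed with exit code $LASTEXITCODE" }
    # Replace the local <configProtectedData> section with the good server's copy.
    [xml]$cfg  = Get-Content -Raw $AppHost
    [xml]$good = Get-Content -Raw $blockFile
    $imported  = $cfg.ImportNode($good.DocumentElement, $true)
    $cfg.configuration.ReplaceChild($imported, $cfg.configuration.configProtectedData) | Out-Null
    $cfg.Save($AppHost)
    # The XML holds the private key; do not leave it on disk.
    Remove-Item $keyFile
    # Same as "net stop was /y" and "net start w3svc": WAS stops its dependents,
    # starting W3SVC brings WAS back with the new key container.
    Stop-Service WAS -Force
    Start-Service W3SVC
}
```

After Import-IisWasKey, open the application pool's Advanced Settings and re-enter the identity; if the error is gone, the key container and the provider definitions now agree.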