Friday, November 28, 2008

How to find the IUSR password and IWAM password in IIS

If you allow anonymous users to access your Web site, they'll be accessing your computer using the built-in IUSR_computername account that is created automatically by IIS.

Processes initiated by IIS run on your machine using the built-in IWAM_computername account, also created automatically by IIS.

This is all configurable -- you can configure IIS to use other accounts for anonymous access, and for processes. But by default, these are the ones that get used.

Here is how to find out the passwords for the IUSR or IWAM accounts:

1. Navigate to C:\Inetpub\AdminScripts

2. Edit the file called adsutil.vbs

3. Scroll down almost to the bottom, to where it says

    If (Attribute = True) Then
        IsSecureProperty = True
    Else
        IsSecureProperty = False
    End If

4. On the first condition, change True to False, like this



5. Save the change.

6. Now that you have modified the script, you can run a couple of commands to discover the IUSR and IWAM passwords. Open a command window. To see the IUSR password, run this command:

cscript.exe c:\inetpub\adminscripts\adsutil.vbs get w3svc/wamuserpass

To see the IWAM password, run this command:

cscript.exe c:\inetpub\adminscripts\adsutil.vbs get w3svc/anonymoususerpass

The output will be in double quotes. The double quotes are not part of the password.

7. Once you've retrieved your passwords, edit adsutil.vbs again and change False back to True. You don't want someone with malicious intent to learn these passwords.
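As a follow-up check for step 7, this added example (not part of the original post) reports whether a copy of adsutil.vbs still contains the If/Else block exactly as it is shown in step 3. The function name Get-SecureBranchState and the sample lines are constructed for illustration; the file path is the one given in step 1.

```powershell
# Added example: verify that adsutil.vbs was restored after the procedure above.
# Returns 'Stock'   if the block from step 3 is present unchanged,
#         'Changed' if IsSecureProperty is assigned but the stock block is not found,
#         'Missing' if no IsSecureProperty assignment exists in the text at all.
function Get-SecureBranchState {
    param([string[]]$Lines)

    # The block as shown in step 3 of the post (assumed to be the shipped form).
    $expected = @(
        'If (Attribute = True) Then',
        'IsSecureProperty = True',
        'Else',
        'IsSecureProperty = False',
        'End If'
    )

    # Collapse whitespace and drop blank lines so indentation does not matter.
    $norm = @($Lines |
        ForEach-Object { ($_ -replace '\s+', ' ').Trim() } |
        Where-Object { $_ -ne '' })

    # Look for the five stock lines as one consecutive run (case-insensitive).
    for ($i = 0; $i -le $norm.Count - $expected.Count; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $expected.Count; $j++) {
            if ($norm[$i + $j] -ine $expected[$j]) { $hit = $false; break }
        }
        if ($hit) { return 'Stock' }
    }

    if ($norm -match '^IsSecureProperty\s*=') { return 'Changed' }
    return 'Missing'
}

# Constructed samples (not a real adsutil.vbs): the stock block and an edited copy.
$stock  = 'If (Attribute = True) Then', '    IsSecureProperty = True',
          'Else', '    IsSecureProperty = False', 'End If'
$edited = $stock -replace 'IsSecureProperty = True', 'IsSecureProperty = False'

"stock sample : $(Get-SecureBranchState $stock)"
"edited sample: $(Get-SecureBranchState $edited)"

# Check the real file when it exists on this machine.
$path = 'C:\Inetpub\AdminScripts\adsutil.vbs'
if (Test-Path -LiteralPath $path) {
    "$path : $(Get-SecureBranchState (Get-Content -LiteralPath $path))"
}
```

A result of Changed on a server means the script should be compared against a known-good copy and restored.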

1 comment:

Jeroen said...

Note: the commands for the IUSR and the IWAM account have been switched. The IUSR is the anonymous user.