Should Anonymous access be enabled, or disabled in IIS for Notification Server and the Symantec Management Platform?

Article ID: 180599

Products

Management Platform (Formerly known as Notification Server)

Resolution

Question
I've recently been requested to tighten security in our systems and want to know more about how Altiris uses Anonymous Access in their products. I've noticed that the IUSR account is being used. Is this necessary or can it be disabled? Do the Altiris solutions require Anonymous Access to be enabled in IIS to function?

Answer
There are really three parts to the answer:

  1. Console access and functionality require Anonymous access to be disabled.

    Simply put, everything in IIS that belongs to the console is protected by role- and scope-based security, and that security can only be evaluated against an authenticated Windows identity. If anonymous access is enabled on those paths, requests arrive as the IUSR account instead of a real user, the role/scope checks are bypassed, and console operations fail. For every virtual directory and folder in IIS that is part of the console, the authentication settings must therefore include only Windows authentication, so that a valid user account can be determined and the appropriate access applied. Remove anonymous access, and any other scheme, from these virtual folders.
     
  2. File and policy access (for example, packages) prefers Anonymous access to be enabled.

    Because most clients have no role defined in Altiris, they generally use anonymous access to reach files and policies and to post their information to the Notification Server. In general this covers the NSCap folder and everything beneath it, though other folders may be involved as well: this is where policies are published, where agent installation packages are picked up, and where software packages are downloaded by the client. Integrated Windows authentication can also work here, provided IIS is able to authenticate the client's account, but it is generally not recommended.
     
  3. Many folders can use either, but work best with Anonymous enabled.

    Many other virtual folders for products such as Patch Management and Task Management accept either integrated or anonymous authentication. By default, however, the agents often try anonymous access first and only then fall back to integrated security. With anonymous disabled, IIS does two or three times the work for each request: one or two responses denying the anonymous attempt, then a final request allowed through integrated Windows security. Enabling Anonymous access on these folders therefore avoids unnecessary failures and saves IIS work.
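The split described above (Windows-only on console paths, anonymous on the agent/package tree) is easiest to keep honest with a script that audits the per-directory authentication settings and, on request, corrects drift. The following PowerShell is an added example for this article, not Altiris/Symantec code. It assumes an elevated PowerShell on the Notification Server with the WebAdministration module (IIS 7 or later); the site name and the two virtual-directory paths in $Policy are placeholders, so list the real ones with Get-WebApplication and Get-WebVirtualDirectory before running it with -Apply.

```powershell
# Added example for this article; not Altiris/Symantec code.
# Audits (and, with -Apply, corrects) IIS authentication per virtual directory so that
# console paths use Windows authentication only and agent/package paths keep
# anonymous access enabled. Run from an elevated PowerShell on the NS server.
# ASSUMPTIONS: the site name and the paths in $Policy are placeholders; confirm the
# real ones with Get-WebApplication / Get-WebVirtualDirectory before applying.
param([switch]$Apply)

Import-Module WebAdministration

$Site     = 'Default Web Site'                               # assumption
$AuthBase = '/system.webServer/security/authentication'

# Desired state per path. $null means "leave that scheme as it is".
$Policy = @(
    # Console: role/scope security needs a real Windows identity, so no anonymous.
    @{ Path = "$Site/Altiris/Console"; Anonymous = $false; Windows = $true }   # assumed path
    # Agent/package tree (NSCap and below): anonymous on so agents avoid the 401 retry.
    @{ Path = "$Site/Altiris/NSCap";   Anonymous = $true;  Windows = $null }   # assumed path
)

# Read the effective anonymous/Windows settings for one path.
function Get-AuthState {
    param([string]$Path)
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path `
                -Filter "$AuthBase/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path `
                -Filter "$AuthBase/windowsAuthentication"   -Name enabled
    [pscustomobject]@{ Path = $Path; Anonymous = [bool]$anon.Value; Windows = [bool]$win.Value }
}

# Write one scheme's enabled flag into a <location> tag in applicationHost.config.
function Set-AuthScheme {
    param([string]$Path, [string]$Section, [bool]$Enabled)
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path `
        -Filter "$AuthBase/$Section" -Name enabled -Value $Enabled
}

# Compare the current state against $Policy and return one finding per drift.
function Test-AuthPolicy {
    $findings = @()
    foreach ($rule in $Policy) {
        $state = Get-AuthState -Path $rule.Path
        foreach ($scheme in 'Anonymous', 'Windows') {
            $want = $rule[$scheme]
            if ($null -eq $want -or $state.$scheme -eq $want) { continue }
            # Anonymous left on for a console path means role/scope security is bypassed.
            $severity = if ($scheme -eq 'Anonymous' -and -not $want) { 'HIGH' } else { 'MEDIUM' }
            $findings += [pscustomobject]@{
                Path = $rule.Path; Scheme = $scheme
                Current = $state.$scheme; Wanted = $want; Severity = $severity
            }
        }
    }
    $findings
}

$drift = Test-AuthPolicy
if (-not $drift) { Write-Host 'All paths match policy.'; return }
$drift | Format-Table -AutoSize

if ($Apply) {
    foreach ($f in $drift) {
        $section = if ($f.Scheme -eq 'Anonymous') { 'anonymousAuthentication' } else { 'windowsAuthentication' }
        Set-AuthScheme -Path $f.Path -Section $section -Enabled $f.Wanted
        Write-Host "Set $section enabled=$($f.Wanted) on $($f.Path)"
    }
}
```

Run it without arguments first to get the drift table; a HIGH finding is a console path still accepting anonymous requests, which is the case the article says breaks role/scope security. The writes go through -PSPath 'IIS:\' with -Location, which stores the setting in applicationHost.config location tags the same way IIS Manager does, rather than in a per-directory web.config that the server-level lock on the authentication sections would reject. After applying, re-run without -Apply and confirm the table is empty, then check that the console still prompts for or accepts a Windows logon and that an agent can still download from the NSCap tree.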