too many accounts in local users group

[Sam samuels]

Greetings
under the local users group I have found an account "IUSR", Internet Guest
account,"Built-in account for anonymous access to Internet Information
Services". There is also an "IWAM" account (full name, Launch IIS Process
Account) "Built-in account for Internet Information Services to start out of
process applications." Even more puzzling use and "account
unknown"(S-1-5-21-789..........) which does not show up under the local
users group |but instead under the security tab of one of my physical
drives.

Are These accounts for real or can they be deleted?

TIA

Sam

 

[David Candy]

Cause they are for real, if using IIS one would not delete them.. The number is probably an account on another computer or a deleted account.

 

[Sam samuels]

Thanks David,
my first thought was that they may have been indicative of some sort of
hijack ware.

 

[David Candy]

You (or perhaps the manufacturer) installed IIS (web server). It's part of Pro but isn't installed automatically (as only developers would really use it).

 

[Sam samuels]

Okay and thanks.
I know this is getting a little bit off topic but I found these "extra"
accounts when exploring how to keep particular drives and subfolders
private.
With simple file sharing turned off I gather that all drives,C$ or whatever,
are always shared by default for "administrative reasons".
From what I can make out however, all contained directories have "sharing
on network" and "sharing on web" turned off by default. Is this correct?
Then is it just a matter of going into the Security tab under folder
properties to set permissions for local users\groups and allowing the parent
directory to dictate permissions to the child directories is so desired?
Thanks again play a help
Sam

 

[David Candy]

There are a number of special hidden (what the $ does) shares that allow only admins in. One can administer any XP computer from any computer on a network.

There are file permissions, and there are share permissions. I always set permissions on a file basis and allow shares to be everyone (cause they are all logged on users).

Because you have IIS installed it adds some of it's own permissions.

 

[Kelly]

Sam,

You are varying here.... and I have no idea what you are asking, but with
this:

With simple file sharing turned off I gather that all drives,C$ or
whatever,
are always shared by default for "administrative reasons".

Disable Recent Shares in Network Places

This restriction stops remote shared folders from being added to Network
Places whenever you open a document in the shared folder. Per User or Per
System

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]

Value Name: NoRecentDocsNetHood
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = track shares, 1 = disable tracking)

Second one: Go to Start/Run/Regedit and navigate to this key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\
Parameters

Value Name: AutoShareServer, AutoShareWks
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable shares, 1 = enable)

Create a new DWORD value of either 'AutoShareWks' for NT Workstation or
'AutoShareServer' for NT server. Then set the value to equal '0' to disable
automatic sharing. If the values already exist then modify them to change
the value.

Restart Windows and the automatic shares should not be created.

 

[Kelly]

Because you have IIS installed it adds some of it's own permissions.

Interesting, David. )




There are a number of special hidden (what the $ does) shares that allow
only admins in. One can administer any XP computer from any computer on a
network.

There are file permissions, and there are share permissions. I always set
permissions on a file basis and allow shares to be everyone (cause they are
all logged on users).

Because you have IIS installed it adds some of it's own permissions.

 

[Sam samuels]

There are a number of special hidden (what the $ does) shares that
allow only admins in. One can administer any XP computer from any
computer on a network.

Okay so long as you are a member of one of the administrators groups you can
sign in either locally all over the network, turn on hidden system files and
access them.

There are file permissions, and there are share permissions.

I think this is where I was or am confused. I figured you have physical or
logical drives etc, each containing files, and that you could either "share"
at the drive level or at the file level.XP doesn't seem to let you share the
drive I guess because you can screwup hidden system files by setting
inappropriate permissions at a root level. But what about nonsystem
partitions/drives such as a physical disk used for data only? These also
show up as eg D$ and must be shared.

I always set permissions on a file basis and allow shares to be everyone
(cause they are all logged on users).

Okay and thank you again
Sam

Because you have IIS installed it adds some of it's own permissions.

..

 

[David Candy]

Because C$ is already used you merely have to call it something other than C to share a drive. It's the default name of C for the share it doesn't like (someone programmed the default name of C into that dialog despite the fact it will nearly always be wrong on NT based systems). Call it CDrive.

Share permissions are irrelevent to a local machine 99% of the time (some functions use network calls to access files for some reason, probably laziness).

You set share permissions that apply to who can use this entry point. You set file or folder permissions to control who can access the files or folders.

Imagine a hotel. You get a key for the front door (share permissions) and a key to your room (file and folder permissions). You can't configure the front door key to open a room.

 

[Sam samuels]

Hi Kelly thanks to your reply......

Sam,

You are varying here.... and I have no idea what you are asking, but
with this:

Yes I apologised for wandering a bit off topic :-(.
I have a separate physical disk, D drive for data which I do not wish to
share with anyone. I right clicked it in "my computer", chose "do not
share" under the "share Tab" but XP insists that it must be shared and that
you cannot set permissions at this level. I noticed however that it appears
that the default behaviour of XP is to set all folders contained within any
drive to "not share on the network" and to "not share on the Web". Assuming
this to be the case I would then only have to worry about setting or
restricting access for the local users. I simply asked David Candy is it
just then a matter of going into the "Security tab" of the main folders
(directories) contained *within the drive* to set permissions for local
users\groups and allowing the parent directory to dictate permissions to the
child directories is so desired?

Disable Recent Shares in Network Places

This restriction stops remote shared folders from being added to
Network Places whenever you open a document in the shared folder.
Per User or Per System

<snip>

If I am following you here, this is a way to keep shared files restricted to
the local machine rather than across the network. I don't actually have a
problem with the files in the shared folder being accessed on the network
but thank you anyway.
Sam

 

[Sam samuels]

Thanks mate that makes sense
Cheers
Sam

Because C$ is already used you merely have to call it something other
than C to share a drive. It's the default name of C for the share it
doesn't like (someone programmed the default name of C into that
dialog despite the fact it will nearly always be wrong on NT based
systems). Call it CDrive.

Share permissions are irrelevent to a local machine 99% of the time
(some functions use network calls to access files for some reason,
probably laziness).

You set share permissions that apply to who can use this entry point.
You set file or folder permissions to control who can access the
files or folders.

Imagine a hotel. You get a key for the front door (share permissions)
and a key to your room (file and folder permissions). You can't
configure the front door key to open a room.