HOWTO: Rename the Computer running IIS6
Question:
Hi,
I have two web servers: one web server (w2k3Ent) with IIS 6.0 in a workgroup, and one identical web server in the domain. I now want to rename the server names of both, to comply with some policy. Will the IIS functionality be affected because the IUSR accounts will still be left with the old computer names? Can I go ahead and rename them as well?
Any Microsoft links and help is appreciated
Thanks,
Answer:
Well, if you are merely interested in Microsoft links on the question, then you should just search for them. I punched in "Rename IIS Computer Name site:support.microsoft.com" in my favorite search engine, and it came up with tons of hits. I trust you know how to do this yourself and sort through the noise - it is a necessary skill in this day and age.
By design, Microsoft support/troubleshooting links assume the user knows nothing, so they are optimized for keyword/pattern matching, which results in resolution steps that tell you HOW to resolve that pattern with little explanation of WHY. If you pattern match incorrectly, the resolution may not apply and may or may not harm you. If you do not follow the instructions correctly, the resolution may not apply and may or may not harm you.
What I am going to talk about are the details behind the scenes of what is going on because I trust that when someone understands the dependencies and what is actually going on, they can figure out how to do the right things themselves or even correctly react to unexpected things since everyone's system is unique.
Give a man a fish, and you feed him that night. Teach a man to fish, and he feeds himself forever.
About the Computer Rename...
IIS itself does not care about the name of the user accounts used for purposes like:
- Anonymous authentication - no, it does NOT mean that everyone automatically has access. See this blog entry for details.
- UNC Vdir Access
- Application Pool Identity
- COM+ Application Identity
Therefore, IIS definitely functions after renaming the computer. The question is whether all OTHER dependent applications running on or related to IIS are kosher with renaming the computer.
For examples of the hassles, see KB 234142 on renaming an NT4 server running IIS4 (I know, it is not applicable here, but you wanted details, right?)
Or, you may be running bad/broken applications which ASSUME that the username of the IIS anonymous user is based on the machine name (i.e. they assume the anonymous user's name is IUSR_<NewMachineName> instead of reading the value from IIS configuration). These applications will obviously be broken after the computer rename, and you will have to determine how to address that - either fix the application or change the anonymous user's name to match the broken assumption.
Now, if you DECIDE for whatever reason to rename the user accounts used by IIS after renaming the computer (remember, IIS does not need you to do anything), you need to be aware of how Windows user accounts work that can affect IIS behavior:
- If you create a NEW user account for use in IIS (as the anonymous user, for example), its SID will be DIFFERENT than the original anonymous user.
- Since files are ACL'd by SID and NOT by username, you will have to re-ACL files/directories EVERYWHERE to re-secure against anonymous access.
- You will also have to change IIS configuration to use the new user name since IIS stores and uses the username and NOT the SID for its user accounts.
- If you RENAME the existing user account in Windows to a new name, the SID stays the same, so you do not need to re-ACL anything... but you still need to change IIS configuration to use the new user name.
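As an added example, not one of David's scripts, the PowerShell below checks the SID point made in the list above: it resolves the old and new account names to SIDs to show whether a rename preserved the SID, lists the explicit NTFS ACEs under the web root that still reference the old account if it did not, and then reads the configured W3SVC AnonymousUserName through the IIS ADSI provider. The web root path and the account names are assumptions; it needs an elevated shell on the IIS 6 box with the IIS Admin service running.

```powershell
# Added example, not one of the scripts from the original post. Assumes PowerShell
# on the IIS 6 box, a web root at C:\Inetpub\wwwroot, and the account names below.
param(
    [string]$OldUser = "IUSR_$env:COMPUTERNAME",  # anonymous account name before the change
    [string]$NewUser = "New User Name",           # anonymous account name after the change
    [string]$WebRoot = "C:\Inetpub\wwwroot"       # assumed web root to scan
)

function Get-AccountSid([string]$Account) {
    # Resolve an account name to its SID string; $null if Windows no longer knows the name.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

function Find-AcesForAccount([string]$Path, [string]$Name, [string]$Sid) {
    # Walk $Path and return every explicit ACE whose identity is $Name or $Sid.
    # A deleted account shows up in Get-Acl only as its raw S-1-5-... string,
    # which is why the SID is compared as well as the display name.
    $items = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            $id = $ace.IdentityReference.Value
            if (($Sid -and $id -eq $Sid) -or ($id -like "*\$Name")) {
                New-Object PSObject -Property @{ Path = $item.FullName; Identity = $id;
                    Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
            }
        }
    }
}

$oldSid = Get-AccountSid $OldUser
$newSid = Get-AccountSid $NewUser
"Old name '$OldUser' -> SID: $oldSid"
"New name '$NewUser' -> SID: $newSid"
if ($oldSid -and ($oldSid -eq $newSid)) {
    "Same SID: the account was renamed in Windows, so the existing NTFS ACLs still apply."
} else {
    "Different or unresolvable SID: this is a new account; these ACEs still grant the old one:"
    Find-AcesForAccount $WebRoot $OldUser $oldSid | Format-Table Path, Identity, Rights, Type -AutoSize
}

# IIS 6 stores the account by name, not by SID, so check the configured name separately
# through the IIS ADSI provider (requires the IIS Admin service and an elevated shell).
$w3svc = [ADSI]"IIS://localhost/W3SVC"
"W3SVC AnonymousUserName is currently: $($w3svc.AnonymousUserName)"
```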
Some Helpful Scripts
Now, I do not have a script you can run as Administrator which re-ACLs files so that a second username gets the access a first username had... and I am not going to tackle that problem here because that is way outside the scope of IIS. Find your favorite batch/scripting support group for a solution to this one.
However, I do have a script named "RenameIISUser.bat" to do the IIS configuration changes from old name to new name. See the end of this blog entry.
For safety purposes, the script only displays what it will do. You can inspect the output to see if it is OK and then copy/paste the commands yourself, or you can remove SET DEBUG=ECHO to have the script take action.
I also have a script called SyncIISUser.bat that allows you to sync user account passwords in IIS configuration, assuming you know the username.
So, if you happen to rename the user account AND change its password, you can first run the script at the end of this blog entry to change the username in IIS configuration, and then run the other script to associate the new password with that username in IIS configuration.
For example, suppose you renamed IUSR_MachineName used for Anonymous Authentication to "New User Name" and also changed its password to "New Password". You would run the following commands, in order, to fix your IIS configuration:
RenameIISUser.bat Anonymous "IUSR_%COMPUTERNAME%" "New User Name"
SyncIISUser.bat Anonymous "New User Name" "New Password"
Enjoy.
//David
@IF ?%_ECHO%?==?? ECHO OFF
SETLOCAL
REM RenameIISUser.bat - change every Anonymous/WAM/UNC user name in IIS
REM configuration that matches "UserName" to "New UserName".
SET CMD_ADSUTIL=CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs
REM Safety: only ECHO the adsutil SET commands. Remove the next line to apply them.
SET DEBUG=ECHO
IF ?%1? EQU ?? GOTO :Help
IF ?%2? EQU ?? GOTO :Help
IF ?%3? EQU ?? GOTO :Help
SET PROPERTY_TO_FIND=
IF /I ?%1? EQU ?Anonymous? SET PROPERTY_TO_FIND=AnonymousUserName
IF /I ?%1? EQU ?WAM? SET PROPERTY_TO_FIND=WAMUserName
IF /I ?%1? EQU ?UNC? SET PROPERTY_TO_FIND=UNCUserName
REM Unknown first argument: show the syntax instead of searching an empty property
IF ?%PROPERTY_TO_FIND%? EQU ?? GOTO :Help
SET USERNAME_TO_MATCH=%2
SET NEW_PROPERTY_VALUE=%3
REM adsutil FIND lists every metabase path where the property is set; skip its header line
FOR /F "usebackq skip=1 tokens=*" %%I IN ( `%CMD_ADSUTIL% FIND %PROPERTY_TO_FIND%` ) DO (
    REM adsutil GET output has the quoted value starting at the 4th space-separated token
    FOR /F "usebackq tokens=3,* delims= " %%J IN ( `%CMD_ADSUTIL% GET "%%I/%PROPERTY_TO_FIND%"` ) DO (
        IF /I ?%USERNAME_TO_MATCH%? EQU ?%%K? (
            %DEBUG% %CMD_ADSUTIL% SET "%%I/%PROPERTY_TO_FIND%" %NEW_PROPERTY_VALUE%
        )
    )
)
ENDLOCAL
GOTO :EOF
REM
REM Display syntax
REM
:Help
ECHO %~n0 {Anonymous^|WAM^|UNC} "UserName" "New UserName"
ECHO.
ECHO Find all [Anonymous^|WAM^|UNC] user accounts matching "UserName" in
ECHO IIS configuration and change it to "New UserName"
ECHO.
Comments
Anonymous
May 01, 2006
Very good insight. Helps explain some issues I saw a long time ago when faced with this.
It does raise one question - (rhetorical?) Why does IIS store the username and not the SID? Or more generally, wouldn't it be better if all Microsoft apps were consistent and either used the SID or the username?
If there are reasons to not be consistent, then wouldn't it be better if the app itself had a "rename" function that would automatically sync everything back up? The app itself should be the best source of knowledge on how a rename affects things, so ideally the app itself should either self-configure reasonably to a rename or provide the facility to do so.
I'll admit it -- our "security" work is 90% to 95% figuring out how to get work when they should work or don't because of these kinds of complexity. Only about 5% of our work administering our servers is actually planning out security or making adjustments to tighten security, etc.
Don't know if we are typical, but I can understand why many admins are tempted to simply assign admin rights to everything.
Although security is fine-grained and multi-featured, there is so much complexity -- especially when looking at the system level across multiple apps (web, email, sharepoint, active directory, sql server, code-access-security, gac, etc. etc.) that it often seems that real security is lax because it is simply too complex to keep sorted out properly.
Sorry for the OT rambling but IIS is at the center of this with IIS security versus NTFS/ACL, anon accounts/web authentication versus NTLM/AD authentication, etc. etc. etc.
Anonymous
May 02, 2006
Robert - Well, the issue with User Identity is easy - which would you rather login with?
1. Robert
2. S-1-5-21-123456789-1234567890-123456789-1234
Most humans would say #1, even though computers need #2 to work with each other (i.e. there are many people called "Robert" in the world. Robert in my domain is most likely not the same "Robert" in your domain)
So, systems like IIS and even the FileSystem allow people to give input as Username. However, for unambiguity, it MUST use SID.
The issue of renaming User Principals in an Identification System is a classic computer systems design issue. As soon as the system allows distributed ACL lists tagged to each object, propagation of change becomes a nightmare no matter how you look at it.
Having Apps do the renaming is not really a solution -- the fundamental design affects all applications, so you telling me to have individual applications do their fixup is not a solution. It is barely a band-aid.
As for the issue surrounding complexity - while I agree that security is hard with all this complexity, I believe that users cause this difficulty by having a wide variety of requirements, none using the same system, yet demanding that they all work seamlessly. Variety and conflicting requirements are bound to make security a headache, and we can't help that. You can't make up your mind to make your life easier. ;-)
From my perspective, IIS is not at the center of any of these "problems" because it is perfectly content to NOT have custom authentication/authorization and just use NTFS ACLs and NT User Tokens.
But believe me, many users want to be able to login to IIS without NT User Tokens and deploy custom authorization scheme independent of Windows or NTFS. How do you plan on dealing with these users?
And here is the funny part:
1. To you, IIS allowing custom authentication/authorization on top of Windows-based mechanisms, along with every system having its own authorization mechanism makes security complex.
2. Meanwhile, users that want to use custom authentication/authorization simply think that Windows "complexity" gets in their way of building their own security system.
See the contradictions? And Microsoft has to make BOTH of you guys happy. And Honestly, I think both customer segments are mistaken:
1. If you guys just narrowed down your requirements, we can make a simpler and better system. But you guys all want to be special and have lots of different requirements, get upset at Microsoft for not covering your needs (even using thinly veiled threats of "Monopoly"), and when we give you what you want so that you have rope to hang yourself, you complain, too. I say bah, deal with the bed you make.
2. Users who think that Microsoft authentication/authorization is too complex for their needs and that they can build a "better" authentication/authorization system -- are 99.99% brazenly foolhardy. Who do you think will implement a truly secure system? Someone who thinks the existing system is too complex and that they can come up with something simple, or a group of security experts implementing publicly designed/diagnosed security protocols.
Security is and will always remain hard. We have problems with physical-world security. Software security is no less difficult.
//David
Anonymous
May 10, 2006
dave,
I did this and for some reason I still get after a re-boot the original IUSR_xxxx OS accounts being re-created.
Any thoughts? you can reach me at paul.thorn@yale.edu
/Paul
Anonymous
May 11, 2006
Paul - Can you clarify the exact sequence of steps that you performed?
//David
Anonymous
June 01, 2006
The comment has been removed
Anonymous
June 10, 2006
Phil - thanks. Just fixed the issue.
//David
Anonymous
November 25, 2008
Last week I was checking ASP.NET Forums as usual and I had answered a thread about renaming Windows Server
Anonymous
November 23, 2011
Why didn't MSFT just use an account called IUSR_LOCAL instead of including the server name. I know it's too late, but maybe next time round. Oops sorry. MSFT has to re-invent the wheel every time instead of improving things incrementally