security

IIS security practices

Microsoft's Internet Information Server (IIS) uses a local computer account, IUSR_servername, to provide access to the filesystem and other resources for anonymous web users. We've had some problems getting the permissions correct for this account.

I'd like to propose the following scheme, based on the recommendations from Microsoft's IIS 6.0 Security Best Practices.

OSSEC

Neal from SnC asked me to take a look at some software he's thinking about using for intrusion detection.

It's called "OSSec" and you'll find more about it at http://www.ossec.net/

He's also talking about setting up a syslog server that we can use to collect authentication traps and possibly other information.

OIT_SHS OU changes in WolfTech

I've done some changes to the ISO_SHS container in the WolfTech active directory.

First off, I've created a managed group named "WT-ISO-Infrastructure Systems Operations Staff" that contains all of the ISO staff according to GuardDog. This group should get updated nightly, so as staff changes it will automatically update itself.

The Wolftech managed group tool is at https://www.wolftech.ncsu.edu/wtmg/index.php

Secondly, I've added this group to the "ISO_Users" and "ISO_SHS_Users" groups.

Setup for any unity user to be able to add workstations to the domain

The unity.ad domain was set up so that any authenticated user can "add a workstation to the domain".

Adding a workstation to the domain means that a computer account is created (a "service principal" in Kerberos-speak), which allows the domain controllers and workstations to authenticate each other and set up a secure cryptographic channel for private communications. The workstation can then accept policies, including those that set security settings, and allow logins for accounts held in the domain.