Identity Report

Two utilities that give you a sense of who you are

Network security configuration and testing often require an answer to the question, "Which account am I logged on as?" Let's take a look at two utilities—Whoami and w3who.dll—that answer that question when you're logged on locally and when you're connected through the Web.

Whoami is available in the Windows XP and Windows 2000 Support Tools. Open a command line—or instruct the user to open a command line—and type

whoami

A typical response looks like this:

BIGFIRM\al

Whoami reports the account name in the Windows NT 4.0 style (i.e., domainname\username), even if you're running Active Directory (AD). Of course, you can determine such account information in other ways. For example, you can simply press Ctrl+Alt+Del to access the Security dialog box. However, a benefit of Whoami is that you can redirect output to a file, making the command useful not only on the computer you're interacting with but also in batch files or script files.

In the past couple of years, I've spent much time securing my Web server. However, whenever I apply the latest patch to further lock down Microsoft IIS, I wonder whether I've just applied a patch that's so secure that my customers can't access my Web site. Every time I restrict the IUSR account, I need to somehow enumerate what the IUSR account can and can't do: Of which groups is the IUSR account a member? What rights does the IUSR account have? Am I actually logged on to the Web site as IUSR?

On a few occasions, I've locked down my Web site too tightly, but I didn't realize I had done so because when I tested my newly secured Web server, I authenticated to the Web server as a domain administrator. Everything worked fine because obviously the domain administrator account had plenty of rights and permissions—but typical IUSR visitors were locked out. What I needed was a version of Whoami for the Web.

At a recent Windows and .NET Magazine LIVE! conference, I mentioned my need to Brett Hill (aka the IIS Answer Man). Brett told me about w3who.dll, which is available in the Microsoft Windows XP Professional Resource Kit, the Microsoft Windows 2000 Server Resource Kit, or for free download from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/w3who-o.asp. After you obtain the file, copy it to the directory that contains your Web content.

Try running w3who.dll by simply starting your browser, pointing it to your URL, and adding /w3who.dll. For example, suppose you work for the company www.bigfirm.biz and place w3who.dll in its Web server's home directory. You could then go to http://www.bigfirm.biz/w3who.dll and view a screen that describes current security access.

This method might not work, however. Instead of a page that details your security context, your browser might acknowledge an attempted download and ask where you would like to save the file. The cause is that IIS serves w3who.dll as a static file, rather than running it as an ISAPI extension, unless the Web site has Execute permissions set to Scripts and Executables.

If you've never configured IIS permissions, here's what you need to do next. Open Start, Programs, Administrative Tools, Internet Services Manager and navigate to Default Web Site under Internet Information Server. Right-click Default Web Site and choose Properties, then select the Home Directory tab. The Execute Permissions drop-down list near the bottom of the page has three settings: None, Scripts Only, and Scripts and Executables. The w3who.dll file needs the Scripts and Executables permission to run.

I'm not recommending that you change your Web site's home-directory permissions to Scripts and Executables, which is the least secure setting. Instead, create a directory inside your Web home directory (call it \whoami) and place w3who.dll in that directory. Then, inside Internet Services Manager, right-click the \whoami directory and choose Properties. On the Directory tab, you can set the Execute permissions to Scripts and Executables for only the \whoami directory. Using this method, you won't loosen permissions on your Web site's home directory. You can then invoke w3who.dll as http://yoursitename/whoami/w3who.dll without trouble.
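As an added check (my own example, not code from the article or from Microsoft), the following PowerShell script reads the same Execute permission bits from the IIS metabase and warns if the home directory is set to Scripts and Executables or if the \whoami directory is not. It assumes the IIS 5/6 ADSI provider, that site ID 1 is the Default Web Site, and that the \whoami directory already has its own metabase key (Internet Services Manager creates one when you change its properties).

```powershell
# Added example: audit Execute permissions for the Default Web Site home
# directory and the \whoami subdirectory via the IIS metabase (ADSI).
# Assumptions: IIS 5/6 ADSI provider; site ID 1 is the Default Web Site.

function Get-ExecuteSetting {
    param([string]$MetabasePath)   # e.g. IIS://localhost/W3SVC/1/ROOT
    $node = [ADSI]$MetabasePath
    # AccessExecute and AccessScript are the two flags behind the
    # "Execute Permissions" drop-down in Internet Services Manager.
    if ($node.AccessExecute) { return 'Scripts and Executables' }
    elseif ($node.AccessScript) { return 'Scripts Only' }
    else { return 'None' }
}

$homeDir   = 'IIS://localhost/W3SVC/1/ROOT'   # Default Web Site home directory
$whoamiDir = "$homeDir/whoami"                # directory holding w3who.dll

$homeSetting   = Get-ExecuteSetting $homeDir
$whoamiSetting = Get-ExecuteSetting $whoamiDir

"Home directory : $homeSetting"
"\whoami        : $whoamiSetting"

if ($homeSetting -eq 'Scripts and Executables') {
    Write-Warning 'Home directory allows executables; limit Scripts and Executables to \whoami.'
}
if ($whoamiSetting -ne 'Scripts and Executables') {
    Write-Warning '\whoami lacks Scripts and Executables; w3who.dll will be offered as a download.'
}
```

Run it after making the change in Internet Services Manager; the expected result is Scripts Only (or None) for the home directory and Scripts and Executables for \whoami, with no warnings.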
