I recently discovered a very strange thing. I am running HP SIM (System Insight Manager) on one box, which tracks several data from systems and PCs on the network. For contact to Windows systems a WMI-Mapper by the Opengroup running on a single PC is used to convert WMI information to WBEM information, which are distributed via an IIS instance running as DefaultAppPool. Before upgrading to SP1 only the PC running the mapper had a DefaultAppPool user-profile. Now since the upgrade to SP1 the DefaultAppPool virtual user account has been added to the remote PCs and even a user profile for this user was created. But what struck me really, is, that this user was now able to add himself to several user rights settings on the local security policy of the remote PC. I have the impression, that this could be a major security hole. The WMI-Mapper itself is not a security problem for me, as it just does, what it shall do - but as the DefaultAppPool virtual user account is ubiqituos on all Windows machines it should not be able to change security settings at all. Wolfgang

Hi, Based on my understanding, you must setup a domain user for the scan tools or monitor tools, then they will use this account to scan the remote computers to collect the information. The almost these tools will create the profile on the local computer. But I do not know what is meaning of the virtual user account? please clarify and provide the detailed information. Meantime, I assume this tool should use a domain account which have enough rights to scan the remote computers so that the account can modify the user rights. Because this is an HP’s tool and I do not know what kind of method or behavior it used, so I suggest that it is better to contact the HP support for assistance.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Juke Chou wrote: Hi, Based on my understanding, you must setup a domain user for the scan tools or monitor tools, then they will use this account to scan the remote computers to collect the information. The almost these tools will create the profile on the local computer.  But I do not know what is meaning of the virtual user account? please clarify and provide the detailed information. Meantime, I assume this tool should use a domain account which have enough rights to scan the remote computers so that the account can modify the user rights.  Because this is an HPs tool and I do not know what kind of method or behavior it used, so I suggest that it is better to contact the HP support for assistance. There is no problem in the function of the tools. But what I find strange - or a security hole - is the fact, that this virtual user (the concept and naming are a Microsoft thing), which is found on every MS IIS installation is able to access remote machines and change local security settings on the remote machine if you are running Win7 SP1. This is not the fact with Win7 without SP1 nor with WinXP nor W2K. Fortunately this user is unable to change settings, which are defined in domain group policies, but maybe only due to the fact, that we don't have a W2008SP1 server. Wolfgang

Hi, I am not very familiar with this HP's tool. But based on my understanding, the user account which can change the remote security settings must have the privilege. So I still suggest to contact the HP support to find out the behavior of this tool. this can let you know more detail and why the profile to be created. Regarding the IIS, you may try to post the thread at http://forums.iis.net/. Thanks.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.