IIS Server Security >> Problems with Administrator users

by Rane Bowen » Thu, 11 Dec 2003 04:51:11 GMT

Hi.

I hope that I am posting to the correct group and that someone can provide
me with some clues with a particular problem we are having.

First some background:
Our document management system uses iis with a custom isapi filter. The
user (after authenticating via ntlm) is presented with a list of documents
that they have security access to. The access to documents is defined by
the actual access a user has to the document with its file system security
(on the server).
If a user wishes to access the metadata of a document via the web browser,
the isapi filter reads the security from the document within the file
system, and determines whether the user has access to the metadata
properties of the document. If the user has access to the document, the
user should have access to its properties.

The problem we are having is restricted to an active directory environment.
If a user is a member of the 'domain admins' or 'administrators' groups, and
a document has an acl that does not contain the 'everyone' trustee, but does
contain another group that the user is a member of, strange things start to
happen.
Users will be able to fetch the 'object' that contains the document
properties, but are denied access to the properties themselves (which should
never happen). This can be fixed by granting the 'domain admins' group full
control over the document, but does not really solve the problem.

I hope this explanation of our problem makes sense, and that someone can at
least poke me in the right direction.

Cheers!




IIS Server Security >> RE: Problems with Administrator users

by adavis » Fri, 12 Dec 2003 01:31:10 GMT


Rane,

This sounds like a permissions problem. Try using Regmon or Filemon to
determine where the permissions problem is.
These tools can be downloaded here: http://www.sysinternals.com/

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks!
~Andrew Davis
Microsoft PSS Security





IIS Server Security >> Problems with Administrator users

by Rane Bowen » Wed, 17 Dec 2003 11:24:41 GMT

Thanks for that - It looks like we were getting denied on the 'NT
AUTHORITY\NETWORK SERVICE' group(?).
I added this to the acl of a document where I was getting the error, and it
appeared to work.
I could not find a reasonable explanation of what this group actually is.

Could anyone point me at some good resources?

Cheers.

Rane.
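
NT AUTHORITY\NETWORK SERVICE is a built-in service account (well-known SID S-1-5-20) and the default identity of IIS 6.0 application pools. The sketch below is an added example, not code from the thread or from the poster's ISAPI filter: it models ordered DACL evaluation to show how an ACL without 'Everyone' can grant an authenticated user through a group while still denying that account. The user and group SIDs are constructed, the token group lists are simplified, and owner rights and privileges are ignored.

```python
from dataclasses import dataclass

FILE_READ_DATA = 0x0001          # Windows file access-right bits
FILE_READ_ATTRIBUTES = 0x0080
READ = FILE_READ_DATA | FILE_READ_ATTRIBUTES

EVERYONE = "S-1-1-0"             # well-known SIDs
AUTHENTICATED_USERS = "S-1-5-11"
NETWORK_SERVICE = "S-1-5-20"
ADMINISTRATORS = "S-1-5-32-544"
DOC_READERS = "S-1-5-21-1111-2222-3333-1105"  # constructed group SID
USER = "S-1-5-21-1111-2222-3333-1104"         # constructed user SID

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # trustee the ACE applies to
    mask: int     # access bits the ACE covers

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order: a matching deny on a still-needed bit fails the
    check, matching allows accumulate, anything left over is denied."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # implicit deny: no ACE granted the remaining bits

# Simplified token contents (assumption): the authenticated admin user and
# the account the web server process runs as.
TOKENS = {
    "admin user": {USER, DOC_READERS, ADMINISTRATORS, EVERYONE, AUTHENTICATED_USERS},
    "NETWORK SERVICE": {NETWORK_SERVICE, EVERYONE, AUTHENTICATED_USERS},
}
# ACL shaped like the one in the thread: no 'Everyone', one group grant.
THREAD_DACL = [Ace(True, DOC_READERS, READ)]
# The change the poster made: NETWORK SERVICE added to the ACL.
FIXED_DACL = THREAD_DACL + [Ace(True, NETWORK_SERVICE, READ)]

def denied_identities(dacl, desired=READ, tokens=TOKENS):
    """Names of the identities whose token fails the check for this DACL."""
    return sorted(n for n, sids in tokens.items()
                  if not access_check(sids, dacl, desired))

if __name__ == "__main__":
    print("before:", denied_identities(THREAD_DACL))
    print("after: ", denied_identities(FIXED_DACL))
```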





Similar Threads

1. Administrator and isolated users

2. ftp access with user account (and not Administrator )

hello, 
i tried for hours to get ftp access to a windows 2003 server machine
with the iis. i created a user account 'username' and a virtual
directory in the iis, with no anonymous access allowed. so far so
good. in windows explorer i connected to that server and the login
window opened. so when i put in 'Administrator' which is local and his
password, everything is ok.
it was also possible to enter with a domain account from the domain
(e.g. domain.dom\userxy and the password) to which this server is
connected. good. but when i tried to pass with 'username' and its
password it failed.
the solution was: i had to put Computername\username and the password,
then it works. the local Administrator account seems not to need that
'Computername\' before the 'Administrator'. why not?
greetings franc

3. How to Allow non administrator user to view IIS configuration

4. Administrator vs power user question !

Hi There

Just a little question for u skilled people !!

I have an interesting challenge with user rights for IIS.

The thing is that if I run an ASP page on the English version on a Windows
2K sp3/4 there seems to be no problem for either Administrator or Power
User. If I however try the exact same on a German Win 2K sp3/4, Only the
Administrator has access, the "HauptBenutzer"/Power User does not !!!

If I try the \WINNT\Help\iisHelp\iis\misc\default.asp it works on both PCs
and for both user types.

Any hints or help are greatly appreciated

TIA.

Allan Bentsen


5. IIS, CGI environment, Mirroring local administrator to domain Administrator on Domain Controller - IIS Server Security

6. Anonymous user account has to be in administrators group

7. IIS problem after administrator is disabled

8. Sharepoint Administrator Problem

I have a 2003 server with FPSE 2002.  The server currently has a number of 
web sites, differentiated by host headers.  The problem I have is with the 
most recently created web site.  I created the site and was able to extend it 
using SPA, but I can't add an author.  The "Manage Users" page pops up no 
problem, but when I enter the Domain/Username, specify the role and click 
submit, the page just sits there doing nothing.  This holds for every other 
action I try, but just on this one site.  All the others work just fine.  I've 
removed and re-added extensions, still no luck.  I've even removed 
extensions, removed the website, deleted its home directory and completely 
recreated from the ground up.  Same problem and again, only on the one site.  
Has anyone got any ideas how to resolve this?

Mike Mize
CSU, Fresno