IIS Server Security >> restricting access in IIS6 with NTFS

by R0NG » Mon, 22 Aug 2005 21:50:17 GMT

Hi,

I am trying to restrict a simple html web page (no written security around
it) to a subset of the domain users. In IIS, I have de-selected the Anonymous
User and selected Win Integrated.

For folder permissions where the html page is located, I have an Admin group
and a User group. The User group contains NT Authority/Authenticated Users
(S-1-5-11), NT Authority/Interactive(S-1-5-4) and a list of users that will
be allowed access.

When I try to have someone not in the list of specific users, they can bring
up the page. Is this b/c of the NT Authority/Authenticated Users (S-1-5-11),
NT Authority/Interactive(S-1-5-4)? Does this allow all users on the domain to
access the page? And if so, can I remove them?

Thanks,
GCF



by David Wang [Msft] » Tue, 23 Aug 2005 04:11:52 GMT


This really isn't an IIS question. It's a basic Windows ACL question.

If you want to restrict access to a resource to a certain subset, then you
should only have the ACLs for that subset on the resource.

In your case, it is "Authenticated Users" that is allowing additional users
access. Interactive relates to how a user logged onto the server; IIS does
not use interactive logon.

However, if a user that is NOT in that subset can log onto the server
machine itself, they will have access to the content. This is why physical
security is also important for a server...

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
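
An added example, not part of either poster's message: an audit of a content folder's ACL for the two broad principals named in this thread, found either as direct entries or as members of a local group that is on the ACL. The folder path and the `-Fix` switch are assumptions for illustration, and the script assumes Windows PowerShell 5.1 or later for `Get-LocalGroupMember`.

```powershell
# Added example. $Path is a hypothetical content folder; change it before running.
param(
    [string]$Path = 'C:\Inetpub\wwwroot\restricted',
    [switch]$Fix   # hypothetical switch: also remove explicit ACEs for the broad SIDs
)

# Well-known SIDs from the thread that match far more than a named user list.
$broad = @{
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
}
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl = Get-Acl -LiteralPath $Path

# Walk explicit and inherited rules, with identities returned as SIDs.
$findings = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $sid = $rule.IdentityReference

    if ($broad.ContainsKey($sid.Value)) {
        [pscustomobject]@{ OnAcl = $sid.Value; Grants = $broad[$sid.Value]
                           Via = 'direct ACE'; Inherited = $rule.IsInherited }
        continue
    }

    # A local group on the ACL may itself contain a broad principal, which is
    # the situation in the question. Only local groups are expanded here;
    # user SIDs and domain groups return nothing and are skipped.
    foreach ($m in Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue) {
        if ($broad.ContainsKey($m.SID.Value)) {
            [pscustomobject]@{ OnAcl = $sid.Value; Grants = $broad[$m.SID.Value]
                               Via = 'group membership'; Inherited = $rule.IsInherited }
        }
    }
}
$findings | Format-Table -AutoSize

if ($Fix) {
    # PurgeAccessRules removes explicit rules only; inherited entries must be
    # fixed on the parent folder, and group membership is left to the admin.
    foreach ($s in $broad.Keys) { $acl.PurgeAccessRules($sidType::new($s)) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}
```

A row with `Via = group membership` means the group itself needs its membership trimmed; removing ACEs from the folder will not change who that group admits.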



by R0NG » Tue, 23 Aug 2005 09:03:02 GMT

Sorry if I posted in the wrong forum, but you answered my question and we
have solved the problem. Thanks!






