IIS Server Security >> IIS User Right

by RmVsaXg » Tue, 07 Feb 2006 23:38:32 GMT

On the IIS (Windows Server 2003) I have a website which allows anonymous
access and basic authentication. For one directory on this website I
disabled the anonymous access and in the directory security I refused the
right to the IIS guest account. Now, as I wanted, a user has to sign
in before reading the content of this directory. But every user with an
account in the domain can log in, although only administrators, interactive,
network, network service have rights to read the directory. What did I
do wrong? I only want to give specific users the right to read this
web-directory. Many thanks for your help!


by Tom Kaminski [MVP] » Wed, 08 Feb 2006 00:03:15 GMT

What other NTFS permissions are assigned to the folder?

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools , scripts, and utilities for running IIS





by Miha Pihler [MVP] » Wed, 08 Feb 2006 00:03:49 GMT

Hi,

IIS will always honor the NTFS permissions. If you set the permissions right,
only users that you set up will have access to that folder (I guess your
users still inherit read permissions from somewhere)...

My suggestion would be to create a new group and allow this group read access
(or some other permission if this group of users needs it). Now remove all
other groups' and users' permissions from this folder (except maybe
Administrators if you want to allow them access to the files).

--
Mike
Microsoft MVP - Windows Security







IIS User Right

by RmVsaXg » Wed, 08 Feb 2006 00:26:32 GMT

NTFS Permissions are set to administrators, IIS_WPG, interactive, Network,
Network Service AND System with full access and the IUSR_IIS1 all denied.





IIS User Right

by RmVsaXg » Wed, 08 Feb 2006 00:28:26 GMT

The only NTFS Permissions are set to administrators, IIS_WPG, interactive,
Network, Network Service AND System with full access and the IUSR_IIS1 all
denied.





IIS User Right

by Miha Pihler [MVP] » Wed, 08 Feb 2006 00:31:47 GMT

Hi,

As suggested. Remove everything but Administrators and your new group that
will contain users that are allowed to have access to this site.

--
Mike
Microsoft MVP - Windows Security








IIS User Right

by v-yren » Wed, 08 Feb 2006 11:14:08 GMT

Hi,

Thanks for posting!

For the current issue, as Tom and Mike mentioned, the permissions for
IIS depend on the NTFS permission settings for the current folder. I
suggest you remove the IIS_WPG and Network Service account and add the user
account which is allowed to access the current folder. Then the other users
cannot access the current folder since they don't have permission.

Thanks for your understanding!

Regards,

Yuan Ren [MSFT]
Microsoft Online Support



IIS User Right

by Tom Kaminski [MVP] » Thu, 09 Feb 2006 21:45:55 GMT

Additionally, I prefer to not even list IUSR when I want to deny anonymous
access.
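
Added example, not part of the thread or written by any of its posters: a PowerShell audit of the folder ACL for the situation discussed above. INTERACTIVE and NETWORK are well-known identities placed in a user's token according to logon type, so an Allow entry for them matches any domain account that authenticates, which is why the replies recommend a dedicated group. The folder path and group name are placeholders.

```powershell
# Added example. $Path and $Group are placeholder values, not taken from the thread.
param(
    [string]$Path  = 'D:\Inetpub\wwwroot\private',   # hypothetical protected folder
    [string]$Group = 'EXAMPLE\WebPrivateReaders',    # hypothetical group of allowed users
    [switch]$Apply                                   # without -Apply the script only reports
)

# Well-known SIDs whose Allow ACEs match many or all authenticated users.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-2'      = 'NETWORK'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadAllowAce {
    param([string]$Folder)
    foreach ($ace in (Get-Acl -LiteralPath $Folder).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                         # account no longer resolves
        $name = $broad[$sid]
        if (-not $name -and $sid -match '^S-1-5-21-.+-513$') { $name = 'Domain Users' }
        if ($name) {
            [pscustomobject]@{ Identity = $name; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

Get-BroadAllowAce -Folder $Path | Format-Table -AutoSize

if ($Apply) {
    # Build a fresh DACL that does not inherit from the parent and contains only
    # Administrators and the dedicated group, as the replies suggest.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)      # block inheritance, keep no inherited ACEs
    $grants = [ordered]@{ 'BUILTIN\Administrators' = 'FullControl'; $Group = 'ReadAndExecute' }
    foreach ($who in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, $grants[$who], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}
```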



