
Windows Server Forum / IIS / IIS Security / August 2006


Intranet Security

Peter W. Caton - 22 Aug 2006 16:04 GMT
Here is what I want to do with IIS on a Windows 2003 server.  The server is a
part of our domain.

I have a basic Intranet troubleshooting website set up in IIS.

I want to limit access to a specific group of Active Directory users.  In
other words, AD users 1, 2, 3 can access the intranet website, all other
users are denied.

How can I accomplish this?

I should also note that I am rather new to IIS, so the more detail you can
provide, the better.

Thanks.
Miha Pihler [MVP] - 22 Aug 2006 16:49 GMT
Hi,

Well, this is usually quite simple. Remove Anonymous access on IIS for this
website or folder (if you haven't done so yet). Now what you need to do is
set up NTFS permissions on the folder where your files are stored so that only
users 1, 2 and 3 can access it (and e.g. administrators). If you remove everyone
else (e.g. Everyone group, Domain Users group, ...) from the permission list,
users will get prompted for username and password (if you select basic
authentication) before they are granted access to the files.

Note: if you select basic authentication in IIS and you don't set up SSL,
username and password are transferred in clear text from client to server.

Signature

Mike
Microsoft MVP - Windows Security

> Here is what I want to do with IIS on a Windows 2003 server.  The server
> is a
[quoted text clipped - 12 lines]
>
> Thanks.
Peter W. Caton - 22 Aug 2006 17:04 GMT
Thanks for your reply.

For some reason, this does not work.

I have the website pointing to a network share on another server.

The network share only allows users 1, 2, 3.

If I log in as one of the users who should not have access to this share and
try to access the share, I am denied.  So I know the permissions are working.

However, if I am logged in as a user who should not have access to the site
and type in the server's name in IE, I can access the webpage, no problem.

I have also tried moving the files to a folder on the IIS server.  Same
thing happens.

I do have anonymous access disabled.

For authenticated access, I have tried every combination of access, Windows
Integrated, Digest Authentication, and one of two things happens.  One, I am
prompted for a username and password.  But no matter what username and
password I enter, I am denied access.  Two, I can access the site using any
AD user.

Any other thoughts?

> Here is what I want to do with IIS on a Windows 2003 server.  The server is a
> part of our domain.
[quoted text clipped - 11 lines]
>
> Thanks.
Miha Pihler [MVP] - 22 Aug 2006 17:44 GMT
Can you post every object (user or group) that is assigned any permission on
the folder _and_ share where the files are?

Signature

Mike
Microsoft MVP - Windows Security

> Thanks for your reply.
>
[quoted text clipped - 46 lines]
>>
>> Thanks.
Peter W. Caton - 22 Aug 2006 17:57 GMT
The share that IIS is redirected to is set up as follows:

Permissions: Authenticated users have Full, Change, Read
Security: Staff Users (group with staff accounts) have Read, Write
Domain Admins Full Control

But when I log in as an AD user account that is not in either one of these
groups, I can still access the website.

> Thanks for your reply.
>
[quoted text clipped - 38 lines]
> >
> > Thanks.
Miha Pihler [MVP] - 22 Aug 2006 19:58 GMT
Hi,

Your users are granted access via "Authenticated Users". Any user that has a
valid username and password is automatically an authenticated user and your
current settings give him/her full access.

Signature

Mike
Microsoft MVP - Windows Security

> The share that IIS is redirected to is setup as follows
>
[quoted text clipped - 58 lines]
>> >
>> > Thanks.
Peter W. Caton - 22 Aug 2006 22:03 GMT
Just to clarify:

If I try to access the share via Windows when I am logged in under a
restricted user, I am denied.

But you're saying that because I have permissions set up as Authenticated
Users, IIS allows this restricted user to view the website?

Before writing the newsgroup, I also tried the following:

Add the website files on the local IIS server.  Set the permissions to only
allow Staff Users and Domain Admins.

When I log in as a restricted user, I can still access the website.

This just doesn't add up-

> Hi,
>
[quoted text clipped - 64 lines]
> >> >
> >> > Thanks.
Miha Pihler [MVP] - 22 Aug 2006 23:13 GMT
No, it doesn't, but IIS will always honor NTFS permissions. For anything else
I just don't have enough information.

Remove everything from permissions except those users that need access and
e.g. Administrators group. Don't use other groups unless necessary (e.g.
don't use Domain Users, Authenticated Users, ...).
You can also use the Effective Permissions tab on your files in your data folder
where you are setting NTFS permissions to figure out what kind of
permissions a user will have on the data.

How are share permissions set up?

My suggestion would be to first make this work on the IIS server (move data to
the IIS server). Once it works on the IIS server, start playing with access over
shares.

Signature

Mike
Microsoft MVP - Windows Security

> Just to clarify:
>
[quoted text clipped - 90 lines]
>> >> >
>> >> > Thanks.
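
An added example, not part of any post in this thread: a PowerShell audit of the NTFS ACL on the site's content folder that flags the broad groups named above (Everyone, Authenticated Users, Domain Users), including entries inherited from a parent folder. The default path is a placeholder, and the script reads NTFS permissions only, not share permissions or the IIS authentication settings.

```powershell
# Added example: list who is allowed on an IIS content folder and flag broad groups.
# The default path is a placeholder; pass the site's real home directory.
param([string]$ContentPath = 'C:\Inetpub\intranet')

# Well-known SIDs, so the check does not depend on localized group names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$acl   = Get-Acl -Path $ContentPath
# Explicit AND inherited entries: an inherited grant from a parent folder
# still lets a user in after the explicit entries have been cleaned up.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $sid = $rule.IdentityReference.Value

    # Domain Users is the domain SID followed by RID 513.
    $broad = $broadSids.ContainsKey($sid) -or ($sid -match '^S-1-5-21-[\d-]+-513$')

    try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # unresolvable SID (deleted account, unreachable domain)

    New-Object PSObject -Property @{
        Identity  = $name
        Rights    = $rule.FileSystemRights
        Inherited = $rule.IsInherited
        Broad     = $broad
    }
}

$report | Select-Object Identity, Rights, Inherited, Broad | Format-Table -AutoSize

foreach ($entry in ($report | Where-Object { $_.Broad })) {
    Write-Warning "$($entry.Identity) is allowed on $ContentPath (inherited: $($entry.Inherited))"
}
```

A warning with `inherited: True` means the grant has to be removed on the parent folder, or inheritance has to be blocked on the content folder, before the restriction takes effect.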
 