Re: Cannot view SSI on IIS

From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/24/02


From: "Karl Levinson [x y] MVP" <levinson_k@excite.com>
Date: Thu, 24 Oct 2002 10:19:11 -0400


"Graham W. Boyes" <me@REMOVETHIS.toao.net> wrote in message
news:DJSt9.61765$ER5.3893852@news2.telusplanet.net...
> We have a Windows 2000 Server running IIS. We cannot seem to view any
files
> that use SSI - when we try it gives an authentication box asking for a
> username and password. If we enter an administrator's password, it works,
but
> there should be no need for this. Any other file or script in any
directory
> is fine.
>
> If we cancel the authentication box we get an error that is "Error 403.1
> Access Denied by ACL on Resource".

Check the windows security event log on the server right after you get that
error message to find out what file is being denied access to which file and
why. If they are empty, enable auditing on the server and then enable file
access failure auditing on all the files and folders in the NTFS file
permissions on the web content folders and the Windows and Program Files
folders. Really, for a web server I might also recommend enabling it on all
folders on all drives, for security reasons.

More information on enabling auditing and minimum NTFS file permissions
required is below:

===================

Note that to enable logging of access to files or registry settings, you
must both enable logging in the overall computer policy AND also add
auditing settings on individual folders or registry keys in the NTFS
security properties in Windows Explorer or the REGEDT32 registry editor.
[Using REGEDIT will not work.] To log file access, the files must be on an
NTFS-formatted partition.

Note also that to enable logging of security events on a Windows domain, you
must change the auditing policy on all domain controllers. Changing the
auditing policy on the computers in the domain enables logging of failed
logins to the computers using local accounts and would not necessarily log
attempts to log into the domain.

Consider changing the Windows event log settings to be appropriate for your
environment. Consider increasing the maximum log size to retain more
information. Be careful not to log too much, or you might find that your
logs contain only a few minutes or hours worth of data. Finally, check the
logs to be sure logs are really being captured.

For more information on enabling and configuring auditing, see the articles
below:

http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
[look for the NSA Security Recommendation Guides for Windows 2000 and also
Group Policy]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/
13w2kadc.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
access settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
monitoring for unauthorized user access
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
http://www.labmice.net/troubleshooting/EventLog.htm

[Thanks to Thomas Deml and others]

===============

More information is available in the following articles:

How to set secure NTFS Permissions on IIS directories and log files -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310361

Minimum NTFS file permissions required for IIS:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q187506

How to restore the default NTFS permissions:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q271071 [recommended
first]
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q237399 [recommended
second]

If you are still having problems, you may need to restore your local Group
Policy to the way it was when Windows was first installed. To do this, try
following the instructions in both of the articles below, in the order
below. Note that you may have to reinstall some software and/or may have
additional problems after running the procedures below:

How to apply the default Group Policy templates:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313205 [recommended
first]
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q266118 [recommended
second]

Note that when executing web page scripts, IIS may be using the
IWAM_computername account instead of the IUSR_computername account. If so,
there may be a problem with insufficient permissions or incorrect password
on the IWAM account, especially if you assigned permissions to the IUSR
account instead of the IWAM account.

Use the IIS MMC to look at the "Application Isolation" properties of the
folder containing the troubled script files. IIS runs application scripts
using the IWAM account if the "Application Isolation" setting for the script
or the folder containing the script is set to "Medium" or "High." For more
information on the IWAM account, see the section in this FAQ entitled "I'm
having a problem with the IUSR_computername or IWAM_computername account on
my computer or IIS web server, or the account keeps getting locked out."

No matter what, you should also consider enabling security auditing on the
computer and then enable NTFS file access failure auditing on the files in
question for the groups Everyone and Guests. This should allow you use the
Windows Security Event Log to see which login ID is unable to access which
files as well as why.



Relevant Pages

  • 401 if AppPool is not Network Service
    ... Windows 2003 Servers, IIS 6.0. ... Ping and PingAuth. ... account, in my test), then, even if I do not access any other resources ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: IIS and ASP.NET authentication
    ... IIS uses either its built in account or the account which is set in console ... That means account still exists in Windows. ... That means it is doing authentication. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Digest Authentication
    ... Seems like either IIS is using the wrong user account -or- IIS doesn't have ... you do not need Script Source or Write permissions unless you ... And basic authen..and integreted windows ...
    (microsoft.public.inetserver.iis)
  • Re: Login failed for user (null). Reason: Not associated with a trusted SQL
    ... the user that IIS is logging on as, ... if you do not want the user's Windows credentials to flow back to SQL ... a domain account, and grant that domain account sufficient privileges in SQL ... >> Windows Authentication, but I don't know whether you are using ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator
    ... This is common in most Pre-Installed Windows System. ... > Administrator account allows local Administrator ... IBM Systems with preinstalled Microsoft ...
    (Bugtraq)