IIS 5 and Coldfusion MX - security issue with cfm pages

From: Todd (bacile99@yahoo.com)
Date: 01/06/03


From: bacile99@yahoo.com (Todd)
Date: 5 Jan 2003 19:56:11 -0800

I noticed a problem a couple of weeks ago and can't seem to find an
answer to it. I am running Coldfusion MX with IIS 5 / Windows 2000. I
have a default site, plus a few other virtual sites. I have specified
for pages existing in a secure area that Windows authentication be
used. To take things a step further, I also have specified in IIS
that certain restricted areas on my site only be accessed from a
specific IP range. This works at the directory level fine. Example:
www.mysite.com/secured/ will prompt for a password login. But if I
type an exact URL path to a CFM page within a secured area, then IIS
security is ignored and the page gets served up. Example:
www.mysite.com/secured/page.cfm. It ignores the Windows authentication
rule and the IP restriction rule. CFM pages seem to bypass IIS for
these security measures. Any ideas???

I have read through many of the online forums for similar issues at
Macromedia and Google groups. I have tried everything I have seen and
can't resolve the issue 100%. If I get the pages to prompt for
security login, then after a correct login the page displays an HTTP
500 internal server error. If I get the HTTP 500 error to go away,
then all IIS security stops - no more login prompts. It seems I can't
have my cake and eat it too!

My troubleshooting: I have adjusted the application settings from
medium to low. I have removed and then re-added the ISAPI filters. I
have stopped and re-started one or several services - I also tried
this in a specific order as one poster suggested, but still no luck.
I have rebooted the server a few times with no luck. I have tried a
few other things too but my mind is blank right now so I can't list
the rest. If anyone has any suggestions I would be willing to listen.
Hope to hear from you soon, thanks for the help.
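
A check for the behaviour described in the post, as an added example that is not part of the original post: it requests the protected directory and the files inside it without credentials and reports every URL that IIS does not refuse with 401 or 403. The host and `/secured/page.cfm` are the post's own examples; `readme.htm`, the function names and the simulated responses are constructed for illustration.

```python
import urllib.error
import urllib.request

DENIED = {401, 403}  # responses that mean IIS refused the anonymous request


def http_status(url, timeout=10):
    """Status code of a GET sent with no credentials."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401, 403, 500 ... are raised as HTTPError


def find_unprotected(base_url, directory, files, probe=http_status):
    """Return [(url, status)] for every URL under `directory` that was not
    refused, checking the directory itself first and then each file."""
    root = base_url.rstrip("/") + "/" + directory.strip("/") + "/"
    findings = []
    for url in [root] + [root + name for name in files]:
        status = probe(url)
        if status not in DENIED:
            findings.append((url, status))
    return findings


# Constructed responses modelling the post: the directory prompts for a
# login, the .cfm page is served anyway. readme.htm is a made-up static file.
SIMULATED = {
    "http://www.mysite.com/secured/": 401,
    "http://www.mysite.com/secured/page.cfm": 200,
    "http://www.mysite.com/secured/readme.htm": 401,
}


def simulated_probe(url):
    return SIMULATED[url]


if __name__ == "__main__":
    for url, status in find_unprotected("http://www.mysite.com", "secured",
                                        ["page.cfm", "readme.htm"],
                                        probe=simulated_probe):
        print(f"NOT REFUSED  {status}  {url}")
```

Dropping the `probe` argument sends real requests to your own server; run it from an address outside the permitted IP range so the IP restriction is exercised as well as the authentication rule.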


