Re: IIS6 - How? Force Anonymous and impersonation
From: Tony Su (tonysu@su-networking.com)
Date: 03/26/03
- Previous message: Troy Hammond: "Read Permission in IIS 5.0"
- In reply to: Wade A. Hilmo [MS]: "Re: IIS6 - How? Force Anonymous and impersonation"
- Next in thread: Wade A. Hilmo [MS]: "Re: IIS6 - How? Force Anonymous and impersonation"
- Reply: Wade A. Hilmo [MS]: "Re: IIS6 - How? Force Anonymous and impersonation"
From: "Tony Su" <tonysu@su-networking.com> Date: Wed, 26 Mar 2003 14:13:42 -0800
Thank you... resolved my oversight. I had assigned the
User but not the IIS_WPG NTFS permissions.
Out of curiosity, am interested if you know of a method to
deny access to a User who may be logged on interactively
through Windows (not through IIS). I have not read any
recommended method but came up with a "try" to encrypt the
files using a certificate belonging to the impersonation
account. Now, I'm wondering if I will have issues with the
IIS_WPG group as well since members of that group need to
be able to read (and maybe execute) those same files
without being prompted.
Tony Su
>-----Original Message-----
>Hi Tony,
>
>I'm not sure what settings you are talking about, but IIS 6 works pretty
>much just like IIS 5 with regard to impersonation.
>
>If an anonymous request is made, IIS will impersonate the anonymous user
>(which is IUSR_<machine> by default). If a request is authenticated, IIS
>will impersonate the authenticated user.
>
>In IIS 5, you would achieve your goal below by making sure that the content
>is accessible only by the anonymous user or local system. In IIS 6, it's
>the exact same thing, except that you would allow the anonymous user and the
>IIS_WPG group. The change from local system to IIS_WPG is a result of the
>fact that IIS 6 can run its processes as any arbitrary user and not just
>local system (and we require that such an arbitrary user be a member of that
>group.)
>
>I hope this information is helpful,
>-Wade Hilmo,
>-Microsoft
>
>"Tony Su" <tonysu@su-networking.com> wrote in message
>news:4ac601c2f3dc$78aa8130$a101280a@phx.gbl...
>> On prior IIS, impersonation was standard and it was
>> possible to force all Users to authenticate as anonymous.
>>
>> In IIS6, there are anonymous settings, but nothing that
>> specifies "all are authenticated as Anonymous regardless
>> whether the User is a member of the Domain" and I
>> understand impersonation is disabled by default.
>>
>> Is there a SysAdmin way to implement the following:
>>
>> IIS authenticates any User as anonymous and impersonates
>> the User with a specified User account which is not
>> IUSER_machinename.
>>
>> Then, if that can be answered... optionally I'd be
>> interested if someone can agree whether this would work...
>> I'd like to encrypt the website files with a certificate
>> belonging to the Account used for impersonation so that
>> pages can be viewed without being prompted for credentials
>> belonging to the impersonation account.
>>
>> The objective is to protect the files from being viewed or
>> modified by any person who is able to login locally not
>> using the impersonation account.
>>
>> TIA.
>>
>> Tony Su
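
An added example, not part of the original thread and not Microsoft's own tooling: a PowerShell audit of the ACL arrangement described in the quoted reply, where content is reachable only by the anonymous user and the IIS_WPG group. The content path, the extra allow-list entries for SYSTEM and Administrators, and the use of PowerShell 3.0 or later are assumptions.

```powershell
param(
    # Hypothetical content root; point this at the site's directory.
    [string]$ContentPath   = 'C:\Inetpub\wwwroot',
    # Default anonymous account name (IUSR_<machine>); change it if the site
    # impersonates a different account.
    [string]$AnonymousUser = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
)

# Principals expected to hold Allow ACEs on the content. SYSTEM and
# Administrators are an assumption added here; drop them for a stricter check.
$allowed = @(
    $AnonymousUser,
    "$env:COMPUTERNAME\IIS_WPG",      # assumes IIS_WPG is a local group
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$Allowed)

    # Check the root itself and everything below it, hidden items included.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Deny ACEs cannot widen access, so only Allow ACEs are reported.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # -contains compares strings case-insensitively.
            if ($Allowed -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-UnexpectedAce -Path $ContentPath -Allowed $allowed)
if ($findings.Count -eq 0) {
    'Only the expected principals hold Allow ACEs on the content.'
} else {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
}
```

Entries with `Inherited = True` come from a parent directory, so the fix for those is at the parent or by disabling inheritance on the content root.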