Re: Use NT security for Web Application, don't use Internet User Guest Account
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: Wed, 28 May 2003 16:28:40 -0700
"Colin Colin" <firstname.lastname@example.org> wrote in message
> I am sure this has been asked before and I have searched but I haven't
> found the answer, perhaps I am not searching right or in the right
> I want users only with the appropriate security to run a specific web
> application. Basically I do not want the Internet User Guest account to
> be able to run the application. But, I would also like it if the user
> were already logged into the network, they won't be prompted for their
> user id and password.
> Now the details.
> I have a web app server, NT26. I installed a web application for FRx on
> this machine. In IIS I setup a new website for this called FrxWeb on
> port 10. It works fine. The folders that the webapp runs off from are
> e:\frxwebport so this is the default folder for my frxweb site. The asp
> files are in this folder. The data that the asp files reads are in
> another subfolder e:\frxwebport\data\.
> Currently Allow Anonymous Access is checked in the Directory Security
> for the FrxWeb website.
> The Internet User Guest Account (NT6\IUSR_DELLPOWERAPP) has rights to
> the e:\frxwebport, and the Everyone group has rights to this folder.
> So everything is fine. I can goto: http://NT26:10 and the web page runs
> fine. So now I want to make it restrictive to a certain group.
> We have a group of people that we want to be able to run this. The
> group is g2000\freports. I created a local group on nt26 called:
> nt26\freports I then made g2000\freports a member of nt26\freports.
> I then gave nt26\freports security to the e:\frxwebport directory.
> What should I do or where should I look?
> This is a Windows 2000 machine. I think it's IIS 5.
> Thank you
Where should you look for what ?
Make the website not allow anonymous and make sure
it does allow NT style logins. Change the permissions on
the content so that IUSR_ and Everyone do not have any
premissions but that your custom group of allowed users
do (make sure they also have logon rights on the machine).
Depending on the isolation level you use you may also
need to adjust permissions on your application components.