Re: Website allows everyone in, not matter what
From: Tom Pennington (NONEt2pennington_at_comcast.net)
Date: 06/25/04
- Next message: Lucas: "Russian IIS hack? Malicious Javascript code"
- Previous message: Lucas: "Re: Russian IIS hack? Malicious Javascript code"
- In reply to: Chris Martin: "RE: Website allows everyone in, not matter what"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Jun 2004 13:13:16 -0400
After digging around a bit, I actually found the problem. There is a known
issue when using Coldfusion MX and IIS with NTFS permissions set.
Basically, CF will bypass the NTFS permissions and allow ANY user to view
data even though you have specifically denied access to them at the NTFS
level and the IIS level.
It's a weird problem and hard to explain. Here's the link that explains the
problem:
http://www.macromedia.com/devnet/security/security_zone/mpsb03-02.html
Thanks everyone for the help.
Tom
"Chris Martin" <Chris Martin@discussions.microsoft.com> wrote in message
news:6FFBFFBD-9134-486C-986F-E4A9D38DA0EB@microsoft.com...
> It might be because you have anonymous access enabled. You can disable it
> in the directory security tab while in the properties for the site. You
> should see a check box that says something about allowing anonymous access.
> I suggest right clicking on the directories that you do not want users to
> have access to, and then click on properties. Once there, I think you click
> on the directory security tab.. then uncheck the allow anonymous checkbox.
> I don't have IIS here to double check, but that might initially solve your
> issue.
>
> Overall I think it might be better to not use windows users for
> authentication to the site. At least right now ;) I'd suggest creating a
> database to store user information and code the site for user permissions.
> I know this will take a lot of work, but I think that's the preferred
> practice. Most people do not give out user logins to people that are
> internet browsers. This might cause some interesting web site compromise if
> the user hacks your site. If they hack your site, they will be able to get
> at your system via a user login, which is bad. Microsoft already greatly
> restricts the anonymous user from accessing the system. Users have more
> abilities within the system.
>
> I wouldn't be surprised that 5 years down the road (one more server OS
> release by microsoft) that they will be able to integrate AD to handle
> access rights for different users on a web site.
>
> This is mainly my opinion, if anyone knows or thinks otherwise, feel
> free to speak up. I'm always ready to learn something new :)
>
> "Tom Pennington" wrote:
>
> > Okay, I have created a web site that is open to the public, yet there
> > are pieces that need username/passwords to be able to get in, at least I
> > thought.
> >
> > NTFS Permissions are set so that only members of a particular group can
> > get to this directory, IIS Admin has this directory set to not allow
> > Anonymous access, yet people can get in. Here's the scenario:
> >
> > 1. User is created in AD and put into a particular group (i.e.
> > NO-Access).
> > 2. User (member of NO-Access group) goes to part of my web site and it
> > comes up and prompts for a username/password.
> > 3. If the user types in the username and password, they can get in. If
> > they click on cancel, then they get the 401.2 (unauthorized) error,
> > which is what I would expect.
> >
> > I'm baffled. I've checked the effective permissions for this user and
> > according to NT, they do not have any rights to the directory or the file
> > in question, yet they can still get in. The error log shows error 200 0,
> > which means they got in with a valid username/password.
> >
> > The environment is: Windows 2003 (fully patched), IIS6 and NTFS for the
> > drives.
> >
> > HELP!!!
> >
> > thanks,
> > Tom
> >
> >
> >
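As an added example (not part of this thread), a defender-side check over constructed IIS W3C log lines for the symptom Tom describes: a 200 response inside a directory the NTFS ACL should deny, for an authenticated user outside the allowed group, while the expected 401.2 on cancel is left alone. The protected path, the allowed user names and the log lines are all assumptions.

```python
"""Flag requests that succeed (sc-status 200) into an ACL-protected
directory for users the NTFS permissions should have denied.
Constructed sample data; paths and group membership are assumptions."""

# Assumption: the directory whose NTFS ACL only grants one group.
PROTECTED_PREFIXES = ("/members/",)
# Assumption: the accounts that group actually contains.
ALLOWED_USERS = {"CORP\\alice", "CORP\\bob"}

# IIS W3C extended fields in the order assumed for the sample below;
# "sc-status sc-substatus" is the "200 0" / "401 2" pair seen in the logs.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status"]


def parse_w3c(line):
    """Return a field dict for one data line, or None for headers/malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def audit(lines):
    """Return (user, path, reason) for each 200 into a protected path by a
    user who is not in ALLOWED_USERS. 401.2 (cancelled prompt) is expected."""
    findings = []
    for rec in filter(None, map(parse_w3c, lines)):
        path = rec["cs-uri-stem"].lower()
        if not path.startswith(PROTECTED_PREFIXES) or rec["sc-status"] != "200":
            continue
        user = rec["cs-username"]
        if user == "-":
            findings.append((user, path, "anonymous access to protected path"))
        elif user not in ALLOWED_USERS:
            findings.append((user, path, "authenticated user outside allowed group"))
    return findings


# Constructed sample log: public page, cancelled prompt (401.2), allowed
# user (200), and a member of a denied group still getting a 200.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-06-25 17:01:02 10.0.0.5 GET /index.cfm - 80 - 10.0.0.9 Mozilla/4.0 200 0 0
2004-06-25 17:01:10 10.0.0.5 GET /members/report.cfm - 80 - 10.0.0.9 Mozilla/4.0 401 2 5
2004-06-25 17:01:15 10.0.0.5 GET /members/report.cfm - 80 CORP\\alice 10.0.0.9 Mozilla/4.0 200 0 0
2004-06-25 17:02:30 10.0.0.5 GET /members/report.cfm - 80 CORP\\noaccess1 10.0.0.12 Mozilla/4.0 200 0 0
""".splitlines()

if __name__ == "__main__":
    for user, path, reason in audit(SAMPLE_LOG):
        print(f"{user} -> {path}: {reason}")
```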