Securing IIS IUSER
From: Pritchie (info2005_at_remove-this-including-dot.bigbunker.com)
Date: 10/18/05
- Previous message: Bernard Cheah [MVP]: "Re: iis5 disable trace method"
- Next in thread: Leon Mayne [MVP]: "Re: Securing IIS IUSER"
- Reply: Leon Mayne [MVP]: "Re: Securing IIS IUSER"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Oct 2005 09:31:29 GMT
> "Pritchie" <info2005@remove-this-including-dot.bigbunker.com> wrote in
> message news:dpO4f.3413$sm1.224@newsfe5-win.ntli.net...
> > Hi,
> > I want to restrict IUSER access to the server file system. I removed it
> > from the "Users" group and added it to the "Guest" group. Thinking that
> > if
> > I then explicitly granted it read permissions to the wwwroot, that would
> > work fine. Before granting IUSER permission to read the files/folder, I
> > test access was denied.. it wasn't.
> >
> > The wwwroot has the following permissions
> > Administrators (Full)
> > CREATOR OWNER (Special)
> > SYSTEM (Full
> > Users (Read)
> >
> > if I remove "Users" from wwwroot and IUSER cannot see the files, I added
> > "Users" back and IUSER can see the files again, even though it's not a
> > member of the "Users" group.
> >
> > IUSER is only a member of
> > Guests
> >
> > The Users groups has
> > ASPNET
> > NT AUTHORITY\Authenticated Users
> > NT AUTHORITY\INTERACTIVE Users
> >
> > are any of these permitting IUSER access to files and folders with
"Users"
> > permissions.
> >
> > How can I stop IUSER seeing files and folder unless explicitly granted
> > NTFS
> > permissions. I'd rather not have to remove the "Users" permissions
> > granted
> > across the whole file system.
> >
> > Why has NTFS file and folder permission gone down hill since NT4? use
to
> > be
> > so simple, now there so much implicit granting of permissions you may as
> > well have it set to Everyone (Full). :o(
> >
> > In brief, I want to stop IUSER see files and folders unless granted
> > permissions to...
> > D:\MyFile (Access denied)
> > D:\Inetpub\wwwroot (Access granted)
> >
> > Thanks
> > Pritchie
> >
> >
>
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:<uN#nh600FHA.3000@TK2MSFTNGP12.phx.gbl>...
> Hi,
>
> IUSER account is also "member of group" (it is "added" to the group
> dynamically) called "Authenticated Users" and that is the reason why it
> worked when the Users group had Read permission on the folder.
>
> You might also want to post this question in
> "microsoft.public.inetserver.iis.security"
>
> --
> Mike
> Microsoft MVP - Windows Security
>
- Previous message: Bernard Cheah [MVP]: "Re: iis5 disable trace method"
- Next in thread: Leon Mayne [MVP]: "Re: Securing IIS IUSER"
- Reply: Leon Mayne [MVP]: "Re: Securing IIS IUSER"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
