Re: Intranet Security



No it doesn't, but IIS will always honor NTFS permissions. For anything else
I just don't have enough information.

Remove everything from permissions except those users that need access and
e.g. the Administrators group. Don't use other groups unless necessary (e.g.
don't use Domain Users, Authenticated Users, ...).
You can also use the Effective Permissions tab on your files in your data
folder where you are setting NTFS permissions to figure out what kind of
permissions a user will have on data.

How are share permissions set up?

My suggestion would be to first make this work on the IIS server (move data
to the IIS server). Once it works on the IIS server, start playing with
access over shares.

--
Mike
Microsoft MVP - Windows Security

"Peter W. Caton" <PeterWCaton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4DD1833A-A405-41CD-86D3-52C39A17686C@xxxxxxxxxxxxxxxx
Just to clarify:

If I try to access the share via Windows when I am logged in under a
restricted user, I am denied.

But you're saying that because I have permissions set up as Authenticated
Users, IIS allows this restricted user to view the website?

Before writing the newsgroup, I also tried the following:

Add the website files on the local IIS server. Set the permissions to only
allow Staff Users and Domain Admins.

When I log in as a restricted user, I can still access the website.

This just doesn't add up-

"Miha Pihler [MVP]" wrote:

Hi,

Your users are granted access via "Authenticated Users". Any user that has a
valid username and password is automatically an authenticated user and your
current settings give him/her full access.

--
Mike
Microsoft MVP - Windows Security

"Peter W. Caton" <PeterWCaton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:14328C7F-A809-4387-8063-2DE017D9B51F@xxxxxxxxxxxxxxxx
The share that IIS is redirected to is set up as follows

Permissions: Authenticated users have Full, Change, Read
Security: Staff Users (group with staff accounts) have Read, Write
Domain Admins Full Control

But when I log in as an AD user account that is not in either one of these
groups, I can still access the website.

"Peter W. Caton" wrote:

Thanks for your reply.

For some reason, this does not work.

I have the website pointing to a network share on another server.

The network share only allows users 1, 2, 3.

If I log in as one of the users who should not have access to this share and
try to access the share, I am denied. So I know the permissions are
working.

However, if I am logged in as a user who should not have access to the site
and type in the server's name in IE, I can access the webpage, no problem.

I have also tried moving the files to a folder on the IIS server. Same
thing happens.

I do have anonymous access disabled.

For authenticated access, I have tried every combination of access, Windows
Integrated, Digest Authentication, and one of two things happens. One, I am
prompted for a username and password. But no matter what username and
password I enter, I am denied access. Two, I can access the site using any
AD user.

Any other thoughts?

"Peter W. Caton" wrote:

Here is what I want to do with IIS on a Windows 2003 server. The server is
part of our domain.

I have a basic Intranet troubleshooting website set up in IIS.

I want to limit access to a specific group of Active Directory users. In
other words, AD users 1, 2, 3 can access the intranet website, all other
users are denied.

How can I accomplish this?

I should also note that I am rather new to IIS, so the more detail you can
provide, the better.

Thanks.
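
The check behind the top reply's advice (remove broad groups such as Authenticated Users and Domain Users from the NTFS ACL), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later and a hypothetical content path; point it at the site's home folder or at the UNC path of the share.

```powershell
# Added example: list every Allow ACE on the web content that is granted to a
# broad principal, so it can be removed or replaced by the intended group.
param(
    # Hypothetical path: use the site's home directory or \\server\share
    [string]$ContentPath = 'C:\Inetpub\wwwroot\intranet'
)

# Well-known SIDs, so renamed or localized group names do not hide a match
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, returned as SIDs rather than names
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }

        $sid  = $rule.IdentityReference.Value
        $name = $BroadSids[$sid]
        # Domain Users is RID 513 under the domain's own SID
        if (-not $name -and $sid -match '^S-1-5-21-.+-513$') {
            $name = 'Domain Users'
        }
        if ($name) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # True: fix it on a parent folder
            }
        }
    }
}

# The folder itself plus everything beneath it
$items = @(Get-Item -LiteralPath $ContentPath) +
         @(Get-ChildItem -LiteralPath $ContentPath -Recurse -Force)
$items | ForEach-Object { Get-BroadAce -Path $_.FullName } |
    Format-Table -AutoSize
```

An empty result means no broad group is granted access through NTFS on that tree; rows with Inherited set to True have to be corrected on the parent folder the entry comes from.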




