Re: deny access to IIS virtual directory

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/25/05


Date: Fri, 25 Feb 2005 05:38:01 -0700


"David K" <noemail@nospam.com> wrote in message
news:v25l11dl80itqhqo5fns9kouqmq5ffiuc5@4ax.com...
> I'm running Windows Server 2003.
>
> On the IIS server, I have the local path c:\intranetnews shared as a
> virtual directory for the active website.
>
> I have anonymous access enabled for the directory, so that users
> aren't prompted for credentials. One global security group, Project
> Contractors, is denied access to that directory via NTFS permissions.
> Every user can open that portion of the site in IE, including Jay
> Adams, who is a member of Project Contractors. Why?
>
> All I can figure is Jay is being treated as an anonymous user instead
> of his logon credentials.
>

that is precisely the case, given what you have stated.

> If that's the case, the MSPress MCSE book is wrong. This is part of an
> exercise that says that given this configuration, Jay should be denied
> access.
>

evidently so, if you have correctly understood what it is saying
and reflected that here.

In IIS if you want to allow anonymous access, then that is
all that is needed from the client - in other words, just who
is at the other end is not known.

Now, if you have an area served by IIS for anonymous access,
say yourweb.com/thisarea that is stored at f:\web1\area1
then the NTFS at f:\web1\area1 needs to have a grant to the
account(s) IIS will use for the anonymous access.
If within this you remove this grant to some part, like
f:\web1\area1\restricted and instead place NTFS grants to
the accounts that should have access, then even though this
is within an anonymous web when the access with the accounts
IIS is using for anonymous access fails the client will get a
chance to provide credentials that will enable the access.
In this case, if the groups with Jay have no grant, but other
users are in groups with grants, then you would get something
close to the behavior the MCSE text might be indicating.
So, bottom line is, reread and make sure you are taking all
of the scenario into account.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
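
Added example, not part of the original post: a simplified Python model of the behaviour described in the reply above, where IIS checks NTFS against its anonymous account first and only challenges the client when that check fails. The account name IUSR_SERVER, the user ann, the Staff group and both ACLs are constructed for illustration; real NTFS evaluation (inheritance, ACE ordering) has more detail than this.

```python
# Simplified model: which identity does NTFS actually get checked against?
ANON = "IUSR_SERVER"  # assumed name of the account IIS uses for anonymous access

# Constructed group memberships for the scenario in the thread.
GROUPS = {
    ANON: {"Everyone"},
    "jay": {"Everyone", "Project Contractors"},
    "ann": {"Everyone", "Staff"},
}

def ntfs_allows(user, acl):
    """acl is a list of (type, principal) entries; any matching deny wins."""
    principals = GROUPS[user] | {user}
    if any(kind == "deny" and who in principals for kind, who in acl):
        return False
    return any(kind == "allow" and who in principals for kind, who in acl)

def request(acl, credentials=None):
    """Return (HTTP status, identity NTFS was checked against)."""
    if ntfs_allows(ANON, acl):
        return 200, ANON            # served anonymously; client identity never asked for
    if credentials is None:
        return 401, None            # anonymous failed, client is challenged
    if ntfs_allows(credentials, acl):
        return 200, credentials     # served under the supplied account
    return 401, credentials         # authenticated, but NTFS has no grant for this user

# Constructed ACL for c:\intranetnews as described in the question:
# the anonymous account still has a grant (here via Everyone).
INTRANETNEWS_ACL = [("deny", "Project Contractors"), ("allow", "Everyone")]

# Constructed ACL for f:\web1\area1\restricted as described in the reply:
# no grant reaches the anonymous account, only the groups that should get in.
RESTRICTED_ACL = [("allow", "Staff")]

if __name__ == "__main__":
    print(request(INTRANETNEWS_ACL, "jay"))  # deny on Jay's group is never evaluated
    print(request(RESTRICTED_ACL))           # challenge
    print(request(RESTRICTED_ACL, "ann"))    # allowed as ann
    print(request(RESTRICTED_ACL, "jay"))    # refused as jay
```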

