Re: User configuration question

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/03/05


Date: Thu, 3 Mar 2005 08:15:22 -0700


"Richard L Rosenheim" <richard@rlr.com> wrote in message
news:ui3$hn3HFHA.572@tk2msftngp13.phx.gbl...
> No, this is not a web farm -- single computer system (actually a SBS 2003
> system). And to answer your question, I'm not running Terminal Services.
>
> I'm using AD user accounts as I'm not aware of another way of doing it.
> But, I'm open to suggestions.
>
> From what I understand of your reply, if I only grant them NTFS permission
> to the folder I wish to allow them to access, and I don't allow them
> VPN/Dial-in access, then I'm okay about them not being able to access other
> portions/resources of the system.
>
> Thanks for the reply,
>
> Richard Rosenheim
>

Well, that changes things some, as an SBS03 is a domain controller,
and so you only have domain accounts available. Normally we do
not recommend use of IIS on a DC - but in a single server SBS
environment you do not have a choice.

What you need to do is
1. be aware of what all groups the accounts are in, like Domain Users
2. understand what those memberships will enable
3. examine all ways that they can get at the system, physical or over
    the network
4. guard each login form that those ways of getting to the system
    would allow.

In the smaller SBS environment use of the user rights settings
in a GPO that applies to all machines except that where the
web resides might be viable. The settings are the ones to
Deny local login and to Deny network login (or similar wording).
That will prevent the account from most uses on any other computer
that is in the SBS domain.
Then you just need to control access on the machine with the web
content. Allowing access to the web content is done with NTFS
permissions. The bigger issue is disallowing access to anything
else. For that you really need to examine the exposures, because
to be authenticated by IIS for access to the web content the accounts
will need some user rights, and being in the Users group will grant
them access where you may not want it. There are a lot of variables
at this point, that are best narrowed down by looking at the exact
specifics of the one machine, and this is complicated by its being
the SBS03 DC. For example, we do not know from where these
users will access the web (the outside world?, the local office?)
and we do not know if the server is multihomed with one interface
internal and one to the network, or if it is all local with one network
interface, or . . .

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:Oe2$aliHFHA.1096@tk2msftngp13.phx.gbl...
> > First, if you are not using a web farm and the application does
> > not require the user to go off-box as themselves, such as to a
> > SQL server back-end, then why are you using AD user accounts?
> > If you want to make sure that they cannot access anything except
> > things (webs) on one server, then use of machine local accounts
> > on that server is one of the most strong enforcements of that
> > safeguard that you can get.
> >
> > Now, as to your ??
> > > Is it possible to create a user in the Active Directory
> > > and restrict them only to accessing a single web site?
> > Yes, it is possible, but you need to have the right environment
> > established in your AD infrastructure in order to do so.
> > Specifically you need to have taken control over the membership
> > of the machine local Users group on all machines, and/or of the
> > User Rights to Log on locally and to Log on over the network
> > on every machine.  The default settings will not be working in
> > your favor in this regard.
> >
> > If the AD is structured so that you can restrict the account to
> > the one webserver, or if the website is confined to one machine
> > only, then it is only a matter of controlling access on that one
> > machine.
> > > The web site is configured to use Windows authentication, and I wish to
> > > grant specific users access to the web site.
> > Not a problem.  Use NTFS permissions effectively.  The account
> > (post-NT4) will likely need to be a member of the machine local Users
> > group if the website is much more than static html, but otherwise those
> > accounts only need read on the website's content files.
> >
> > > But, I also don't want them to
> > > be able to actually log into the server,
> > Do not run Terminal Services or if so, make sure you control what
> > accounts are permitted, and, take physical security over your server
> > so they cannot get to it.  It depends on how the users will access the
> > web content (IE browse, FrontPage for content update, etc.) whether
> > the account needs Local, Network, or both login rights.  Hence, you
> > must block their access to login in other fashions.
> >
> > > or access any files or resources on
> > > the server, except for that one specific web site.
> > Use NTFS permissions (and if present, share level permissions)
> > effectively.  If they cannot log into a desktop (per prior comments)
> > then you only need to make sure they are blocked from inappropriate
> > network logins (shares).
> >
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows  Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "Richard L Rosenheim" <richard@rlr.com> wrote in message
> > news:O8GohiTHFHA.720@TK2MSFTNGP10.phx.gbl...
> > > Is it possible to create a user in the Active Directory and restrict them
> > > only to accessing a single web site?
> > >
> > > The web site is configured to use Windows authentication, and I wish to
> > > grant specific users access to the web site.  But, I also don't want them
> > > to be able to actually log into the server, or access any files or resources
> > > on the server, except for that one specific web site.
> > >
> > > Any suggestions, recommendations, helpful URLs?
> > >
> > > Richard Rosenheim
> > >
> > >
> >
> >
>
>
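Roger's four-step checklist (group memberships, NTFS rights on the web content, and the Deny log on locally / Deny access from the network user rights) as an added PowerShell audit script; this is not code from the thread. It assumes the ActiveDirectory module is installed, that it runs elevated on the machine being checked, and that the account name and web root below are placeholders for your own values.

```powershell
# Added audit example (not from the thread). Run elevated on the server
# whose user rights you want to inspect (the GPO-targeted machines, or the
# web server itself). $Account and $WebRoot are constructed placeholders.
param(
    [string]$Account = 'webuser1',
    [string]$WebRoot = 'C:\inetpub\wwwroot\ClientSite'
)
Import-Module ActiveDirectory

# Step 1: what groups is the account in? Domain Users is what puts it into
# the local Users group on every domain member, which is the broad grant
# Roger warns about. Get-ADPrincipalGroupMembership includes the primary group.
$user   = Get-ADUser -Identity $Account
$groups = Get-ADPrincipalGroupMembership -Identity $user
Write-Host "Groups for ${Account}: $(($groups | ForEach-Object Name) -join ', ')"

# Step 2: NTFS ACEs on the web content that apply to the account or any of
# its groups. For content browsed through IIS, Read/ReadAndExecute is all
# that should appear; Modify or FullControl is a finding.
$names = @($user.SamAccountName) + ($groups | ForEach-Object Name)
(Get-Acl -Path $WebRoot).Access |
    Where-Object { $names -contains ($_.IdentityReference.Value -split '\\')[-1] } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Steps 3 and 4: export the effective user rights of this machine and check
# whether the account (or one of its groups) is named in the logon-related
# rights. secedit writes principals as *SID in the [Privilege Rights] section.
# On machines covered by the deny GPO, SeDenyInteractiveLogonRight and
# SeDenyNetworkLogonRight should include the account; on the web server
# SeDenyNetworkLogonRight must NOT, or IIS Windows authentication breaks.
$sids = @($user.SID.Value) + ($groups | ForEach-Object { $_.SID.Value })
$inf  = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content $inf |
    Where-Object { $_ -match '^Se(Deny)?(Interactive|Network|RemoteInteractive)LogonRight' } |
    ForEach-Object {
        $name, $members = $_ -split '\s*=\s*', 2
        $listed = ($members -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
        $hit = if (@($listed | Where-Object { $sids -contains $_ }).Count -gt 0) { 'YES' } else { 'no' }
        Write-Host ("{0,-32} names {1} or its groups: {2}" -f $name, $Account, $hit)
    }
Remove-Item $inf -ErrorAction SilentlyContinue
```

Note that the export only shows rights as applied to the local machine, and that local groups such as BUILTIN\Users (S-1-5-32-545) are not in the AD membership list, so a "no" here does not rule out access granted through that group.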
