IIS 6.0 and Integrated Security - restricting logins

I want to restrict user access to certain parts of my web site by creating
local groups and adding those groups to the data folders that have the web content. Right now, when I create a new local user, and do not add them to any group, he can access the web site which is configured to use Integrated Security only. How can this happen if the new user is not part of any groups with access to the folders?

--
Sandy Wood
Orange County District Attorney

a) Use the IIS Logs to verify which user account is being used (you
should see the user account in the log file)

b) Verify that this user account does not have NTFS permissions to the file/folder in question. I suspect that they must via some kind of group.

Cheers
Ken

I checked the IIS logs and the test user I created, without any group
membership was shown as logging in. The only users/groups I have on the data directory are Administrators, CREATOR OWNER, SYSTEM and local USERS.

Could there be some other place that permissions are set? I'm only using Integrated Security, nothing Anonymous.

Check the membership of the "Users" group. I suspect that your test user is
in that group.

Cheers
Ken

I dug out an old Win2k Res. Kit tool, w3who.dll, which after running, gave me
the following Access Token info:

SERVER01\testuser
SERVER01\None
\Everyone
SERVER01\PROBATION
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
NT AUTHORITY\NTLM Authentication

If I check the user Member properties, he's not a member of any group at all, however, this shows something a bit different.

We do have a local group called PROBATION, but inspecting its membership shows testuser is not a member of it.

Perhaps the BUILTIN\Users could give permissions?

Your user is part of the Users group (as I mentioned). Remove the Users
group from the NTFS ACL (Access Control List) for the file or folder you are attempting to restrict access to.

Cheers
Ken

Ken,
I took another closer look at my configuration and I had taken all the users out of the Users folder, except I noticed that I left 'Authenticated Users' still in there. Boy am I stupid. You're right, thanks for the tip.

I also noticed that someone had put \Everyone into the Probation group which explains the other issue. The System was just doing what it was told. Duh.

Thanks again for your help.
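Added example, not part of the original thread: a small Python model of why the w3who output listed BUILTIN\Users and SERVER01\PROBATION for an account with no explicit group membership. Local groups are expanded against every identity already in the token, including the well-known ones. It calls no Windows APIs; the group contents and ACL principals come from the thread, while the Administrators member and the treatment of every ACL entry as an Allow ACE are assumptions.

```python
# Constructed model of the server described in the thread (no Windows API calls).
# Local group -> direct members, as found before the fix.
LOCAL_GROUPS = {
    r"BUILTIN\Users": {r"NT AUTHORITY\Authenticated Users"},
    r"SERVER01\PROBATION": {"Everyone"},
    r"BUILTIN\Administrators": {r"SERVER01\Administrator"},  # assumed member
}
# Principals on the data directory's NTFS ACL, as listed in the thread.
# Assumption: each entry is an Allow ACE that grants read access.
FOLDER_ACL = [r"BUILTIN\Administrators", "CREATOR OWNER",
              r"NT AUTHORITY\SYSTEM", r"BUILTIN\Users"]
# Identities present in the token of an authenticated (non-anonymous) network logon.
IMPLICIT = ["Everyone", r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\NETWORK"]


def build_token(user, groups=LOCAL_GROUPS):
    """Return {principal: the principal that pulled it into the token, or None}."""
    token = {user: None}
    token.update({p: user for p in IMPLICIT})
    changed = True
    while changed:  # repeat until no group adds anything new (handles nesting)
        changed = False
        for group, members in groups.items():
            via = sorted(members.intersection(token))
            if group not in token and via:
                token[group] = via[0]
                changed = True
    return token


def explain_access(user, acl=FOLDER_ACL, groups=LOCAL_GROUPS):
    """Return one membership chain for each ACL entry that matches the token."""
    token = build_token(user, groups)
    chains = []
    for ace in acl:
        if ace in token:
            chain, node = [], ace
            while node is not None:  # walk back to the user
                chain.append(node)
                node = token[node]
            chains.append(list(reversed(chain)))
    return chains


if __name__ == "__main__":
    for chain in explain_access(r"SERVER01\testuser"):
        print(" -> ".join(chain))
```

Passing a `groups` mapping with Authenticated Users removed from Users, or an `acl` without BUILTIN\Users, models the two fixes discussed in the thread.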