IIS 6.0 and passwording site

I have read every article I can find and it all looks easy, but my site just doesn't lock down. I really need some help here. My goal is to allow only certain users access to this web site. The problem is that every user in my AD can go to this page even though they shouldn't have access. The password page comes up, but they just have to put in their user ID. In the IIS Manager, Default Web Site, Directory Security, Authentication and Access Control, the only box that is checked is Basic Authentication (I have SSL on this box), and the Default domain and Realm both have my Domain Name. On the wwwroot, the rights are

web1\Administrators - Full Control
MyDomain\web1 Access Users - R & E, L, R
CREATOR OWNER - Special Permissions
SYSTEM - Full Control
web1\Users - R & E, L, R, Special Permissions

Thanks in advance.

Steve

----

Use the NTFS permissions to control access for user groups just like for shared files.

Anthony

----

On Thu, 3 Aug 2006 11:34:02 -0700, stebe <st***@discussions.microsoft.com> wrote:
> I have read every article I can find and it all looks easy, but my site just doesn't lock down. [...]

Use Windows Integrated (not Basic) and check your group memberships.

Jeff

----

Remove the grant to web1\Users as this likely includes Authenticated Users, which in turn means any account in the forest that can authenticate successfully.

----

If I remove CLEAR TEXT and add AUTHENTICATED USERS, it has no effect. Any user can get in. If I remove the Web1\Users completely from the security, it still allows the user to pass to the web site, the login program just doesn't run.

----

Steve,

I'm jumping in the middle of the thread without reading the previous posts, so forgive me if I'm being redundant with something already said.

The problem seems to be that the NTFS permissions on the folder allow any authenticated user to read it. Probably either the "WEB1\Users" or the "MyDomain\Web 1 Access Users" group has the "Authenticated Users" or "Domain\Users" groups as members.

My suggestion to you in order to properly set up the NTFS permissions (use a test folder before applying this in the current folder :P):

1. Remove all NTFS permissions from the folder you want to restrict access to, except for Administrators. You'll have to prevent the folder from inheriting parent permissions.
2. In "Administrative Tools -> Local Security Policy", enable auditing for object access failures. Don't enable success auditing for object access, to avoid filling the event viewer with garbage. Remember to reload the policy to make sure it's in effect.
3. On the restricted folder, add auditing permissions for Everyone (use the Advanced button on the Folder Permissions form). Make sure you propagate this to children.
4. Try to access the resources on the folder with some authorized test user; you'll get a 403 Forbidden. Go to the Event Viewer and check it.
5. Add required permissions (usually Read and Execute). You may use the "Effective Permissions" tab from the "Advanced" button to check if your user will have the required permissions.

Also, you may find these links very useful:

http://www.adopenstatic.com/faq/IISRequestProcessing.aspx
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx

Cheers,
Eric.

"stebe" <st***@discussions.microsoft.com> wrote in message news:2EE94BC5-3C51-44E9-8DD0-070EC8A379FF@microsoft.com...
> If I remove CLEAR TEXT and add AUTHENTICATED USERS, it has no effect. Any user can get in. If I remove the Web1\Users completely from the security, it still allows the user to pass to the web site, the login program just doesn't run.

----

FIXED! Thanks for all the awesome advice!!!!! What I found was that the local WEB1\Users group included NT Authority\Authenticated Users. I removed that group and now security works as advertised.

Thanks again to all who replied.

-Steve
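
The root cause found in this thread (a local group on the folder ACL that itself contains NT Authority\Authenticated Users) can be checked for with a script. The following is an added example, not part of the original thread; the path C:\Inetpub\wwwroot, the list of broad principals and the function name Get-LocalGroupMemberName are assumptions.

```powershell
# Added example: report which ACEs on a web root effectively admit every
# authenticated account. $Path and $BroadPrincipals are assumptions; adjust them.
param([string]$Path = 'C:\Inetpub\wwwroot')

# Principals that amount to "anyone who can log on to the domain"
$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Domain Users'

function Get-LocalGroupMemberName {
    param([string]$Group)
    # The WinNT ADSI provider also works on servers without Get-LocalGroupMember
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

foreach ($ace in (Get-Acl -Path $Path).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id    = $ace.IdentityReference.Value      # e.g. WEB1\Users or BUILTIN\Users
    $name  = $id.Split('\')[-1]
    $found = @()
    if ($BroadPrincipals -contains $name) { $found += $name }

    # Expand local groups one level: a broad principal nested inside a local
    # group does not show up on the folder's permission list itself
    if ($id -like "$env:COMPUTERNAME\*" -or $id -like 'BUILTIN\*') {
        try {
            $found += @(Get-LocalGroupMemberName $name |
                        Where-Object { $BroadPrincipals -contains $_ })
        } catch {
            # Not a local group (for example a local user account); nothing to expand
        }
    }

    New-Object PSObject -Property @{
        Identity  = $id
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        Broad     = ($found -join ', ')
        Verdict   = $(if ($found) { 'REVIEW: admits any authenticated user' } else { 'ok' })
    }
}
```

Domain groups on the ACL (such as MyDomain\web1 Access Users here) are not expanded by this script; check their membership in Active Directory separately.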