IIS/NTFS permissions help

I'm trying to lock down the connection strings on our web servers and opted to go with .UDL files because they will be accessible from both Classic ASP and ASP.NET pages. They will also be stored outside of the webroot which should make them easier to restrict permissions in this environment and are still easy for appropriate people to change.

The problem I'm having is that unless the individual user (or user group) has read access to the file the page can not read it to access the connection string.

Ideally I'd like to have IIS allow anonymous access and then grant the IUSR_machinename user permissions to the .UDL files. This should prevent individual users from being able to browse and read the files yet still allow the system to use them. Unfortunately I have been unable to make this work.

IIS6
Windows Server 2003
Classic ASP/ASP.NET

IUSR_machinename has read&execute to the files
IUSR_machinename is set as the account for anonymous access and the enable anonymous box is checked in
Integrated Windows Authentication is checked in as well

This is the error:
----------------
Provider error '80030005'

Access Denied.
----------------

When I grant the users group or everyone group permissions the file will come up just fine.

Any help would be greatly appreciated.

"wolfeitz" <wolfe***@gmail.com> wrote in message news:1119958853.435362.179050@g14g2000cwa.googlegroups.com...
> I'm trying to lock down the connection strings on our web servers and
> opted to go with .UDL files because they will be accessible from both
> Classic ASP and ASP.NET pages. They will also be stored outside of the
> webroot which should make them easier to restrict permissions in this
> environment and are still easy for appropriate people to change.
>
> The problem I'm having is that unless the individual user (or user
> group) has read access to the file the page can not read it to access
> the connection string.
>
> Ideally I'd like to have IIS allow anonymous access and then grant the
> IUSR_machinename user permissions to the .UDL files. This should
> prevent individual users from being able to browse and read the files
> yet still allow the system to use them. Unfortunately I have been
> unable to make this work.
>
> IIS6
> Windows Server 2003
> Classic ASP/ASP.NET
>
> IUSR_machinename has read&execute to the files
> IUSR_machinename is set as the account for anonymous access and the
> enable anonymous box is checked in
> Integrated Windows Authentication is checked in as well
>
> This is the error:
> ----------------
> Provider error '80030005'
>
> Access Denied.
> ----------------
>
> When I grant the users group or everyone group permissions the file
> will come up just fine.
>
> Any help would be greatly appreciated.

Since the UDL files are stored outside of the web root, how will the users be able to browse and read the files?

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Browse to the file is not exactly what I meant.

Rather, if the user needs read permissions on the UDL file, how can I make it still inaccessible to them? At best I can have the file on a hidden share and the path somehow obscured but if they have read access on the file then I don't know how I could prevent them from getting to it.

What I really want is for the IUSR_machinename account to be used when accessing the file and the user account and access never even considered.

You'd think it was the easiest thing in the world however in an active directory environment I can't seem to get IIS to ignore the user permissions and opt for the IUSR access.

"wolfeitz" <wolfe***@gmail.com> wrote in message news:1120066645.156193.305120@z14g2000cwz.googlegroups.com...
> Browse to the file is not exactly what I meant.
>
> Rather, if the user needs read permissions on the UDL file, how can I
> make it still inaccessible to them? At best I can have the file on a
> hidden share and the path somehow obscured but if they have read access
> on the file then I don't know how I could prevent them from getting to
> it.
>
> What I really want is for the IUSR_machinename account to be used when
> accessing the file and the user account and access never even
> considered.
>
> You'd think it was the easiest thing in the world however in an active
> directory environment I can't seem to get IIS to ignore the user
> permissions and opt for the IUSR access.

Right, because once they authenticate, that's how it works - IUSR is out of the picture.

The users will not be able to directly access the UDL file if you do not put it in the web root path and you do not put it in a share. As long as it is not exposed through the web or a share it is directly inaccessible to them and only accessible through your code.

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Ahhh - not good. I definitely had a misconception about how IIS was functioning.

That option no longer being viable, do you (or anyone else) have any suggestions about the best way to secure connection strings which would work for both Classic ASP and ASP.NET? ASP.NET seems to have several very good options however I have not come across any that will work equally well with Classic ASP.