Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Setting password access in IIS6 website subfolders

Posted on 2008-06-19
11
Medium Priority
?
517 Views
Last Modified: 2012-08-13
We have websites setup on a Windows 2003 Web edition using IIS6.  Two of the websites require an admin folder to have passwords to allow access to the folders.  Each website is in its own directory under a \Webs folder.

The standard  security permissions are set on the "\webs" folder and subfolder.  
They are:
SERVER\Administrator -> Full Control
Creator Owner                -> Special
System                             -> Full Control
SERVER\Users               -> Read & Execute, List Folder Contents, Read

I have created two new user accounts UserA and UserB and removed them from the Users group.

In the IIS6 snap-in I have set the properties of each \admin folder by un-checking enable anonymous access then going into permissions and adding the users to (A or B) to their associated website.

In both websites accessing the www.domain.com\admin\ folder prompts for a username and password and will allow access if supplied.  However, UserA can use their username/password in UserB's website and UserB can use their username/password to access UserA's admin folder.

Can anyone explain to me what I am doing wrong and more imprortantly how to correct this?  Each user should only have access to their domain's admin sub-folder.

Thank you for your time.
0
Comment
Question by:endpointnet
  • 5
  • 4
11 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21825900
You could try an explict deny on one user to the web he should not access.
0
 

Author Comment

by:endpointnet
ID: 21826109
Although setting an explicit deny for the users not allowed access to each particular web does work it is administratively cumbersome and fraught with human error as we add more websites and the accounts grow (remembering to add all users NOT allowed to the permissions).  Is there a way I can deny all for a sub-folder in a website and then allow just the specific users for that subfolder?
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21826134
If I could ask a question, what type of information is being saved on these websites?  Or are they truely websites?  If it is just a place to store documents and such maybe a better solution would be something else....
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:endpointnet
ID: 21826466
They are web sites - web pages. The server is running Cold Fusion and the \admin folders are the CF web pages that allow the website owners to add content to the website's database.  We used to run another webserver product (Website Pro) and it was a simple matter to add user access through the webserver software.   I am switching to IIS6 as we migrate to Win2003 because the Website Pro product is end of life.

This should be a simple matter of setting permissions however I am obviously missing or misunderstandning something in how IIS6 works with the NTFS permissions.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21826546
Maybe implementing webdav would be a better solution for you.  The linked document is a good read...just an fyi.

http://www.windowsnetworking.com/articles_tutorials/WebDAV-IIS.html
0
 

Author Comment

by:endpointnet
ID: 21826863
Implementing webdav is not the solution to this particular problem because the \admin folders contain a custom (for each website) web-based content management system that is written in Cold Fusion (a web scripting language like ASP) to allow each website owner to complete forms that populate a database.

The more I play with this it appears as if I have a fundmental misunderstanding of NTFS permissions as to how they work with IIS6. I say this because I have found that if I add any user to the machine then they have access to any and all of the \Admin folders even if they have not been granted explicit access in the permissions.  Removing them from the USERS group has no effect.
0
 
LVL 17

Accepted Solution

by:
Andres Perales earned 1000 total points
ID: 21826883
Check the folder permissions for the admin folders what do you have listed in there...you have to remember also, many folders inherit their permissions from a parent folder too...
0
 

Author Comment

by:endpointnet
ID: 21827103
It appears as if I was misunderstanding the role of the USERS group in this regard.  The solution appears to be to remove the inheritable permissions then copy them for the \admin folder.

This was what I did to make it work. Please advise if my application is incorrect or leave a security hole open.

Step 1: I added the IIS_WPG and the IUSR_{server} accounts to the \Webs folder which is the top node for all the websites.

Step 2: Open the IIS snap-in and right click on the \Admin folder within the website.  Select Permissions > Advanced > Uncheck "Allow Interitable permissions" then click "copy"

Step 3: In the IIS snap-in right click again on the \admin  folder and add the user acount who should be granded access and then remove the Users group from the permissions for that folder.

This allowed all the function of the content management tool to operate and only allows the specific user to access that folder of the website.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21833091
That sounds good...and should work out for you...
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What is an ISAPI filter?   •      It's an assembly (.dll file) that can add or change the way IIS works.   •      They can be enabled globally for your web server or on a site-by-site basis.   When the IIS server receives a request, enabling the ISAPI fi…
Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
Suggested Courses

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question