Setting password access in IIS6 website subfolders

Posted on 2008-06-19
Last Modified: 2012-08-13
We have websites set up on a Windows 2003 Web Edition server using IIS6.  Two of the websites require an admin folder to have passwords to allow access to the folders.  Each website is in its own directory under a \Webs folder.

The standard security permissions are set on the "\Webs" folder and subfolders. They are:
SERVER\Administrator -> Full Control
Creator Owner        -> Special
System               -> Full Control
SERVER\Users         -> Read & Execute, List Folder Contents, Read

I have created two new user accounts UserA and UserB and removed them from the Users group.

In the IIS6 snap-in I have set the properties of each \admin folder by un-checking "Enable anonymous access", then going into Permissions and adding the users (A or B) to their associated website.

In both websites accessing the www.domain.com\admin\ folder prompts for a username and password and will allow access if supplied.  However, UserA can use their username/password in UserB's website and UserB can use their username/password to access UserA's admin folder.

Can anyone explain to me what I am doing wrong and, more importantly, how to correct this?  Each user should only have access to their domain's admin sub-folder.

Thank you for your time.
Question by: endpointnet
11 Comments
 
Expert Comment

by: Andres Perales
ID: 21825900
You could try an explict deny on one user to the web he should not access.
 

Author Comment

by: endpointnet
ID: 21826109
Although setting an explicit deny for the users not allowed access to each particular web does work, it is administratively cumbersome and fraught with human error as we add more websites and the number of accounts grows (remembering to add all users NOT allowed to the permissions).  Is there a way I can deny all for a sub-folder in a website and then allow just the specific users for that sub-folder?
 
Expert Comment

by: Andres Perales
ID: 21826134
If I could ask a question, what type of information is being saved on these websites?  Or are they truly websites?  If it is just a place to store documents and such, maybe a better solution would be something else....

Author Comment

by: endpointnet
ID: 21826466
They are web sites - web pages. The server is running Cold Fusion and the \admin folders are the CF web pages that allow the website owners to add content to the website's database.  We used to run another webserver product (Website Pro) and it was a simple matter to add user access through the webserver software.   I am switching to IIS6 as we migrate to Win2003 because the Website Pro product is end of life.

This should be a simple matter of setting permissions; however, I am obviously missing or misunderstanding something in how IIS6 works with the NTFS permissions.
 
Expert Comment

by: Andres Perales
ID: 21826546
Maybe implementing webdav would be a better solution for you.  The linked document is a good read...just an fyi.

http://www.windowsnetworking.com/articles_tutorials/WebDAV-IIS.html
 

Author Comment

by: endpointnet
ID: 21826863
Implementing webdav is not the solution to this particular problem because the \admin folders contain a custom (for each website) web-based content management system that is written in Cold Fusion (a web scripting language like ASP) to allow each website owner to complete forms that populate a database.

The more I play with this, it appears as if I have a fundamental misunderstanding of NTFS permissions as to how they work with IIS6. I say this because I have found that if I add any user to the machine then they have access to any and all of the \Admin folders, even if they have not been granted explicit access in the permissions.  Removing them from the USERS group has no effect.
 
Accepted Solution

by: Andres Perales (earned 250 total points)
ID: 21826883
Check the folder permissions for the admin folders: what do you have listed in there? You also have to remember that many folders inherit their permissions from a parent folder...
 

Author Comment

by: endpointnet
ID: 21827103
It appears as if I was misunderstanding the role of the USERS group in this regard.  The solution appears to be to remove the inheritable permissions then copy them for the \admin folder.

This was what I did to make it work. Please advise if my application is incorrect or leave a security hole open.

Step 1: I added the IIS_WPG and the IUSR_{server} accounts to the \Webs folder which is the top node for all the websites.

Step 2: Open the IIS snap-in and right-click on the \Admin folder within the website.  Select Permissions > Advanced > uncheck "Allow inheritable permissions", then click "Copy".

Step 3: In the IIS snap-in, right-click again on the \admin folder, add the user account who should be granted access and then remove the Users group from the permissions for that folder.

This allowed all the functions of the content management tool to operate and only allows the specific user to access that folder of the website.
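The three steps in the comment above, scripted so they can be repeated for every site instead of clicked through the snap-in. This is an added example and is not code from the thread or from the poster; the root path D:\Webs, the site folder names siteA/siteB, the account names UserA/UserB and the IUSR_{server} naming are assumptions and should be adjusted to the real server. It uses only Get-Acl/Set-Acl and the .NET FileSystemSecurity class, which are available on Windows Server 2003 with PowerShell 1.0/2.0. The reason the original setup leaked is also the reason the script removes BUILTIN\Users by well-known SID rather than by trusting group membership: on Windows Server 2003, Authenticated Users is a member of the local Users group, so every local account inherits the Users allow ACE from \Webs no matter what group you take it out of.

```powershell
# Added example, not from the original thread. Run elevated on the web server.
# Assumptions: root folder, site folder names and account names are placeholders.

$WebsRoot   = 'D:\Webs'                        # assumed top folder holding every site
$ServerName = $env:COMPUTERNAME
$IusrName   = "IUSR_$ServerName"               # IIS 6 anonymous account naming convention

# Assumed mapping: site folder under $WebsRoot -> the single local account allowed into its \admin
$AdminOwners = @{
    'siteA' = "$ServerName\UserA"
    'siteB' = "$ServerName\UserB"
}

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Read    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Grant-ReadAccess {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Read, $Inherit, $NoProp, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 1: the worker process group and the anonymous account get read access on the
# whole tree, inherited downwards, so the sites keep serving once Users is gone.
Grant-ReadAccess -Path $WebsRoot -Identity "$ServerName\IIS_WPG"
Grant-ReadAccess -Path $WebsRoot -Identity "$ServerName\$IusrName"

function Restrict-AdminFolder {
    param([string]$AdminPath, [string]$Owner)

    # Step 2: break inheritance but keep a copy of the inherited entries
    # ("Copy" in the Advanced dialog). Persist this first: the copied entries
    # only become explicit, editable ACEs after Set-Acl has written them.
    $acl = Get-Acl -Path $AdminPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $AdminPath -AclObject $acl

    # Step 3: strip every ACE for BUILTIN\Users (matched by well-known SID, so the
    # display name does not matter) and grant the one owner account read access.
    $acl      = Get-Acl -Path $AdminPath
    $usersSid = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)
    $acl.PurgeAccessRules($usersSid)
    $ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Owner, $Read, $Inherit, $NoProp, $Allow)
    $acl.AddAccessRule($ownerRule)
    Set-Acl -Path $AdminPath -AclObject $acl
}

# Check: report who can still read the folder and flag any broad principal that
# would reopen it to every local account.
function Test-AdminFolder {
    param([string]$AdminPath)
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $allow = (Get-Acl -Path $AdminPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    $leaks = @($allow | Where-Object { $broad -contains $_ })
    New-Object PSObject -Property @{ Path = $AdminPath; Allowed = $allow; BroadGroups = $leaks }
}

foreach ($site in $AdminOwners.Keys) {
    $adminPath = Join-Path (Join-Path $WebsRoot $site) 'admin'
    Restrict-AdminFolder -AdminPath $adminPath -Owner $AdminOwners[$site]
    Test-AdminFolder -AdminPath $adminPath | Format-List
}
```

Two caveats when reading the check output. The IUSR account will still appear in the Allowed list, because its read ACE was copied from \Webs in step 2; that is exactly why "Enable anonymous access" must stay unchecked on each \admin folder in IIS, since re-enabling it would let the anonymous request in without a prompt. And the NTFS ACL is what actually separates UserA from UserB here: IIS only decides who gets challenged, while the impersonated account's rights on the folder decide who gets through, so any new site needs its own run of Restrict-AdminFolder rather than a deny entry per outside user.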
 
Expert Comment

by: Andres Perales
ID: 21833091
That sounds good...and should work out for you...
