Solved

Setting password access in IIS6 website subfolders

Posted on 2008-06-19
11
510 Views
Last Modified: 2012-08-13
We have websites setup on a Windows 2003 Web edition using IIS6.  Two of the websites require an admin folder to have passwords to allow access to the folders.  Each website is in its own directory under a \Webs folder.

The standard  security permissions are set on the "\webs" folder and subfolder.  
They are:
SERVER\Administrator -> Full Control
Creator Owner                -> Special
System                             -> Full Control
SERVER\Users               -> Read & Execute, List Folder Contents, Read

I have created two new user accounts UserA and UserB and removed them from the Users group.

In the IIS6 snap-in I have set the properties of each \admin folder by un-checking enable anonymous access then going into permissions and adding the users to (A or B) to their associated website.

In both websites accessing the www.domain.com\admin\ folder prompts for a username and password and will allow access if supplied.  However, UserA can use their username/password in UserB's website and UserB can use their username/password to access UserA's admin folder.

Can anyone explain to me what I am doing wrong and more imprortantly how to correct this?  Each user should only have access to their domain's admin sub-folder.

Thank you for your time.
0
Comment
Question by:endpointnet
  • 5
  • 4
11 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21825900
You could try an explict deny on one user to the web he should not access.
0
 

Author Comment

by:endpointnet
ID: 21826109
Although setting an explicit deny for the users not allowed access to each particular web does work it is administratively cumbersome and fraught with human error as we add more websites and the accounts grow (remembering to add all users NOT allowed to the permissions).  Is there a way I can deny all for a sub-folder in a website and then allow just the specific users for that subfolder?
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21826134
If I could ask a question, what type of information is being saved on these websites?  Or are they truely websites?  If it is just a place to store documents and such maybe a better solution would be something else....
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:endpointnet
ID: 21826466
They are web sites - web pages. The server is running Cold Fusion and the \admin folders are the CF web pages that allow the website owners to add content to the website's database.  We used to run another webserver product (Website Pro) and it was a simple matter to add user access through the webserver software.   I am switching to IIS6 as we migrate to Win2003 because the Website Pro product is end of life.

This should be a simple matter of setting permissions however I am obviously missing or misunderstandning something in how IIS6 works with the NTFS permissions.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21826546
Maybe implementing webdav would be a better solution for you.  The linked document is a good read...just an fyi.

http://www.windowsnetworking.com/articles_tutorials/WebDAV-IIS.html
0
 

Author Comment

by:endpointnet
ID: 21826863
Implementing webdav is not the solution to this particular problem because the \admin folders contain a custom (for each website) web-based content management system that is written in Cold Fusion (a web scripting language like ASP) to allow each website owner to complete forms that populate a database.

The more I play with this it appears as if I have a fundmental misunderstanding of NTFS permissions as to how they work with IIS6. I say this because I have found that if I add any user to the machine then they have access to any and all of the \Admin folders even if they have not been granted explicit access in the permissions.  Removing them from the USERS group has no effect.
0
 
LVL 17

Accepted Solution

by:
Andres Perales earned 250 total points
ID: 21826883
Check the folder permissions for the admin folders what do you have listed in there...you have to remember also, many folders inherit their permissions from a parent folder too...
0
 

Author Comment

by:endpointnet
ID: 21827103
It appears as if I was misunderstanding the role of the USERS group in this regard.  The solution appears to be to remove the inheritable permissions then copy them for the \admin folder.

This was what I did to make it work. Please advise if my application is incorrect or leave a security hole open.

Step 1: I added the IIS_WPG and the IUSR_{server} accounts to the \Webs folder which is the top node for all the websites.

Step 2: Open the IIS snap-in and right click on the \Admin folder within the website.  Select Permissions > Advanced > Uncheck "Allow Interitable permissions" then click "copy"

Step 3: In the IIS snap-in right click again on the \admin  folder and add the user acount who should be granded access and then remove the Users group from the permissions for that folder.

This allowed all the function of the content management tool to operate and only allows the specific user to access that folder of the website.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21833091
That sounds good...and should work out for you...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question