Solved

Setting password access in IIS6 website subfolders

Posted on 2008-06-19
11
511 Views
Last Modified: 2012-08-13
We have websites setup on a Windows 2003 Web edition using IIS6.  Two of the websites require an admin folder to have passwords to allow access to the folders.  Each website is in its own directory under a \Webs folder.

The standard  security permissions are set on the "\webs" folder and subfolder.  
They are:
SERVER\Administrator -> Full Control
Creator Owner                -> Special
System                             -> Full Control
SERVER\Users               -> Read & Execute, List Folder Contents, Read

I have created two new user accounts UserA and UserB and removed them from the Users group.

In the IIS6 snap-in I have set the properties of each \admin folder by un-checking enable anonymous access then going into permissions and adding the users to (A or B) to their associated website.

In both websites accessing the www.domain.com\admin\ folder prompts for a username and password and will allow access if supplied.  However, UserA can use their username/password in UserB's website and UserB can use their username/password to access UserA's admin folder.

Can anyone explain to me what I am doing wrong and more imprortantly how to correct this?  Each user should only have access to their domain's admin sub-folder.

Thank you for your time.
0
Comment
Question by:endpointnet
  • 5
  • 4
11 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21825900
You could try an explict deny on one user to the web he should not access.
0
 

Author Comment

by:endpointnet
ID: 21826109
Although setting an explicit deny for the users not allowed access to each particular web does work it is administratively cumbersome and fraught with human error as we add more websites and the accounts grow (remembering to add all users NOT allowed to the permissions).  Is there a way I can deny all for a sub-folder in a website and then allow just the specific users for that subfolder?
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21826134
If I could ask a question, what type of information is being saved on these websites?  Or are they truely websites?  If it is just a place to store documents and such maybe a better solution would be something else....
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:endpointnet
ID: 21826466
They are web sites - web pages. The server is running Cold Fusion and the \admin folders are the CF web pages that allow the website owners to add content to the website's database.  We used to run another webserver product (Website Pro) and it was a simple matter to add user access through the webserver software.   I am switching to IIS6 as we migrate to Win2003 because the Website Pro product is end of life.

This should be a simple matter of setting permissions however I am obviously missing or misunderstandning something in how IIS6 works with the NTFS permissions.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21826546
Maybe implementing webdav would be a better solution for you.  The linked document is a good read...just an fyi.

http://www.windowsnetworking.com/articles_tutorials/WebDAV-IIS.html
0
 

Author Comment

by:endpointnet
ID: 21826863
Implementing webdav is not the solution to this particular problem because the \admin folders contain a custom (for each website) web-based content management system that is written in Cold Fusion (a web scripting language like ASP) to allow each website owner to complete forms that populate a database.

The more I play with this it appears as if I have a fundmental misunderstanding of NTFS permissions as to how they work with IIS6. I say this because I have found that if I add any user to the machine then they have access to any and all of the \Admin folders even if they have not been granted explicit access in the permissions.  Removing them from the USERS group has no effect.
0
 
LVL 17

Accepted Solution

by:
Andres Perales earned 250 total points
ID: 21826883
Check the folder permissions for the admin folders what do you have listed in there...you have to remember also, many folders inherit their permissions from a parent folder too...
0
 

Author Comment

by:endpointnet
ID: 21827103
It appears as if I was misunderstanding the role of the USERS group in this regard.  The solution appears to be to remove the inheritable permissions then copy them for the \admin folder.

This was what I did to make it work. Please advise if my application is incorrect or leave a security hole open.

Step 1: I added the IIS_WPG and the IUSR_{server} accounts to the \Webs folder which is the top node for all the websites.

Step 2: Open the IIS snap-in and right click on the \Admin folder within the website.  Select Permissions > Advanced > Uncheck "Allow Interitable permissions" then click "copy"

Step 3: In the IIS snap-in right click again on the \admin  folder and add the user acount who should be granded access and then remove the Users group from the permissions for that folder.

This allowed all the function of the content management tool to operate and only allows the specific user to access that folder of the website.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21833091
That sounds good...and should work out for you...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
HTTP to HTTPS but have 2 sub sites 8 18
IIs block files web.config 6 140
Terminating connections by ip address 2 61
powershell - detection of system errors 3 41
First of all, clustering IIS is something you should rarely consider doing. In almost all cases, Microsoft Network Load Balancing (NLB) (http://technet.microsoft.com/en-us/library/cc758834(WS.10).aspx) is a much better solution when you need to p…
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question