• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 521
  • Last Modified:

Setting password access in IIS6 website subfolders

We have websites setup on a Windows 2003 Web edition using IIS6.  Two of the websites require an admin folder to have passwords to allow access to the folders.  Each website is in its own directory under a \Webs folder.

The standard  security permissions are set on the "\webs" folder and subfolder.  
They are:
SERVER\Administrator -> Full Control
Creator Owner                -> Special
System                             -> Full Control
SERVER\Users               -> Read & Execute, List Folder Contents, Read

I have created two new user accounts UserA and UserB and removed them from the Users group.

In the IIS6 snap-in I have set the properties of each \admin folder by un-checking enable anonymous access then going into permissions and adding the users to (A or B) to their associated website.

In both websites accessing the www.domain.com\admin\ folder prompts for a username and password and will allow access if supplied.  However, UserA can use their username/password in UserB's website and UserB can use their username/password to access UserA's admin folder.

Can anyone explain to me what I am doing wrong and more imprortantly how to correct this?  Each user should only have access to their domain's admin sub-folder.

Thank you for your time.
0
endpointnet
Asked:
endpointnet
  • 5
  • 4
1 Solution
 
Andres PeralesCommented:
You could try an explict deny on one user to the web he should not access.
0
 
endpointnetAuthor Commented:
Although setting an explicit deny for the users not allowed access to each particular web does work it is administratively cumbersome and fraught with human error as we add more websites and the accounts grow (remembering to add all users NOT allowed to the permissions).  Is there a way I can deny all for a sub-folder in a website and then allow just the specific users for that subfolder?
0
 
Andres PeralesCommented:
If I could ask a question, what type of information is being saved on these websites?  Or are they truely websites?  If it is just a place to store documents and such maybe a better solution would be something else....
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
endpointnetAuthor Commented:
They are web sites - web pages. The server is running Cold Fusion and the \admin folders are the CF web pages that allow the website owners to add content to the website's database.  We used to run another webserver product (Website Pro) and it was a simple matter to add user access through the webserver software.   I am switching to IIS6 as we migrate to Win2003 because the Website Pro product is end of life.

This should be a simple matter of setting permissions however I am obviously missing or misunderstandning something in how IIS6 works with the NTFS permissions.
0
 
Andres PeralesCommented:
Maybe implementing webdav would be a better solution for you.  The linked document is a good read...just an fyi.

http://www.windowsnetworking.com/articles_tutorials/WebDAV-IIS.html
0
 
endpointnetAuthor Commented:
Implementing webdav is not the solution to this particular problem because the \admin folders contain a custom (for each website) web-based content management system that is written in Cold Fusion (a web scripting language like ASP) to allow each website owner to complete forms that populate a database.

The more I play with this it appears as if I have a fundmental misunderstanding of NTFS permissions as to how they work with IIS6. I say this because I have found that if I add any user to the machine then they have access to any and all of the \Admin folders even if they have not been granted explicit access in the permissions.  Removing them from the USERS group has no effect.
0
 
Andres PeralesCommented:
Check the folder permissions for the admin folders what do you have listed in there...you have to remember also, many folders inherit their permissions from a parent folder too...
0
 
endpointnetAuthor Commented:
It appears as if I was misunderstanding the role of the USERS group in this regard.  The solution appears to be to remove the inheritable permissions then copy them for the \admin folder.

This was what I did to make it work. Please advise if my application is incorrect or leave a security hole open.

Step 1: I added the IIS_WPG and the IUSR_{server} accounts to the \Webs folder which is the top node for all the websites.

Step 2: Open the IIS snap-in and right click on the \Admin folder within the website.  Select Permissions > Advanced > Uncheck "Allow Interitable permissions" then click "copy"

Step 3: In the IIS snap-in right click again on the \admin  folder and add the user acount who should be granded access and then remove the Users group from the permissions for that folder.

This allowed all the function of the content management tool to operate and only allows the specific user to access that folder of the website.
0
 
Andres PeralesCommented:
That sounds good...and should work out for you...
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now