Securing internal IIS site

Posted on 2008-11-06
Last Modified: 2013-12-04
Is there a way to secure an internal IIS so only a select few users have access to it? If I select Integrated Windows Authentication and set security to the home directory folder for the IIS site to only some people, everyone else can still access it. If I set it to Basic Authentication then users get prompted for the credentials but still everyone can get access to the site.

P.S. This is only for intranet, so using basic authentication is not a security threat.
Question by: misengineers

    Expert Comment

    I'm assuming you are setting folder permissions on the physical folders?  If yes, that doesn't control access to the site.

    There are actually three aspects to security in a web application.  One is defining authentication to access the site, two is what you can do within the site and three is the permissions of the processes you trigger when you are executing server side code.

    Windows or Basic authentication in IIS is all or nothing.  You can't control granular access.  In order to control access more precisely you have to use ASP.NET and use a web.config file with 'Windows' authentication configured to set access rights to specific folders or files.

    Author Comment

    The only thing I don't understand is when they talk about creating a directory in step 1. Where do I create it? In the sites directory? In the windows directory?

    And as far as web.config file, do I just create it in the sites directory? I see the File Location within is pointing to the site, but it's not created automatically.

    Assisted Solution

    Folders in IIS are mapped to physical folders on your hard drive.  You can locate your physical web application files anywhere on the server and then assign the website root to that physical folder.  The root is where the web.config would be located.  However, .NET supports nested web.config files so you can actually add additional web.config files in sub-folders or even create alternate web applications in virtual sub-folders.

    Accepted Solution

    > Where do I create it? In the sites directory? In the windows directory?

    Basically, under the Sites directory, by using the IIS management console.

    I believe the following MSKB articles could answer your additional questions. They are suitable for IIS6 as well.

    How To Create a Virtual Directory in Internet Information Services (IIS)

    How To Create the Web.config File for an ASP.NET Application

    Hope it helps,

    Author Closing Comment

    Thanks guys! That's what I needed.
