jbla9028
asked on
security on website
I have a SharePoint site that is running on IIS 6 that I'm having a security problem on (I think, anyway). I have added an SSL certificate to the site, disabled anonymous access, and require integrated authentication at the website level.
The CTO has found that if you want to go to portal.company.com you are being prompted for credentials if you do not have NTLM enabled on your browser. He was able to grab a graphic file from a deeper directory though without authenticating. The directory/file is:
to https://portal.comany.com/_layouts/images/company_logo_220.gif
He's afraid there is other content exposed to the internet as well without authentication. How can I secure this site so ALL access must be authenticated and make files like these unretrievable without authentication?
ASKER
What would I limit the permissions to? I copied one of the images and then removed all users from the ACL. I can still get to the file as a non-authenticated user over a browser. I hit the main page and it does require me to log in.
I added anonymous access to the file and explicitly denied it read permissions. No dice!
ASKER
thanks.
ASKER
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\template\ima
I don't see anonymous access in the ACL on the folder images. Should I add it and explicitly deny it? Will that cause any issues, you think?