dpmoney
asked on
IIS - Block Access to ASPX Page via AD Group Membership

Hi Experts,

QUESTION

How can we ensure that ONLY people who are part of the ExecutiveWeb group can load ASPX pages from /DotNet/Executive folder when prompted via Basic Authentication?


BACKGROUND INFO

This is an INTRANET site being migrated from a 2003 server to 2012 R2
It is 99% working properly - but one security piece is not
The site contains a mixture of classic ASP and ASP.net pages
This question is specific to the ASP.net portion of the site
Application Pool runs under a domain user account (e.g. CorpWebID)
The CLR is .NET 4.0
DotNet folder is an application housing all aspx files
Under DotNet folder, there is a folder called Executive with restricted access pages - entire Executive folder is locked by custom ACL (e.g. domain users group removed)
Example directory structure is as follows:

Default WebSite
default.asp
executivemenu.asp
- DotNet Folder   (the Application folder - contains all the aspx files)
--Executive Folder    (locked down by ACL - group membership)
---execstats.aspx

Entire site uses SSL (again this is internal only)

Anonymous authentication is disabled on the /DotNet/Executive folder - only thing enabled is "Basic Authentication" to force logon

The Executive folder is locked down by ACL so only people in an "ExecutiveWeb" AD group should be able to access files

The CorpWebID is also on the Executive folder's ACL list - we found it doesn't work properly otherwise because the Application Pool's Identity ID is CorpWebID. No one authenticates with this ID - it is basically a service account.

Access to the executive folder's pages is largely handled via a main menu that is classic ASP (executivemenu.asp) and hyperlinks for executive ASP.net pages point to the /DotNet/Executive folder.

When prompted to log into the ExecutiveMenu - if you are not in the ExecutiveWeb group - it stops you like it should. Most people would back off if they fail authentication for the ExecutiveMenu.asp page.

However, internal testing prior to migration has detected that if someone were to type in the exact URL of a page under /DotNet/Executive - for example, executivestats.aspx - they get prompted for authentication - and as long as they type in ANY valid domain user ID and password - the page loads.

This is a problem - I know the Application Pool works under the identity ID which has been specified in settings (e.g. CorpWebID), and that is likely why the page can load.  However, I don't understand why it gets this far since the Basic Authentication of the page should determine that the random domain user we are authenticating with as a test does NOT have ACL permissions to ExecutiveStats.aspx because his ID is not in the ExecutiveWeb group.
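As an added example (not part of the original post, and not a published Experts Exchange solution), the following web.config could be placed in the /DotNet/Executive folder to enforce the group check explicitly instead of relying on the NTFS ACL. The reason the ACL is not enough for .aspx files is that ASP.NET opens the page file under the application pool identity (CorpWebID, which is on the ACL), so the Basic-authenticated user's token is never tested against the file unless impersonation or file authorization is involved. URL authorization, by contrast, evaluates the authenticated WindowsPrincipal's group memberships directly. DOMAIN is a placeholder for the real NetBIOS domain name; the ExecutiveWeb group name is taken from the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for /DotNet/Executive (folder-level config).
     Assumes the DotNet application's own web.config already sets
     <authentication mode="Windows" /> and that Basic Authentication is the only
     IIS authentication method enabled on this folder (as the question states).
     DOMAIN is a placeholder for the actual NetBIOS domain name. -->
<configuration>
  <system.web>
    <!-- ASP.NET URL authorization: applies to requests handled by managed
         handlers (the .aspx pages). Rules are evaluated top to bottom and the
         first matching rule wins. -->
    <authorization>
      <!-- "?" means anonymous; denying it first guarantees a 401 challenge
           before any page code runs. -->
      <deny users="?" />
      <!-- Windows group membership is surfaced as a role on the
           WindowsPrincipal created by Basic/Windows authentication. -->
      <allow roles="DOMAIN\ExecutiveWeb" />
      <!-- Any other authenticated domain user is rejected here; this is the
           rule that closes the gap described in the question. -->
      <deny users="*" />
    </authorization>
  </system.web>

  <system.webServer>
    <security>
      <!-- IIS-native URL authorization: covers every request to this folder,
           including static files and classic ASP, not only managed handlers.
           Requires the "URL Authorization" role service (Web-Url-Auth) to be
           installed; the rules are inert without it. -->
      <authorization>
        <!-- Drop the inherited "allow everyone" rule from applicationHost.config -->
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="DOMAIN\ExecutiveWeb" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

To verify the fix, request https://site/DotNet/Executive/execstats.aspx twice over Basic Authentication: once with an account that is a member of ExecutiveWeb (expect 200) and once with an ordinary domain account that is not (expect 401 after the Basic retries are exhausted, rather than the page body). The anonymous/Basic authentication settings themselves are intentionally not placed in this web.config, because those sections are locked at the server level by default and setting them in a folder config produces a 500.19 error unless they are first unlocked; leaving them where the question already configured them (IIS Manager, which writes applicationHost.config) avoids that. Also confirm that no `<location>` element higher in the hierarchy re-allows users="*" for the Executive path, since a later inherited allow rule would not override the explicit deny here but a misplaced one in the parent could mask the test result.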
ASKER CERTIFIED SOLUTION
dpmoney