Website allows everyone in, no matter what
Archived text-only version of a thread (IIS Server Security, June 2004).

Tom Pennington 2004-06-26, 10:16 am
Okay, I have created a web site that is open to the public, yet there are
pieces that need username/passwords to be able to get in, at least I
thought.
NTFS Permissions are set so that only members of a particular group can get
to this directory, IIS Admin has this directory set to not allow Anonymous
access, yet people can get in. Here's the scenario:
1. User is created in AD and put into a particular group (i.e. NO-Access).
2. User (member of NO-Access group) goes to part of my web site and it
comes up and prompts for a username/password.
3. If the user types in the username and password, they can get in. If
they click on cancel, then they get the 401.2 (unauthorized) error, which is
what I would expect.
I'm baffled. I've checked the effective permissions for this user and
according to NT, they do not have any rights to the directory or the file in
question, yet they can still get in. The error log shows error 200 0, which
means they got in with a valid username/password.
The environment is: Windows 2003 (fully patched), IIS6 and NTFS for the
drives.
HELP!!!
thanks,
Tom

Ken Schaefer 2004-06-26, 10:16 am
What are the NTFS permissions for the file/folder in question?
Cheers
Ken
"Tom Pennington" <NONEt2pennington@comcast.net> wrote in message
news:ummdzZkWEHA.1368@TK2MSFTNGP10.phx.gbl...

Tom Pennington 2004-06-26, 10:16 am
Administrator: Full Access
IUSR_Servername: Deny Full Access
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23WKM7fmWEHA.500@TK2MSFTNGP09.phx.gbl...

Chris Martin 2004-06-26, 10:16 am
It might be because you have anonymous access enabled. You can disable it in the Directory Security tab while in the properties for the site. You should see a check box that says something about allowing anonymous access. I suggest right clicking on the directories that you do not want users to have access to, and then clicking on Properties. Once there, I think you click on the Directory Security tab, then uncheck the allow anonymous checkbox. I don't have IIS here to double check, but that might initially solve your issue.
Overall I think it might be better to not use Windows users for authentication to the site. At least right now ;) I'd suggest creating a database to store user information and coding the site for user permissions. I know this will take a lot of work, but I think that's the preferred practice. Most people do not give out user logins to people that are internet browsers. This might cause some interesting web site compromise if the user hacks your site. If they hack your site, they will be able to get at your system via a user login, which is bad. Microsoft already greatly restricts the anonymous user from accessing the system. Users have more abilities within the system.
I wouldn't be surprised if 5 years down the road (one more server OS release by Microsoft) they will be able to integrate AD to handle access rights for different users on a web site.
This is mainly my opinion; if anyone knows or thinks otherwise, feel free to speak up. I'm always ready to learn something new.
"Tom Pennington" wrote:

Tom Pennington 2004-06-26, 10:16 am
After digging around a bit, I actually found the problem. There is a known
issue when using Coldfusion MX and IIS with NTFS permissions set.
Basically, CF will bypass the NTFS permissions and allow ANY user to view
data even though you have specifically denied access to them at the NTFS
level and the IIS level.
It's a weird problem and hard to explain. Here's the link that explains the
problem:
http://www.macromedia.com/devnet/se.../mpsb03-02.html
Thanks everyone for the help.
Tom
"Chris Martin" <Chris Martin@discussions.microsoft.com> wrote in message
news:6FFBFFBD-9134-486C-986F-E4A9D38DA0EB@microsoft.com...
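An added audit script, not part of this thread, that scans IIS 6 W3C extended log lines for the symptom Tom describes: a 200 response under a directory that should require membership in an allowed group, returned to an anonymous requester or to an account outside that group. The log lines, the /private/ path and the DOMAIN\... account names are constructed placeholders.

```python
# Added example: flag 200 responses under a protected path from callers
# who should have been denied (anonymous '-' or not in the allowed set).
# The log text below is constructed; field names follow the IIS W3C format.
from collections import namedtuple

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-26 10:16:00
#Fields: date time cs-method cs-uri-stem cs-username sc-status sc-substatus sc-win32-status
2004-06-26 10:16:01 GET /index.htm - 200 0 0
2004-06-26 10:16:05 GET /private/report.cfm - 401 2 5
2004-06-26 10:16:09 GET /private/report.cfm DOMAIN\\noaccess1 200 0 0
2004-06-26 10:16:12 GET /private/report.htm DOMAIN\\noaccess1 401 3 5
2004-06-26 10:16:20 GET /private/report.cfm DOMAIN\\admin 200 0 0
"""

Hit = namedtuple("Hit", "time uri user status substatus")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines that follow
            continue
        if not line or line.startswith("#"):   # other directives and blank lines
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        yield dict(zip(fields, line.split()))


def suspicious_hits(text, protected_prefix, allowed_users):
    """Return 200 responses under protected_prefix whose user is anonymous ('-')
    or not in allowed_users. With NTFS/IIS enforcement working, this is empty."""
    allowed = {u.lower() for u in allowed_users}
    hits = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(protected_prefix.lower()):
            continue
        if rec["sc-status"] != "200":          # 401.x means access was refused as expected
            continue
        user = rec["cs-username"]
        if user == "-" or user.lower() not in allowed:
            hits.append(Hit(rec["time"], rec["cs-uri-stem"], user,
                            rec["sc-status"], rec["sc-substatus"]))
    return hits


if __name__ == "__main__":
    for h in suspicious_hits(SAMPLE_LOG, "/private/", ["DOMAIN\\admin"]):
        print(f"{h.time} {h.user} got {h.status}.{h.substatus} for {h.uri}")
```

In the constructed log the NO-Access member is refused the .htm file (401.3) but served the .cfm file (200 0), which is the pattern to look for when a handler such as the one Tom describes reads files under its own service account rather than the authenticated user's.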