IIS Server Security - ASPs and NTFS permissions

Author

ASPs and NTFS permissions

Brian J Spencer UK

2005-01-14, 7:51 am

Hi there.

I have been successfully running ASP on a W2K IIS5.0 server using Anon
Access enabled, but would like to be able to restrict access to a particular
folder containing ASP content to a particular NTFS user group that I have set
up.

I have added this group to the particular folder (giving Full Control) and
switched off anon access and added Intergrated Windows authentication in IIS
Admin. The problem is that although users can access static content in this
folder, any attempt to run an ASP fails with a logon box appearing and
"Error: access denied apearing in the page.

Is the problem that this user group does not have permissions on the system
files used to execute the ASPs? Everything works fine under my admin account.

Thanks for any assistance,

Jeff Cochran

2005-01-14, 5:51 pm

On Fri, 14 Jan 2005 03:41:02 -0800, Brian J Spencer UK <Brian J
Spencer UK@discussions.microsoft.com> wrote:

>I have been successfully running ASP on a W2K IIS5.0 server using Anon
>Access enabled, but would like to be able to restrict access to a particular
>folder containing ASP content to a particular NTFS user group that I have set
>up.
>
>I have added this group to the particular folder (giving Full Control) and
>switched off anon access and added Intergrated Windows authentication in IIS
>Admin. The problem is that although users can access static content in this
>folder, any attempt to run an ASP fails with a logon box appearing and
>"Error: access denied apearing in the page.
>
>Is the problem that this user group does not have permissions on the system
>files used to execute the ASPs? Everything works fine under my admin account.

Possibly. Filemon from Systernals could help diagnose this.

Jeff

Brian J Spencer UK

2005-01-15, 7:47 am

Thanks for that, Jeff - unfortunately we run a very tightly controlled
network, which makes it v difficult to get diagnostic software loaded. Does
anyone have any ideas about the higher level files/folders which could be
causing these probs? As far as I understand, an ASP in IIS calls some DLLs,
etc in system folders. Would this user group have to have permissions on
these also?

Thanfs, Brian

"Jeff Cochran" wrote:

> On Fri, 14 Jan 2005 03:41:02 -0800, Brian J Spencer UK <Brian J
> Spencer UK@discussions.microsoft.com> wrote:
>
>
> Possibly. Filemon from Systernals could help diagnose this.
>
> Jeff
>

Randy [adsi4nt]

2005-01-17, 7:47 am

Brian,

Ensure that the new group you created has "Log On Locally" rights.

HTH

Randy
www.adsi4nt.com

"Brian J Spencer UK" <BrianJSpencerUK@discussions.microsoft.com> wrote in
message news:5F3B07CB-AA06-4F8C-8590-5FF79A70A7B8@microsoft.com...[vbcol=seagreen]
> Thanks for that, Jeff - unfortunately we run a very tightly controlled
> network, which makes it v difficult to get diagnostic software loaded.
> Does
> anyone have any ideas about the higher level files/folders which could be
> causing these probs? As far as I understand, an ASP in IIS calls some
> DLLs,
> etc in system folders. Would this user group have to have permissions on
> these also?
>
> Thanfs, Brian
>
> "Jeff Cochran" wrote:
>

Brian J Spencer UK

2005-01-18, 7:51 am

Randy - thanks for that.... I've now discovered that the problem lies
specifically if the ASP is trying to connect to a database through ODBC.
Standard ASPs execute OK under Integrated Authentication with a specific
group having permissions, but an attempt to run and ODBC ASP produces the
Error: Access Denied error. Does anyone have any ideas which folder(s)
file(s) need the appropriate group permissions to cure this?

Thanks!
Brian Spencer

"Randy [adsi4nt]" wrote:

> Brian,
>
> Ensure that the new group you created has "Log On Locally" rights.
>
> HTH
>
> Randy
> www.adsi4nt.com
>
> "Brian J Spencer UK" <BrianJSpencerUK@discussions.microsoft.com> wrote in
> message news:5F3B07CB-AA06-4F8C-8590-5FF79A70A7B8@microsoft.com...
>
>
>