IIS Server Security - IIS6 and host header value


Subject: IIS6 and host header value
Scott Dorsett

2005-01-21, 5:52 pm

I have a Windows Server 2003 Standard Edition on which I have two web sites.
The default web site and a second web (we'll call it testsite) using a host
header value. Both of these are running on a corporate intranet.
The problem is that I have removed anonymous access for testsite and am
using Integrated Windows Authentication, and set NTFS security so that only a
small group of users should be able to access testsite.
However, every user in the domain is able to access the site.
I'm wondering if I'm overlooking something obvious? Thanks in advance.

Eric Rodriguez

2005-01-22, 2:47 am

What's the value for the host header and what are the users typing to gain
access to the site? Where is the content for the site located? Is it the
same location that the Default Website points at? Does the IUSR account
still have read access to the content you are trying to restrict?

A good test might be to stop the default site, only leaving "testsite"
running, and see if the anonymous access is still allowed, or if your users
can get any response at all.

Another thing to check is if they are browsing directly to a v-dir or file
that DOES allow anonymous access.

HTH,

~Eric

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2005 Microsoft Corporation. All rights
reserved.
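A way to run Eric's checks in one pass, as an added example that is not part of the thread and not Microsoft's code: it walks every IIS 6 site and virtual directory and prints the host-header bindings, the authentication methods enabled in the metabase, the content path, and any NTFS Allow entries for the anonymous account or for broad groups that would let the whole domain in. It assumes the IIS 6 WMI provider (namespace root\MicrosoftIISv2, classes IIsWebServerSetting and IIsWebVirtualDirSetting) is installed and that the script runs as an administrator on the web server; the list of "broad" principals is a constructed heuristic, not an IIS setting.

```powershell
# Added diagnostic (not from the thread). Assumes the IIS 6 WMI provider.
$ns = 'root\MicrosoftIISv2'
$AUTH_ANON = 1; $AUTH_BASIC = 2; $AUTH_NTLM = 4   # AuthFlags bit values

function Get-AuthNames([int]$flags) {
    $names = @()
    if ($flags -band $AUTH_ANON)  { $names += 'Anonymous' }
    if ($flags -band $AUTH_BASIC) { $names += 'Basic' }
    if ($flags -band $AUTH_NTLM)  { $names += 'Integrated' }
    if ($names.Count -eq 0) { return 'none' }
    return ($names -join ',')
}

# Constructed list: principals whose presence in an ACL explains
# "every user in the domain can get in" even when anonymous is off.
$broad = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'IUSR_')

function Get-BroadAllowEntries([string]$path) {
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return '(path missing)' }
    $hits = Get-Acl -LiteralPath $path | Select-Object -ExpandProperty Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { $id = $_.IdentityReference.Value
                       @($broad | Where-Object { $id -like "*$_*" }).Count -gt 0 } |
        ForEach-Object { '{0}:{1}' -f $_.IdentityReference.Value, $_.FileSystemRights }
    if ($hits) { return ($hits -join '; ') } else { return 'none' }
}

foreach ($site in Get-WmiObject -Namespace $ns -Class IIsWebServerSetting) {
    # ServerBindings entries carry IP, Port and Hostname (the host header value)
    $bind = ($site.ServerBindings | ForEach-Object {
        '{0}:{1}:{2}' -f $_.IP, $_.Port, $_.Hostname }) -join ' '
    Write-Output ("Site {0} '{1}' bindings: {2}" -f $site.Name, $site.ServerComment, $bind)

    # Every vdir under this site, including its ROOT (metabase path W3SVC/<n>/ROOT/...)
    $vdirs = Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting |
        Where-Object { $_.Name -like ($site.Name + '/*') }
    foreach ($vd in $vdirs) {
        Write-Output ("  {0}" -f $vd.Name)
        Write-Output ("    auth={0}  anonUser={1}" -f (Get-AuthNames $vd.AuthFlags), $vd.AnonymousUserName)
        Write-Output ("    path={0}" -f $vd.Path)
        Write-Output ("    broad NTFS allow entries: {0}" -f (Get-BroadAllowEntries $vd.Path))
    }
}
```

A virtual directory that still shows "Anonymous" in its auth column, or a content path with an Allow entry for Everyone or Users, is the usual reason the NTFS restriction on the parent never gets a chance to apply.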

Scott Dorsett

2005-01-23, 2:48 am

The value for the host header site is testsite.
Users aren't having to enter anything to access the site. They are never
prompted to present credentials.

The content for the second web site is in a totally different directory
structure and is nowhere near the directory structure of the original web
site.

I stopped the default web site to see how it would impact testsite. It had
no impact on the site at all. All users across the domain can still access
the site.

I can even look at the effective permissions on a user and they show that the
particular user has no NTFS rights to the testsite structure, yet the user
can access the site without being prompted for credentials.

"Eric Rodriguez" wrote:

> What's the value for the host header and what are the users typing to gain
> access to the site? Where is the content for the site located? Is it the
> same location that the Default Website points at? Does the IUSR account
> still have read access to the content you are trying to restrict?
>
> A good test might be to stop the default site, only leaving "testsite"
> running, and see if the anonymous access is still allowed, or if your users
> can get any response at all.
>
> Another thing to check is if they are browsing directly to a v-dir or file
> that DOES allow anonymous access.
>
> HTH,
>
> ~Eric
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2005 Microsoft Corporation. All rights
> reserved.

Jeff Cochran

2005-01-23, 5:50 pm

On Sat, 22 Jan 2005 20:23:02 -0800, "Scott Dorsett"
<highway1@news.postalias> wrote:

>The value for the host header site is testsite.
>Users aren't having to enter anything to access the site. They are never
>prompted to present credentials.
>
>The content for the second web site is in a totally different directory
>structure and is no where near the directory structure of the original web
>site.
>
>I stopped the default web site to see how it would impact testsite. It had
>no impact on the site at all. All users across the domain can still access
>the site.
>
>I can even look at the effective permission on a user and they show that the
>particular user has no NTFS rights to the testsite structure, yet the user
>can access the site without being prompted for credentials.
Are users authenticating on the second site? To a Windows account?

Jeff


Scott Dorsett

2005-01-23, 5:50 pm

Yes, users are successfully authenticating on the second site. I'm able to
confirm this in the security logs.

"Jeff Cochran" wrote:

> On Sat, 22 Jan 2005 20:23:02 -0800, "Scott Dorsett"
> <highway1@news.postalias> wrote:
>
> Are users authenticating on the second site? To a Windows account?
>
> Jeff

Copyright 2003 - 2008 webservertalk.com