IIS6.0 & Shared Folders
Hi all!
I have a little problem.
I have a web site with storage on a shared folder on a NAS.
The folder is shared to a domain user (Domain\IUSR_WEB).
The web site is configured to connect to the folder with (Domain\IURS_WEB).
The user is used for anonymous access too.
Everything works properly, but I have to lock some files or folders for only
specific users. So I have granted the permission to the domain users and, in the
IIS configuration, under the 'protection directory' tab, disabled 'anonymous
access' and left 'integrated Windows authentication'.
Every domain user can still access the files/folders... why??!!! (even
if the user doesn't have permission on them!)
Any clue will be appreciated!
Thanks in advance ;))
/crino

David Wang [Msft] 2005-01-29, 7:47 am
Please read this URL on how UNC shares work. You did not configure what you
think:
http://www.microsoft.com/technet/pr...s/remstorg.mspx
What you want is Pass-Thru authentication to restrict access based on the
authenticated user, but you configured something that allows any
authenticated user to access resources.
What you basically did was configure IIS to access any NAS resource when
requested via this website as Domain\IUSR_WEB. You then allowed only
Integrated authentication, meaning that only authenticated users can access
this website, and when they access NAS resources, these users do so as
Domain\IUSR_WEB (as you configured). Since you already gave read access to
Domain\IUSR_Web, that is why they have read access to it.
I suggest you configure Pass-Thru authentication so that the remote
authenticated user's identity is used on the NAS resource to determine
access. Clearly, if you want to restrict access to resources, you must lock
that file/folder for a particular user and do NOT include any other
identity.
As the URL will mention, Pass-Thru authentication requires delegation, which
does not work with Integrated authentication unless the machines are in a
domain and you use protocol transitioning to use Kerberos on the backend to
make delegation work.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"crino" <cseverini@aditusnet.it> wrote in message
news:VPPJd.456806$b5.21779376@news3.tin.it...
Hi all!
I have a little problem.
I have a web site with storage on a shared folder on a NAS.
The folder is shared to a domain user (Domain\IUSR_WEB).
The web site is configured to connect to the folder with (Domain\IURS_WEB).
The user is used for anonymous access too.
Everything works properly, but I have to lock some files or folders for only
specific users. So I have granted the permission to the domain users and, in the
IIS configuration, under the 'protection directory' tab, disabled 'anonymous
access' and left 'integrated Windows authentication'.
Every domain user can still access the files/folders... why??!!! (even
if the user doesn't have permission on them!)
Any clue will be appreciated!
Thanks in advance ;))
/crino
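
The behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of which identity the NAS sees under a fixed connect-as account versus pass-through, and which ACL restrictions the fixed account overrides. The share paths, the user names other than Domain\IUSR_WEB, and all function names are constructed for illustration.

```python
# Simplified model (added example): which identity the NAS sees for a request,
# and which NAS ACL entries a fixed connect-as account silently overrides.
# All names and data below are constructed for illustration.

FIXED = r"Domain\IUSR_WEB"

# NAS ACL: path -> set of accounts granted read (constructed sample).
NAS_ACL = {
    r"\\nas\web\public\index.htm": {FIXED, r"Domain\alice", r"Domain\bob"},
    r"\\nas\web\private\payroll.xls": {FIXED, r"Domain\alice"},
}


def nas_identity(connect_as, authenticated_user):
    """Identity presented to the NAS for one request.

    connect_as set  -> every request uses that account (the poster's setup).
    connect_as None -> pass-through: the authenticated user's own identity
                       (assumes delegation works, as the reply notes).
    """
    return connect_as if connect_as else authenticated_user


def can_read(acl, path, connect_as, authenticated_user):
    """True if the identity the NAS sees is granted read on the path."""
    return nas_identity(connect_as, authenticated_user) in acl.get(path, set())


def bypassed_restrictions(acl, connect_as, users):
    """(user, path) pairs where the ACL excludes the user, yet the request
    succeeds because the NAS only ever sees the connect-as account."""
    return sorted(
        (user, path)
        for path, allowed in acl.items()
        for user in users
        if user not in allowed and can_read(acl, path, connect_as, user)
    )
```

Running `bypassed_restrictions` over a real ACL export with the site's connect-as account shows every per-user restriction that is currently ineffective; with pass-through the list is empty, and the restricted paths should no longer list the shared account.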