restricting access in IIS6 with NTFS
Hi,
I am trying to restrict a simple html web page (no written security around
it) to a subset of the domain users. In IIS, I have de-selected the Anonymous
User and selected Win Integrated.
For folder permissions where the html page is located, I have an Admin group
and a User group. The User group contains NT Authority/Authenticated Users
(S-1-5-11), NT Authority/Interactive (S-1-5-4) and a list of users that will
be allowed access.
When I try to have someone not in the list of specific users, they can bring
up the page. Is this b/c of the NT Authority/Authenticated Users (S-1-5-11),
NT Authority/Interactive (S-1-5-4)? Does this allow all users on the domain to
access the page? And if so, can I remove them?
Thanks,
GCF
David Wang [Msft] 2005-08-22, 5:59 pm
This really isn't an IIS question. It's a basic Windows ACL question.
If you want to restrict access to a resource to a certain subset, then you
should only have the ACLs for that subset on the resource.
In your case, it is "Authenticated Users" that is allowing additional users
access. Interactive relates to how a user logged onto the server; IIS does
not use interactive logon.
However, if a user that is NOT in that subset can log onto the server
machine itself, they will have access to the content. This is why physical
security is also important for a server...
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
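One way to audit and tighten the folder ACL discussed in this thread, as an added PowerShell example that is not part of the original posts: it reports Allow ACEs held by broad well-known SIDs and, with -Fix, removes them and grants read access to one group. The folder path, the CONTOSO\RestrictedPage group, the Get-BroadAllowRule helper and the -Fix switch are assumed placeholders; S-1-1-0 (Everyone) is added alongside the two SIDs named in the thread.

```powershell
# Added example, not from the thread. Run elevated on the web server.
param(
    [string]$Path         = 'D:\Sites\Restricted',     # assumed content folder
    [string]$AllowedGroup = 'CONTOSO\RestrictedPage',  # assumed group of permitted users
    [switch]$Fix                                       # assumed switch: report only unless set
)

# Well-known SIDs that cover far more than a hand-picked list of users.
$broad = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

# Return explicit and inherited Allow ACEs whose trustee is one of the broad SIDs.
# Asking for SIDs keeps the match independent of localized account names.
function Get-BroadAllowRule($Acl) {
    $Acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad.ContainsKey($_.IdentityReference.Value)
    }
}

$acl  = Get-Acl -Path $Path
$hits = @(Get-BroadAllowRule $acl)
foreach ($r in $hits) {
    '{0}: {1} (inherited={2})' -f $broad[$r.IdentityReference.Value], $r.FileSystemRights, $r.IsInherited
}

if ($Fix -and $hits.Count -gt 0) {
    # Inherited ACEs cannot be removed in place. Stop inheriting, keep a copy of the
    # inherited rules as explicit entries, write that back and re-read the result.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path

    foreach ($r in @(Get-BroadAllowRule $acl)) {
        [void]$acl.RemoveAccessRuleSpecific($r)
    }
    # Grant read access to the permitted subset only; other entries are left as they were.
    $grant = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AllowedGroup, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($grant)
    Set-Acl -Path $Path -AclObject $acl
}
```

The script inspects ACEs only. A broad principal that is a member of a group named on the ACL, as with the User group in the original post, has to be removed from that group's membership instead.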
Sorry if I posted in the wrong forum, but you answered my question and we
have solved the problem. Thanks!