Website allows everyone in, no matter what
06-26-04 03:16 PM
Okay, I have created a web site that is open to the public, yet there are
pieces that need username/passwords to be able to get in, at least I
thought.

NTFS Permissions are set so that only members of a particular group can get
to this directory, IIS Admin has this directory set to not allow Anonymous
access, yet people can get in. Here's the scenario:

1. User is created in AD and put into a particular group (i.e. NO-Access).
2. User (member of NO-Access group) goes to part of my web site and it
comes up and prompts for a username/password.
3. If the user types in the username and password, they can get in. If
they click on cancel, then they get the 401.2 (unauthorized) error, which is
what I would expect.

I'm baffled. I've checked the effective permissions for this user and
according to NT, they do not have any rights to the directory or the file in
question, yet they can still get in. The error log shows error 200 0, which
means they got in with a valid username/password.

The environment is: Windows 2003 (fully patched), IIS6 and NTFS for the
drives.

HELP!!!

thanks,
Tom

Re: Website allows everyone in, no matter what
06-26-04 03:16 PM
What are the NTFS permissions for the file/folder in question?
Cheers
Ken

Re: Website allows everyone in, no matter what
06-26-04 03:16 PM
Administrator: Full Access
IUSR_Servername: Deny Full Access

RE: Website allows everyone in, no matter what
06-26-04 03:16 PM
It might be because you have anonymous access enabled. You can disable it
in the directory security tab while in the properties for the site. You
should see a check box that says something about allowing anonymous access.
I suggest right-clicking on the directories that you do not want users to
have access to, and then click on properties. Once there, I think you click
on the directory security tab, then uncheck the allow anonymous checkbox.
I don't have IIS here to double check, but that might initially solve your
issue.

Overall I think it might be better to not use Windows users for
authentication to the site. At least right now ;) I'd suggest creating a
database to store user information and code the site for user permissions.
I know this will take a lot of work, but I think that's the preferred
practice. Most people do not give out user logins to people that are
internet browsers. This might cause some interesting web site compromise if
the user hacks your site. If they hack your site, they will be able to get
at your system via a user login, which is bad. Microsoft already greatly
restricts the anonymous user from accessing the system. Users have more
abilities within the system.

I wouldn't be surprised that 5 years down the road (one more server OS
release by Microsoft) that they will be able to integrate AD to handle
access rights for different users on a web site.

This is mainly my opinion; if anyone knows or thinks otherwise, feel free
to speak up. I'm always ready to learn something new.

Re: Website allows everyone in, no matter what
06-26-04 03:16 PM
After digging around a bit, I actually found the problem. There is a known
issue when using ColdFusion MX and IIS with NTFS permissions set.
Basically, CF will bypass the NTFS permissions and allow ANY user to view
data even though you have specifically denied access to them at the NTFS
level and the IIS level.

It's a weird problem and hard to explain. Here's the link that explains the
problem:
http://www.macromedia.com/devnet/se.../mpsb03-02.html

Thanks everyone for the help.
Tom
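
One way to look for the symptom described in this thread in the IIS logs, as an added example that is not from any poster: it flags successful responses under a protected path for anonymous callers or for accounts outside the permitted set. The `/members/` path, the `EXAMPLE\...` accounts, the allow-list and the sample log lines are constructed assumptions; the column names are those of the IIS W3C extended log format.

```python
# Constructed sample log; the path and account names are hypothetical.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2004-06-26 15:01:10 GET /members/report.cfm - 192.0.2.10 401 2
2004-06-26 15:01:15 GET /members/report.cfm EXAMPLE\noaccess1 192.0.2.10 200 0
2004-06-26 15:02:00 GET /members/report.cfm EXAMPLE\alice 192.0.2.11 200 0
2004-06-26 15:02:30 GET /index.htm - 192.0.2.12 200 0
2004-06-26 15:03:00 GET /Members/list.cfm - 192.0.2.13 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, named by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def find_unexpected_access(text, protected_prefix, allowed_users):
    """Return 2xx requests under protected_prefix made anonymously or by an
    account outside allowed_users (the accounts NTFS is meant to admit)."""
    prefix = protected_prefix.lower()  # IIS URL paths are case-insensitive
    allowed = {u.lower() for u in allowed_users}
    findings = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "")
        if not stem.lower().startswith(prefix):
            continue
        if not row.get("sc-status", "").startswith("2"):
            continue  # a 401.x here is the expected denial
        user = row.get("cs-username", "-")
        if user == "-":
            reason = "anonymous"
        elif user.lower() not in allowed:
            reason = "account not permitted"
        else:
            continue
        findings.append((row.get("date"), row.get("time"), user, stem, reason))
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_access(SAMPLE_LOG, "/members/", {r"EXAMPLE\alice"}):
        print(*finding)
```

Any row it reports means the request was served even though the directory's access rules should have refused that caller, which is the behaviour this thread traces to the handler serving the file rather than to the NTFS ACL itself.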