IIS User Right

On the IIS (Windows Server 2003) I have a website wich allows anonymous
access and basic authenification. For one directory on this website I
disabled the anonymous access and in the directory security I refuse the
right to the IIS guest account. Now, like I wanted to be, a user has to sign
in, before reading the content of this directory. But every user with an
account in the domain can log in although only administrators, interactive,
network, network service has rights to access read the directory. What did I
wrong? I only want to give specific users the right to read this
web-directory. Many thanks for your help!

Re: IIS User Right

"Felix" wrote in message
news:2684419D-D173-495B-BB91-063F00B483A0@microsoft.com...
> On the IIS (Windows Server 2003) I have a website wich allows anonymous
> access and basic authenification. For one directory on this website I
> disabled the anonymous access and in the directory security I refuse the
> right to the IIS guest account. Now, like I wanted to be, a user has to
> sign
> in, before reading the content of this directory. But every user with an
> account in the domain can log in although only administrators,
> interactive,
> network, network service has rights to access read the directory. What did
> I
> wrong? I only want to give specific users the right to read this
> web-directory. Many thanks for your help!

What other NTFS permissions are assigned to the folder?

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers /iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Re: IIS User Right

Hi,

IIS will always honor the NTFS permissions. If you set permissions right
only users that you set up will have access to that folder (I guess your
users still inherit read permissions from somewhere)...

My suggestion would be to create new group and allow this group read access
(or some other permission if this group of users need it). Now remove all
other groups and users permissions from this folder (except maybe
Administrators if you want to allow them access to the files).

--
Mike
Microsoft MVP - Windows Security

"Felix" wrote in message
news:2684419D-D173-495B-BB91-063F00B483A0@microsoft.com...
> On the IIS (Windows Server 2003) I have a website wich allows anonymous
> access and basic authenification. For one directory on this website I
> disabled the anonymous access and in the directory security I refuse the
> right to the IIS guest account. Now, like I wanted to be, a user has to
> sign
> in, before reading the content of this directory. But every user with an
> account in the domain can log in although only administrators,
> interactive,
> network, network service has rights to access read the directory. What did
> I
> wrong? I only want to give specific users the right to read this
> web-directory. Many thanks for your help!

Re: IIS User Right

NTFS Permissions are set to administrators, IIS_WPG, interactive, Network,
Network Service AND System with full access and the IUSR_IIS1 all denied.

"Tom Kaminski [MVP]" wrote:

>
> What other NTFS permissions are assigned to the folder?
>
> --
> Tom Kaminski IIS MVP
> http://www.microsoft.com/windowsserver2003/community/centers /iis/
> http://mvp.support.microsoft.com/
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
>
>
>

Re: IIS User Right

The only NTFS Permissions are set to administrators, IIS_WPG, interactive,
Network, Network Service AND System with full access and the IUSR_IIS1 all
denied.

"Miha Pihler [MVP]" wrote:

> Hi,
>
> IIS will always honor the NTFS permissions. If you set permissions right
> only users that you set up will have access to that folder (I guess your
> users still inherit read permissions from somewhere)...
>
> My suggestion would be to create new group and allow this group read access
> (or some other permission if this group of users need it). Now remove all
> other groups and users permissions from this folder (except maybe
> Administrators if you want to allow them access to the files).
>
> --
> Mike
> Microsoft MVP - Windows Security
>

Re: IIS User Right

Hi,

As suggested. Remove everything but Administrators and your new group that
will contain users that are allowed to have access to this site.

--
Mike
Microsoft MVP - Windows Security

"Felix" wrote in message
news:FB51428B-55DC-4FC1-A547-4FAE764CC7B4@microsoft.com...
> The only NTFS Permissions are set to administrators, IIS_WPG, interactive,
> Network, Network Service AND System with full access and the IUSR_IIS1 all
> denied.
>
> "Miha Pihler [MVP]" wrote:
>
>> Hi,
>>
>> IIS will always honor the NTFS permissions. If you set permissions right
>> only users that you set up will have access to that folder (I guess your
>> users still inherit read permissions from somewhere)...
>>
>> My suggestion would be to create new group and allow this group read
>> access
>> (or some other permission if this group of users need it). Now remove all
>> other groups and users permissions from this folder (except maybe
>> Administrators if you want to allow them access to the files).
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>

Re: IIS User Right

Hi,

Thanks for posting!

For the current issue, as Tom and Mike mentioned, the permission for the
IIS is depended on the NTFS permission settings for the current folder. I
suggest you remove the IIS_WPG and Network Service account and add the user
account which is allowed to access the current folder. So, the other users
can not access the current folder since they don't have permission.

Thanks for your understanding!

Regards,

Yuan Ren [MSFT]
Microsoft Online Support

Re: IIS User Right

""Yuan Ren[MSFT]"" wrote in message
news:mPP$82FLGHA.768@TK2MSFTNGXA01.phx.gbl...
> Hi,
>
> Thanks for posting!
>
> For the current issue, as Tom and Mike mentioned, the permission for the
> IIS is depended on the NTFS permission settings for the current folder. I
> suggest you remove the IIS_WPG and Network Service account and add the
> user
> account which is allowed to access the current folder. So, the other users
> can not access the current folder since they don't have permission.

Additionally, I prefer to not even list IUSR when I want to deny anonymous
access.