IIS 6.0 and passwording site


on 03.08.2006 20:34:02 by stebe

I have read every article I can find and it all looks easy, but my site just
doesn't lock down. I really need some help here. My goal is to allow only
certain users access to this web site. The problem is that every user in my
AD can go to this page even though they shouldn't have access. The password
page comes up, but they just have to put in their user ID. In the IIS
Manager, Default Web Site, Directory Security, Authentication and Access
Control, the only box that is checked is Basic Authentication (I have SSL on
this box), and the Default domain and Realm both have my Domain Name. On the
wwwroot, the rights are
web1\Administrators - Full Control
MyDomain\web1 Access Users - R & E, L, R
CREATOR OWNER - Special Permissions
SYSTEM - Full Control
web1\Users - R & E, L, R, Special Permissions

Thanks in advance.

Steve

Re: IIS 6.0 and passwording site

on 03.08.2006 21:10:15 by Anthony Yates

Use the NTFS permissions to control access for user groups just like for
shared files.
Anthony
"stebe" wrote in message
news:550041AA-11E7-4263-8FB5-29D2474AC4EF@microsoft.com...
>I have read every article I can find and it all looks easy, but my site
>just
> doesn't lock down. I really need some help here. My goal is to allow
> only
> certain users access to this web site. The problem is that every user in
> my
> AD can go to this page even though they shouldn't have access. The
> password
> page comes up, but they just have to put in their user ID. In the IIS
> Manager, Default Web Site, Directory Security, Authentication and Access
> Control, the only box that is checked is Basic Authentication (I have SSL
> on
> this box), and the Default domain and Realm both have my Domain Name. On
> the
> wwwroot, the rights are
> web1\Administrators - Full Control
> MyDomain\web1 Access Users - R & E, L, R
> CREATOR OWNER - Special Permissions
> SYSTEM - Full Control
> web1\Users - R & E, L, R, Special Permissions
>
> Thanks in advance.
>
> Steve

Re: IIS 6.0 and passwording site

on 04.08.2006 00:10:15 by jeff.nospam

On Thu, 3 Aug 2006 11:34:02 -0700, stebe
wrote:

>I have read every article I can find and it all looks easy, but my site just
>doesn't lock down. I really need some help here. My goal is to allow only
>certain users access to this web site. The problem is that every user in my
>AD can go to this page even though they shouldn't have access. The password
>page comes up, but they just have to put in their user ID. In the IIS
>Manager, Default Web Site, Directory Security, Authentication and Access
>Control, the only box that is checked is Basic Authentication (I have SSL on
>this box), and the Default domain and Realm both have my Domain Name. On the
>wwwroot, the rights are
>web1\Administrators - Full Control
>MyDomain\web1 Access Users - R & E, L, R
>CREATOR OWNER - Special Permissions
>SYSTEM - Full Control
>web1\Users - R & E, L, R, Special Permissions

Use Windows Integrated (not Basic) and check your group memberships.

Jeff

Re: IIS 6.0 and passwording site

on 04.08.2006 01:39:53 by Roger Abell

Remove the grant to web1\Users as this likely includes Authenticated Users
which in turn means any account in the forest that can authenticate
successfully.

"stebe" wrote in message
news:550041AA-11E7-4263-8FB5-29D2474AC4EF@microsoft.com...
>I have read every article I can find and it all looks easy, but my site
>just
> doesn't lock down. I really need some help here. My goal is to allow
> only
> certain users access to this web site. The problem is that every user in
> my
> AD can go to this page even though they shouldn't have access. The
> password
> page comes up, but they just have to put in their user ID. In the IIS
> Manager, Default Web Site, Directory Security, Authentication and Access
> Control, the only box that is checked is Basic Authentication (I have SSL
> on
> this box), and the Default domain and Realm both have my Domain Name. On
> the
> wwwroot, the rights are
> web1\Administrators - Full Control
> MyDomain\web1 Access Users - R & E, L, R
> CREATOR OWNER - Special Permissions
> SYSTEM - Full Control
> web1\Users - R & E, L, R, Special Permissions
>
> Thanks in advance.
>
> Steve
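The nesting Roger describes (a grant to the server's local Users group that silently reaches NT AUTHORITY\Authenticated Users, and with it every account in the forest) is easy to miss in the GUI because the ACL only shows the group name. The following PowerShell script is an added example, not code from this thread: it reads the web root's NTFS ACL, expands any local or BUILTIN group through ADSI, and reports every Allow entry that lands on Authenticated Users, Everyone or a Domain Users group. The web root path, the server name and the list of "broad" principals are assumptions; adjust them for your host.

```powershell
# Added example (not from the thread): find NTFS grants on a web root that
# reach every authenticated account, directly or through a nested local group.
# Assumes the path below (adjust it) and a local-admin session on the web server.
param(
    [string]$WebRoot    = 'C:\inetpub\wwwroot',   # assumed path
    [string]$ServerName = $env:COMPUTERNAME
)

# Identities that mean "anyone who can log on" (assumed list; extend as needed).
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

function Test-BroadPrincipal {
    param([string]$Name)
    if ($BroadPrincipals -contains $Name) { return $true }
    # Any domain's "Domain Users" group is effectively every domain account.
    return ($Name -like '*\Domain Users')
}

function Get-LocalGroupMemberNames {
    # Expands a local (SAM) group via the WinNT provider, which is available
    # on old and new servers alike without the LocalAccounts module.
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$ServerName/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # 'WinNT://NT AUTHORITY/Authenticated Users' -> 'NT AUTHORITY\Authenticated Users'
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Find-BroadGrants {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if (Test-BroadPrincipal $who) {
            $findings += "$who is granted '$($ace.FileSystemRights)' directly"
            continue
        }
        # BUILTIN\Users or WEB1\Users: look inside the local group for a broad member.
        foreach ($prefix in @('BUILTIN\', "$ServerName\")) {
            if ($who.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $groupName = $who.Substring($prefix.Length)
                foreach ($member in Get-LocalGroupMemberNames $groupName) {
                    if (Test-BroadPrincipal $member) {
                        $findings += "$who is granted '$($ace.FileSystemRights)' and contains $member"
                    }
                }
            }
        }
    }
    return $findings
}

$result = @(Find-BroadGrants -Path $WebRoot)
if ($result.Count -eq 0) {
    Write-Output "No broad grants found on $WebRoot"
} else {
    Write-Output "Grants on $WebRoot that reach every authenticated account:"
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

On a server in the state Steve describes, the output would name WEB1\Users as granted Read & Execute while containing NT AUTHORITY\Authenticated Users; removing that nested membership (or the grant itself) is the fix Steve later confirms. The script only reads ACLs and group membership, so it is safe to run against a production web root before touching anything.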

RE: IIS 6.0 and passwording site

on 04.08.2006 20:46:02 by stebe

If I remove CLEAR TEXT and add AUTHENTICATED USERS, it has no effect. Any
user can get in. If I remove the Web1\Users completely from the security, it
still allows the user to pass to the web site, the login program just doesn't
run.


"stebe" wrote:

> I have read every article I can find and it all looks easy, but my site just
> doesn't lock down. I really need some help here. My goal is to allow only
> certain users access to this web site. The problem is that every user in my
> AD can go to this page even though they shouldn't have access. The password
> page comes up, but they just have to put in their user ID. In the IIS
> Manager, Default Web Site, Directory Security, Authentication and Access
> Control, the only box that is checked is Basic Authentication (I have SSL on
> this box), and the Default domain and Realm both have my Domain Name. On the
> wwwroot, the rights are
> web1\Administrators - Full Control
> MyDomain\web1 Access Users - R & E, L, R
> CREATOR OWNER - Special Permissions
> SYSTEM - Full Control
> web1\Users - R & E, L, R, Special Permissions
>
> Thanks in advance.
>
> Steve

Re: IIS 6.0 and passwording site

on 04.08.2006 23:00:34 by Eric Chaves

Steve,

I'm jumping into the middle of the thread without reading the previous posts,
so forgive me if I'm being redundant with something already said.
The problem seems to be that the NTFS permissions on the folder allow
any authenticated user to read it. Probably either the "WEB1\Users" or the
"MyDomain\Web 1 Access Users" group has "Authenticated Users" or
"Domain\Users" as a member.

My suggestion to you in order to properly set up the NTFS permissions
(use a test folder before applying this to the real folder :P):
1-Remove all NTFS permissions from the folder you want to restrict
access to, except for Administrators. You'll have to prevent the folder from
inheriting parent permissions.
2-In "Administrative Tools -> Local Security Policy", enable auditing
for object access failures. Don't enable success auditing for object access, to avoid
filling the event viewer with garbage. Remember to reload the policy to make
sure it's in effect.
3-On the restricted folder, add auditing permissions for Everyone (use
the Advanced button on the Folder Permissions form). Make sure you
propagate this to children.
4-Try to access the resources in the folder with some authorized
test user; you'll get a 403 Forbidden. Go to the Event Viewer and check the
logged events.
5-Add the required permissions (usually Read and Execute). You may use
the "Effective Permissions" tab under the "Advanced" button to check whether your user
will have the required permissions.

Also you may find these links very useful:

http://www.adopenstatic.com/faq/IISRequestProcessing.aspx
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx

Cheers,

Eric.

"stebe" wrote in message
news:2EE94BC5-3C51-44E9-8DD0-070EC8A379FF@microsoft.com...
> If I remove CLEAR TEXT and add AUTHENTICATED USERS, it has no affect. Any
> user can get in. If I remove the Web1\Users completely from the security,
> it
> still allows the user to pass to the web site, the login program just
> doesn't
> run.
>
>
> "stebe" wrote:
>
>> I have read every article I can find and it all looks easy, but my site
>> just
>> doesn't lock down. I really need some help here. My goal is to allow
>> only
>> certain users access to this web site. The problem is that every user in
>> my
>> AD can go to this page even though they shouldn't have access. The
>> password
>> page comes up, but they just have to put in their user ID. In the IIS
>> Manager, Default Web Site, Directory Security, Authentication and Access
>> Control, the only box that is checked is Basic Authentication (I have SSL
>> on
>> this box), and the Default domain and Realm both have my Domain Name. On
>> the
>> wwwroot, the rights are
>> web1\Administrators - Full Control
>> MyDomain\web1 Access Users - R & E, L, R
>> CREATOR OWNER - Special Permissions
>> SYSTEM - Full Control
>> web1\Users - R & E, L, R, Special Permissions
>>
>> Thanks in advance.
>>
>> Steve
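Eric's steps 2 to 4 (failure-only object-access auditing, a failure SACL for Everyone on the restricted folder, then reading the denials out of the Security log) can be scripted instead of clicked through. The PowerShell below is an added example, not code from Eric or from this thread. It assumes a current Windows Server (auditpol.exe and Get-WinEvent exist on 2008/Vista and later; the IIS 6 era used the Local Security Policy GUI Eric names), an elevated session, and the folder path given at the top; the event field positions follow the 4656 event template, and the account/object columns are an assumption you should verify against one event on your own host.

```powershell
# Added example (not from the thread): automate failure auditing on a
# restricted web folder and list the resulting NTFS denials.
# Assumes an elevated session on Windows Server 2008 or later, and the path
# below (adjust it).
param(
    [string]$Folder = 'C:\inetpub\wwwroot\restricted'   # assumed path
)

function Enable-FileSystemFailureAudit {
    # Step 2: failures only, so the Security log is not flooded with successes.
    & auditpol.exe /set /subcategory:"File System" /failure:enable | Out-Null
    & auditpol.exe /get /subcategory:"File System"
}

function Add-FailureAuditEntry {
    param([string]$Path)
    # Step 3: SACL entry "Everyone / any right / Failure", inherited by
    # subfolders (ContainerInherit) and files (ObjectInherit).
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)
    # -Audit is needed so Get-Acl reads (and Set-Acl writes) the SACL.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccessFailures {
    param([string]$Path, [int]$MaxEvents = 50)
    # Step 4: event 4656 is "a handle to an object was requested"; an Audit
    # Failure on the folder path is the NTFS denial behind IIS's error page.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
                 -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object {
            $_.KeywordsDisplayNames -contains 'Audit Failure' -and
            $_.Message -like "*$Path*"
        } |
        Select-Object -First $MaxEvents TimeCreated, Id,
            # Positions 1 and 6 are SubjectUserName and ObjectName in the
            # 4656 template (assumed; confirm against one event on your host).
            @{ Name = 'Account'; Expression = { $_.Properties[1].Value } },
            @{ Name = 'Object';  Expression = { $_.Properties[6].Value } }
}

Enable-FileSystemFailureAudit
Add-FailureAuditEntry -Path $Folder
Get-FolderAccessFailures -Path $Folder | Format-Table -AutoSize
```

Run it once, then browse to the restricted folder as a test user and run the last function again: each denied request shows up with the account name and the object it could not open, which tells you exactly which grant step 5 still needs. Because only failures are audited, the SACL adds no noise once the permissions are right.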

RE: IIS 6.0 and passwording site

on 07.08.2006 16:17:02 by stebe

FIXED! Thanks for all the awesome advice!!!!! What I found was that the
local WEB1\Users group included NT Authority\Authenticated Users. I removed
that group and now security works as advertised. Thanks again to all who
replied.

-Steve

"stebe" wrote:

> I have read every article I can find and it all looks easy, but my site just
> doesn't lock down. I really need some help here. My goal is to allow only
> certain users access to this web site. The problem is that every user in my
> AD can go to this page even though they shouldn't have access. The password
> page comes up, but they just have to put in their user ID. In the IIS
> Manager, Default Web Site, Directory Security, Authentication and Access
> Control, the only box that is checked is Basic Authentication (I have SSL on
> this box), and the Default domain and Realm both have my Domain Name. On the
> wwwroot, the rights are
> web1\Administrators - Full Control
> MyDomain\web1 Access Users - R & E, L, R
> CREATOR OWNER - Special Permissions
> SYSTEM - Full Control
> web1\Users - R & E, L, R, Special Permissions
>
> Thanks in advance.
>
> Steve