Intranet Security
on 22.08.2006 17:04:02 by PeterWCaton
Here is what I want to do with IIS on a Windows 2003 server. The server is a
part of our domain.
I have a basic Intranet troubleshooting website set up in IIS.
I want to limit access to a specific group of Active Directory users. In
other words, AD users 1, 2, 3 can access the intranet website, all other
users are denied.
How can I accomplish this?
I should also note that I am rather new to IIS, so the more detail you can
provide, the better.
Thanks.
Re: Intranet Security
on 22.08.2006 17:49:41 by Miha Pihler
Hi,
Well, this is usually quite simple. Remove Anonymous access on IIS for this
website or folder (if you haven't done so yet). Now what you need to do is
set up NTFS permissions on the folder where your files are stored so that only
users 1, 2 and 3 can access it (and e.g. administrators). If you remove everyone
else (e.g. Everyone group, Domain Users group, ...) from the permission list,
users will get prompted for username and password (if you select basic
authentication) before they are granted access to the files.
Note: if you select basic authentication in IIS and you don't set up SSL,
username and password are transferred in clear text from client to server.
--
Mike
Microsoft MVP - Windows Security
"Peter W. Caton" wrote in message
news:C02AA9BF-9E16-48FB-844C-7841E7D0A041@microsoft.com...
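The reply above boils down to two settings: anonymous access off in IIS, and an NTFS ACL on the content folder that names only the intended principals. The following PowerShell is an added example, not code from the thread or from Microsoft; the folder path, domain name and group name are placeholders you would replace with your own. It disables inheritance on the folder (so broad grants such as Users or Authenticated Users from the parent do not flow in), clears what is left, and adds exactly two entries: read for the intended AD group and full control for Administrators.

```powershell
# Added example (not from the thread): restrict an IIS content folder to one AD group
# plus the local Administrators group, as the reply above describes.
# All three values below are placeholders.
$ContentPath  = 'C:\inetpub\intranet'        # placeholder: the site's home directory
$AllowedGroup = 'CONTOSO\Intranet-Users'     # placeholder: AD group containing users 1, 2, 3
$AdminGroup   = 'BUILTIN\Administrators'

$acl = Get-Acl -Path $ContentPath

# Stop inheriting the parent's ACEs; $false means do not copy them onto this folder,
# which is what removes broad grants such as Users or Authenticated Users.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs that are left, so the folder starts from a clean DACL.
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}

# Apply the new entries to the folder and everything beneath it.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AllowedGroup, 'ReadAndExecute', $inherit, $prop, 'Allow')
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AdminGroup, 'FullControl', $inherit, $prop, 'Allow')

$acl.AddAccessRule($readRule)
$acl.AddAccessRule($adminRule)
Set-Acl -Path $ContentPath -AclObject $acl

# Print the resulting entries so you can confirm that only the two intended
# principals remain and that nothing is inherited.
(Get-Acl -Path $ContentPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The IIS side (disabling anonymous access and choosing Windows Integrated or Basic authentication) is still configured in IIS Manager as the reply says; this script only covers the NTFS part. Because the anonymous account is not in the ACL, leaving anonymous access enabled would simply produce an access-denied response rather than grant anyone entry, but turning it off is what makes IIS challenge the browser for credentials in the first place.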
RE: Intranet Security
on 22.08.2006 18:04:01 by PeterWCaton
Thanks for your reply.
For some reason, this does not work.
I have the website pointing to a network share on another server.
The network share only allows users 1, 2, 3.
If I log in as one of the users who should not have access to this share and
try to access the share, I am denied. So I know the permissions are working.
However, if I am logged in as a user who should not have access to the site
and type in the server's name in IE, I can access the webpage, no problem.
I have also tried moving the files to a folder on the IIS server. Same
thing happens.
I do have anonymous access disabled.
For authenticated access, I have tried every combination of access, Windows
Integrated, Digest Authentication, and one of two things happen. One, I am
prompted for a username and password. But no matter what username and
password I enter, I am denied access. Two, I can access the site using any
AD user.
Any other thoughts?
Re: Intranet Security
on 22.08.2006 18:44:03 by Miha Pihler
Can you post every object (user or group) that is assigned any permission on
the folder _and_ the share where the files are?
--
Mike
Microsoft MVP - Windows Security
"Peter W. Caton" wrote in message
news:52BBB31E-9FAA-46C9-A1EF-2A660034ABA5@microsoft.com...
RE: Intranet Security
on 22.08.2006 18:57:01 by PeterWCaton
The share that IIS is redirected to is set up as follows:
Permissions: Authenticated Users have Full, Change, Read
Security: Staff Users (group with staff accounts) have Read, Write
Domain Admins have Full Control
But when I log in as an AD user account that is not in either one of these
groups, I can still access the website.
Re: Intranet Security
on 22.08.2006 20:58:59 by Miha Pihler
Hi,
Your users are granted access via "Authenticated Users". Any user that has a
valid username and password is automatically an authenticated user, and your
current settings give him/her full access.
--
Mike
Microsoft MVP - Windows Security
"Peter W. Caton" wrote in message
news:14328C7F-A809-4387-8063-2DE017D9B51F@microsoft.com...
Re: Intranet Security
on 22.08.2006 23:03:02 by PeterWCaton
Just to clarify:
If I try to access the share via Windows when I am logged in under a
restricted user, I am denied.
But you're saying that because I have permissions set up as Authenticated
Users, IIS allows this restricted user to view the website?
Before writing to the newsgroup, I also tried the following:
Add the website files on the local IIS server. Set the permissions to only
allow Staff Users and Domain Admins.
When I log in as a restricted user, I can still access the website.
This just doesn't add up-
Re: Intranet Security
on 23.08.2006 00:13:38 by Miha Pihler
No, it doesn't, but IIS will always honor NTFS permissions. For anything else
I just don't have enough information.
Remove everything from the permissions except those users that need access and
e.g. the Administrators group. Don't use other groups unless necessary (e.g.
don't use Domain Users, Authenticated Users, ...).
You can also use the Effective Permissions tab on your files in your data folder
where you are setting NTFS permissions to figure out what kind of
permissions a user will have on the data.
How are the share permissions set up?
My suggestion would be to first make this work on the IIS server (move the data to
the IIS server). Once it works on the IIS server, start playing with access over
shares.
--
Mike
Microsoft MVP - Windows Security
"Peter W. Caton" wrote in message
news:4DD1833A-A405-41CD-86D3-52C39A17686C@microsoft.com...
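The advice above (list every principal on the folder, and treat Authenticated Users, Domain Users and similar groups as suspect) can be turned into a quick check. The script below is an added example, not from the thread or from Microsoft; the folder path is a placeholder. It walks the folder's NTFS ACL and reports any Allow entry for a principal that effectively covers every domain account, which is the class of entry that let the restricted user in on this thread.

```powershell
# Added example (not from the thread): flag NTFS Allow entries that grant access to
# every domain account rather than to the intended users. The path is a placeholder.
$ContentPath = 'C:\inetpub\intranet'   # placeholder: folder that IIS serves from

# Well-known principals that any logged-on or domain account belongs to.
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\NETWORK'
)
# Domain Users carries the domain as a prefix, so it is matched on the name part only.
$BroadNames = @('Domain Users')

function Test-BroadAccess {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id   = $ace.IdentityReference.Value
        $name = $id.Split('\')[-1]
        $isBroad = ($BroadPrincipals -contains $id) -or ($BroadNames -contains $name)

        # Only Allow entries widen access; a Deny for a broad group is not a finding.
        if ($isBroad -and $ace.AccessControlType -eq 'Allow') {
            $findings += [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$hits = Test-BroadAccess -Path $ContentPath
if ($hits) {
    'Broad Allow entries found (any domain account can reach the content through these):'
    $hits | Format-Table -AutoSize
} else {
    "No broad Allow entries on $ContentPath."
}
```

An entry reported with Inherited = True came from the parent folder, which is the usual reason a freshly created folder under C:\ already lets Users or Authenticated Users read it; disabling inheritance on the folder is what removes it. The share-level permissions the poster lists under "Permissions" are a separate ACL that this script does not read; on the file server they can be reviewed with the share's Permissions tab or with net share <sharename>, and the effective result is the more restrictive of the two.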