folder access lan and web

on 14.11.2007 00:58:02 by bxtrap01

for sbs 2003, so far default iis setup, eg, inetpub/wwwroot, default
permissions, security etc
looks like i have to do this differently
have a folder for images, right now directly under wwwroot, using for tags for pics, etc on web pages like ebay, and others, works fine
then i went to share it on the local lan so it would be easy to copy/paste files there
after enabling sharing on the network or sharing on the web, and trying to
access files via http, it became password protected for http access.
i would like it to be password protected for lan access only, actually so i
can map drive access to it and allow anon access via http
so not sure how to or best way to do it
bob

Re: folder access lan and web

on 14.11.2007 05:18:47 by David Wang

On Nov 13, 3:58 pm, "bbxrider" wrote:
> for sbs 2003, so far default iis setup, eg, inetpub/wwwroot, default
> permissions, security etc
> looks like i have to do this differently
> have a folder for images, right now directly under wwwroot, using for tags for pics, etc on web pages like ebay, and others, works fine
> then i went to share it on the local lan so it would be easy to copy/paste files there
> after enabling sharing on the network or sharing on the web, and trying to
> access files via http, it became password protected for http access.
> i would like it to be password protected for lan access only, actually so i
> can map drive access to it and allow anon access via http
> so not sure how to or best way to do it
> bob


You probably accidentally enabled "sharing on the web", which is not
what you want. Get rid of that.

All you need to do from your default configuration is add a UNC File
Share to the wwwroot\images folder. I assume you allow SMB traffic on
Intranet and not Internet.

In this configuration, HTTP can get to everything externally that you
expose via IIS. You can use SMB to access the UNC file share
internally to do what you want.

For certain, whatever you enabled is NOT the right thing and should be
reverted.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: folder access lan and web

on 15.11.2007 02:53:24 by bxtrap01

thanks for the reply
if you can bear with me, i would just like to clear up the terminology
when you say 'add UNC file share' that means simply allowing sharing for
that folder, (vs not sharing) and i can further tweak that by
user permissions, eg, i could say create a user account that has
read+write+delete permissions only, without full control, execute, etc
so that when mapping a drive to a pc on the lan and there is the prompt for
username password, by establishing the map with user
account with limited access from above that 'map' has only those limited
permissions available to it?
yes???
and reading up on smb, it looks like smb is enabled on ethernet by 'client
for ms networks' and 'file and printer sharing for ms networks'
and i never thought much about those since they always seem to be there, so
yes smb is on the lan.
it seems odd that smb would be allowed via internet, i'm not sure what that
would be about, it sounds dangerous and
it sounds somewhat like vpn's i set up to allow remote access to lans as
needed for certain apps
bob

Re: folder access lan and web

on 15.11.2007 03:38:00 by David Wang

I don't use the UI to do these things so I really don't know what you
are describing.

It sounds like you have the right idea, though there are many details
which can affect whether you succeed or not and whether it is secure.
But, that is always the case -- user configuration completely affects
functionality and security.

I can only say that you do NOT want to enable any sort of "Web"
Sharing (which I think you can find in the Explorer Properties page
under a tab) because that enables WebDAV, which is what causes the
password dialog for http access. You want to leave everything back to
the original configuration when files were readable with anonymous
access.

Instead, you want to enable "UNC Sharing" (which I think you can find
in the Explorer right-click Context menu prior to the Properties
page), which is where you can configure UNC shares which map to your
physical folder.

If you have NTFS, there are now TWO sets of ACLs that you can
configure. One set exists on the UNC share itself. The other set
exists on the files exposed by the UNC share. Your EFFECTIVE access of
this network share is the restrictive AND of both those ACLs.

In other words, if you set UNC share to only allow User1 Read access
and the NTFS ACLs on files shared via UNC only allow User2 Read
access, you will find access denied when you try to access this UNC
share as either User1 or User2 -- because while User1 can access the
UNC share, it has no rights to access the files that are shared, while
User2 can't even access the UNC share even though it can read the
files in it.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
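
The two-ACL rule described in the post above, as an added example that is not part of the original thread: a simplified Python model in which SMB access is the intersection of the share ACL and the NTFS ACL, while anonymous HTTP access through IIS is a local file read and is checked against the NTFS ACL only. The account names `IUSR_SERVER` and `LanUpload` and the ACL contents are hypothetical, and the model ignores ACE ordering and inheritance.

```python
# Simplified model of Windows access checks for a folder that is both an
# IIS content directory and an SMB share. Constructed example: account
# names, rights and ACL contents below are illustrative, not from a real host.

READ, WRITE, DELETE = "read", "write", "delete"

def granted(acl, principals):
    """Rights an ACL grants to a set of principals (user plus groups).
    acl is a list of (kind, principal, rights); deny entries override allow."""
    allow, deny = set(), set()
    for kind, who, rights in acl:
        if who in principals:
            (allow if kind == "allow" else deny).update(rights)
    return allow - deny

def smb_access(share_acl, ntfs_acl, principals):
    """Over SMB both ACLs are checked: effective rights are the intersection."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)

def http_access(ntfs_acl, principals):
    """IIS reads the folder locally, so only the NTFS ACL applies."""
    return granted(ntfs_acl, principals)

# Case from the post: share allows only User1, files allow only User2.
share_a = [("allow", "User1", {READ})]
ntfs_a = [("allow", "User2", {READ})]

# Layout the thread is aiming for (hypothetical names): the anonymous web
# account may read files; a LAN upload account may read/write/delete via SMB.
share_b = [("allow", "LanUpload", {READ, WRITE, DELETE})]
ntfs_b = [
    ("allow", "IUSR_SERVER", {READ}),
    ("allow", "LanUpload", {READ, WRITE, DELETE}),
]

def report():
    return {
        "user1_smb": smb_access(share_a, ntfs_a, {"User1"}),
        "user2_smb": smb_access(share_a, ntfs_a, {"User2"}),
        "anon_http": http_access(ntfs_b, {"IUSR_SERVER"}),
        "anon_smb": smb_access(share_b, ntfs_b, {"IUSR_SERVER"}),
        "lan_smb": smb_access(share_b, ntfs_b, {"LanUpload"}),
    }

if __name__ == "__main__":
    for name, rights in report().items():
        print(f"{name:10} {sorted(rights) or 'access denied'}")
```

An empty set means access denied: both User1 and User2 are refused over SMB, while in the second layout the anonymous web account can read over HTTP but gets nothing through the share.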




Re: folder access lan and web

on 16.11.2007 20:27:53 by bxtrap01

thanks very much for your thorough and thoughtful reply, that helps a lot
just one last thing, if you're not using the UI i presume that means you can do
anything in UI from the command line and therefore scripts. all that is documented
somewhere?
thanks again
bob