IIS File Security


JR4VB (Technical User), Jan 13, 2003, US
I have an ASP file on my web server that is locked down with Windows NTFS file security, which does not include the IUsr_Servername account. A user that should not have access to this page is still getting there. The ASP is being executed with the IUsr account....somehow.... though if I log onto the server with the IUsr account I get access denied when trying to access that same ASP file. So my question is: how does the IUsr account execute the ASP file if it does not have NTFS permissions to that file? If I go into IIS and turn off Anonymous access for that file, the user in question cannot get it. But I shouldn't have to do that, right? When the IIS server loads the page as the Anonymous access account, it still has to follow Windows file permissions, doesn't it?
Thanks

JR
 
By default in IIS the settings enabled are Allow anonymous access and Integrated Windows Authentication, and IUSR is defined as the IIS user when that site is accessed. If NTFS permissions are removed for IUSR on the file, then the user will be prompted for NT user credentials.

Do you have Integrated Windows Authentication enabled with IUSR as the website user?

-a6m1n0

Curiosity only kills cats.
 
Yes, Integrated Windows Authentication is enabled and Anonymous access was also enabled....but the security for the ASP file did not include the IUsr account. It was my understanding that IIS first tries with the Anonymous access account if enabled for that file, then tries the logged-on user. I've logged into the IIS server with both of these accounts and I get access denied when trying to open the ASP file with Notepad. But yet when I click the link on the website I get right in every time. And like I said, if I turn Anonymous access off for that ASP file, the user gets prompted for credentials.....but that should be happening anyway even with Anonymous access turned on, because the IUsr account is denied access.
 
Ok, I think it is possible that you are confusing the types of permissions although I could be mistaken -- so please do not take offense if this is an incorrect assumption.

When dealing with a default site created in IIS you have two sets of permissions available if you use Anonymous Access with IUSR and Integrated Windows Authentication is enabled:

IIS Permissions
NTFS Permissions

IIS permissions are typically controlled/configured using the IIS MMC, whereas NTFS permissions are controlled using the NT ACL (Access Control List), which is accessed by right-clicking a file, Properties, Security.

In IIS I always use the default permissions and use the NT ACL to exert more stringent control on the directories and files.

Depending on whether the user is local to the site, meaning the site is being accessed via localhost, the security context changes slightly, since the user at least had logon permissions in the first place to access localhost. So, to simplify things, let's assume all access to the ASP file is from a remote client, and for example we will use the URL
When the user executes this request in the browser (the HTTP client) at the URL and the above conditions are true (IIS has Anonymous Access and Integrated Auth enabled and the Anon user is IUSR), then IIS will use the ACL on the file requested and determine if IUSR has permission or not.

So, say you have the default settings in IIS, and you do not want the remote user to access the file, you would modify the ACL and remove IUSR -- this has nothing to do with changing permissions in IIS; only on the file that you wish to restrict access.

The exception to the rule is the default Users Group entry in the ACL that is by default set on new files and folders -- assuming you have not modified the original ACL on the file you want to restrict. This means that if a remote client logs in with NT credentials, and they are in the Users Group, they can access this script from the browser. If this is the case and you would like to restrict the access to the file from the Users Group you would remove the Users Group entry in the ACL on that directory and/or file.

Hope this helps.

-a6m1n0

Curiosity only kills cats.
 
First, thanks for your responses and added insight. I understand correctly how things are supposed to work, at least...what I am left with is what's really going on.
In my scenario below, UserA is the one that should not have access to load the ASP but still can get in. IUsr is the anonymous user account used by IIS. Windows 2000 Server, IIS 5.0; IUsr is an NT 4 domain account.

Fact1: UserA does not have Windows file security to the ASP file. I verified this by logging on to the server with UserA's account and got access denied when I tried to open the ASP.

Fact2: IUsr does not have Windows file security to the ASP file. I verified this by logging on to the server with IUsr's account and got access denied when I tried to open the ASP.

Fact3: Anonymous access is turned on for this ASP file...although this shouldn't matter, because both the Anonymous user and the remote user don't have Windows file permissions to the file.

Fact4: UserA can still execute the ASP, and it's loading via IIS's anonymous access account (IUsr).

Fact5: When Anonymous access is turned off for this ASP file UserA gets prompted for Credentials and access is denied. When I turn it back on, UserA again has access to load the ASP.

Fact6: I don't know how UserA can load the ASP when the only two accounts that could possibly be loading this page in IIS don't have access to the ASP.
 
What NTFS permissions are actually set on the ASP file?

-a6m1n0

Curiosity only kills cats.
 
1 domain group (which contains 4 unrelated users): Read only
3 specific domain users: Read only
System

Only those 4 entries, no local Admins or anything else.
 
If I change group membership on the IUsr account how long or when does it take effect?

I'm testing some things on a different IIS server, and if I add a group that the IUsr account used to be in to the file security on the ASP, it can execute under the Anonymous account.

So it seems like IIS is remembering a domain group that the IUsr account used to be a member of but is no longer. I verified this on the test server. When does a group change on the IUsr account take effect? Restarting the IIS service had no effect.

JR
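An added illustration of the two mechanisms discussed above (a6m1n0's point that the default Users-group ACE lets any authenticated domain user through, and JR's observation that the anonymous account keeps behaving as a member of a group it was removed from). This is not code from the thread or from anyone posting in it; it is a small Python model of the Windows DACL check. The security-relevant fact it demonstrates is that an access token's group SIDs are fixed when the token is built at logon, and IIS reuses the anonymous account's logon token across requests (the IIS 5 metabase exposes the reuse window as UserTokenTTL), so an ACL check against a token built before the group change still sees the old group. The account names, group names, ACL entries and the `AnonymousTokenCache` class are constructed for the example and hypothetical; the expiry step is a generic model of a fresh logon, not a claim about what did or did not clear the poster's particular server.

```python
# Added example (not from the original thread): model of the Windows DACL
# access check plus a stand-in for a web server's cached anonymous-user token.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Simplified access-mask bits (stand-ins for FILE_READ_DATA and friends).
FILE_READ = 0x1
FILE_WRITE = 0x2
FILE_EXECUTE = 0x4
FULL_CONTROL = FILE_READ | FILE_WRITE | FILE_EXECUTE


@dataclass(frozen=True)
class Ace:
    """One access control entry: allow or deny `mask` for `sid`."""
    allow: bool
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    """Access token: user SID plus the group SIDs present at logon time.
    Windows never refreshes this list; it is fixed when the token is built."""
    user: str
    groups: FrozenSet[str]


class Directory:
    """Stand-in for the domain: the *current* group membership of accounts."""

    def __init__(self, membership: Dict[str, FrozenSet[str]]):
        self._membership = dict(membership)

    def remove_from_group(self, account: str, group: str) -> None:
        self._membership[account] = self._membership[account] - {group}

    def logon(self, account: str) -> Token:
        # A fresh logon snapshots the account's groups as they are right now.
        return Token(account, frozenset(self._membership.get(account, ())))


def access_check(dacl: List[Ace], token: Token, desired: int) -> bool:
    """Windows-style DACL evaluation, walking ACEs in order:
    - an ACE whose SID is not in the token is skipped;
    - a matching deny ACE covering any still-ungranted desired bit fails;
    - a matching allow ACE grants its bits; success once all are granted.
    Anything never granted is implicitly denied (an empty DACL denies all)."""
    granted = 0
    principals = token.groups | {token.user}
    for ace in dacl:
        if ace.sid not in principals:
            continue
        if not ace.allow:
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


class AnonymousTokenCache:
    """Hypothetical model of a web server that logs the anonymous account on
    once and reuses that token until it discards it and logs on again."""

    def __init__(self, directory: Directory, anonymous_account: str):
        self._dir, self._account = directory, anonymous_account
        self._cached: Optional[Token] = None

    def token(self) -> Token:
        if self._cached is None:
            self._cached = self._dir.logon(self._account)
        return self._cached

    def expire(self) -> None:
        self._cached = None


# Constructed sample data; names are hypothetical, not from the thread.
IUSR = "DOMAIN\\IUSR_WEB01"
USER_A = "DOMAIN\\UserA"
WEB_READERS = "DOMAIN\\WebReaders"      # the group IUSR used to belong to
BUILTIN_USERS = "BUILTIN\\Users"
SYSTEM = "NT AUTHORITY\\SYSTEM"

# ACL shaped like the one described above: one domain group with Read, a few
# named users with Read, SYSTEM with Full Control; neither IUSR nor UserA listed.
LOCKED_DOWN_ASP = [Ace(True, WEB_READERS, FILE_READ), Ace(True, "DOMAIN\\Alice", FILE_READ),
                   Ace(True, "DOMAIN\\Bob", FILE_READ), Ace(True, SYSTEM, FULL_CONTROL)]

# A file whose default ACE for the Users group was never removed.
DEFAULT_ACL_ASP = [Ace(True, BUILTIN_USERS, FILE_READ), Ace(True, SYSTEM, FULL_CONTROL)]


def stale_token_scenario() -> Dict[str, bool]:
    """IUSR is removed from WebReaders, but the cached token still carries the
    group SID; only a newly built token reflects the change."""
    directory = Directory({IUSR: frozenset({WEB_READERS, BUILTIN_USERS}),
                           USER_A: frozenset({BUILTIN_USERS})})
    cache = AnonymousTokenCache(directory, IUSR)
    before = access_check(LOCKED_DOWN_ASP, cache.token(), FILE_READ)
    directory.remove_from_group(IUSR, WEB_READERS)
    cached_after = access_check(LOCKED_DOWN_ASP, cache.token(), FILE_READ)
    fresh_after = access_check(LOCKED_DOWN_ASP, directory.logon(IUSR), FILE_READ)
    cache.expire()  # server discards the token and logs IUSR on again
    expired_after = access_check(LOCKED_DOWN_ASP, cache.token(), FILE_READ)
    return {"anonymous_before_change": before, "anonymous_cached_after_change": cached_after,
            "fresh_logon_after_change": fresh_after, "anonymous_after_cache_expiry": expired_after}


def users_group_scenario() -> Dict[str, bool]:
    """UserA (authenticated, member of Users) passes on a file that still has
    the default Users ACE and fails once that ACE is removed."""
    token = Directory({USER_A: frozenset({BUILTIN_USERS})}).logon(USER_A)
    trimmed = [ace for ace in DEFAULT_ACL_ASP if ace.sid != BUILTIN_USERS]
    return {"with_users_ace": access_check(DEFAULT_ACL_ASP, token, FILE_READ),
            "without_users_ace": access_check(trimmed, token, FILE_READ)}


if __name__ == "__main__":
    for name, ok in {**stale_token_scenario(), **users_group_scenario()}.items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The practical checks this suggests: compare the group SIDs actually present in the process's token (what the ACL check sees) against the account's current directory membership, rather than trusting that a membership change has propagated; and audit files for the inherited Users ACE that a6m1n0 mentions, since Integrated Windows Authentication hands every domain user a token that contains it.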
 
I guess I could stand for a lecture from you on AD and DCs, as my only experience with Windows servers is with workgroup environments. In other words, apologies for the very long reply above -- your problem is outside the scope of my knowledge and experience.

Lesson learned...I should have asked more questions first. :$ I am certain someone will be along to help you out though.

Best Regards

-a6m1n0

Curiosity only kills cats.
 