IIS Web Permissions

  • Question

  • User-1095652500 posted
    I’ve hit a brick wall. I’m so very mad at Windows web server right now. I went online and tried to get support but they want to charge 245 dollars for a phone call. All I wanted to do was make one web site accessible by just ONE user plus the administrator. THIS IS IMPOSSIBLE. I don’t understand why they have to make it so complicated. Maybe they could have just put an option in IIS saying, restrict this website to ONE user, but they didn’t. So if you want to have one user you have a couple of options (not using AD):
    - Turn off anonymous access in the IIS 6.0 site, but then ANY person who is a user on the computer and authenticates can log in!
    - Use the web.config to Allow/Deny users, but then the only thing that gets denied is pages with the ASPX extension… it will still allow pages with e.g. *.tif, *.pdf!
    - Right click the website in IIS, click permissions, and DENY access to the site to the USERS group. But then guess what, the ASPNET Machine Account is a member of USERS (for whatever reason), so if you deny USERS you deny the ASPNET account and the site doesn’t work, you can’t even log in as an administrator!
    - Continue denying the USERS group to the website and make the ASPNET machine account a member of administrators; maybe this will allow us to deny the USERS group in the IIS website but still allow the ASPNET machine account access, but no, NOTHING.
    Help is appreciated. Now I'm just plain locked out, I can't even get access to the administration website, so I have to go to the colocated hosting building, pull my server out, take it home, and you know the rest.
    Thanks, Ryan
    Sunday, August 1, 2004 2:24 PM

All replies

  • User-599719271 posted
    All you need to do is apply NTFS permissions on the files and folders themselves so that only administrators, ASPNET and the single user account have permissions. Then set Basic or Integrated authentication to ON. Denying in IIS isn't required.
    Monday, August 2, 2004 3:09 AM
  • User-1095652500 posted
    So should I remove all the permissions on the site, then add administrators, the ASPNET account, and my single user account? And those will be the only three things? Where is the Basic or Integrated Authentication setting? Thank you, Ryan
    Monday, August 2, 2004 5:14 AM
  • User-823196590 posted
    You need to remove any unwanted users or groups and add the appropriate users and groups. You set Basic and Windows Integrated authentication from the IIS MMC: on the Directory Security tab, click the Edit button under Anonymous access and authentication control. It's all very well documented ...
    IIS 6 Documentation: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/gs_authentication.asp
    HOW TO: Configure IIS Web Site Authentication in Windows Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;324274
    Monday, August 2, 2004 8:32 AM
  • User-1095652500 posted
    When I do this I'm pretty sure that I'll have to stop the folder from inheriting permissions from the parent, right? Just turn it off, clear out the box, and add Administrators Group, ASPNET Machine Account User, and User X that I pick. Does that sound right? Thank you, Ryan
    Monday, August 2, 2004 8:49 PM
  • User989702501 posted
    Don't forget the SYSTEM account as well.
    Monday, August 2, 2004 10:47 PM
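
Added example, not part of the original thread: the permission change discussed in the replies above (stop inheriting, then allow only Administrators, SYSTEM, the ASPNET account and one user), written against the .NET `System.Security.AccessControl` API. The folder path, the account names and the Read & Execute right given to the two non-administrative accounts are assumptions.

```csharp
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not from the thread. Path and account names are placeholders.
public static class SiteAcl
{
    const InheritanceFlags Children =
        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

    public static void Restrict(string siteRoot, string aspnetAccount, string siteUser)
    {
        // Resolve every principal first: an unknown account name throws
        // IdentityNotMappedException here, before the ACL is touched.
        IdentityReference admins =
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        IdentityReference system =
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
        IdentityReference aspnet =
            new NTAccount(aspnetAccount).Translate(typeof(SecurityIdentifier));
        IdentityReference user =
            new NTAccount(siteUser).Translate(typeof(SecurityIdentifier));

        DirectoryInfo dir = new DirectoryInfo(siteRoot);
        DirectorySecurity acl = dir.GetAccessControl(AccessControlSections.Access);

        // Stop inheriting from the parent and discard the inherited entries.
        acl.SetAccessRuleProtection(true, false);

        // Remove explicit entries already on the folder (for example Users).
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            acl.RemoveAccessRuleSpecific(rule);

        // Allow entries only; no Deny entry is needed.
        Allow(acl, admins, FileSystemRights.FullControl);
        Allow(acl, system, FileSystemRights.FullControl);
        Allow(acl, aspnet, FileSystemRights.ReadAndExecute);  // assumption
        Allow(acl, user, FileSystemRights.ReadAndExecute);    // assumption

        dir.SetAccessControl(acl);
    }

    static void Allow(DirectorySecurity acl, IdentityReference who, FileSystemRights rights)
    {
        acl.AddAccessRule(new FileSystemAccessRule(
            who, rights, Children, PropagationFlags.None, AccessControlType.Allow));
    }
}
```

Files or subfolders that already carry their own explicit entries keep them; only the folder's ACL and what children inherit from it are replaced.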
  • User-1095652500 posted
    THANK YOU --- One more question. Let's say I had a website in IIS that must have anonymous access enabled. I have a folder of images that are for the site, but I can't have people being able to type e.g.: http://www.mysite.com/photography/images/filename.jpg So my guess would be that I need to deny somebody on the images folder, but ASP.NET is in the Users group, so I can't deny them. So do you think the right thing to do would be to clear the permissions, add Administrators Group, System, and ASPNET Machine Account? Would this allow the website to see the images i.e. AndAlso prevent users from getting to it from the address bar? Thanks, Ryan
    dem dat know, know dat day know, dem dat don't know, don't know dat day don't know.
    Tuesday, August 3, 2004 3:30 AM
  • User-823196590 posted
    That would not work. If you want to prevent direct URL access, place the images outside of your web root path and use a dynamic page to read the file and BinaryWrite it to the client.
    Tuesday, August 3, 2004 8:12 AM
  • User-1095652500 posted
    Do you have any links that would show the BinaryWrite code? I remember once putting a picture to the screen using Response.OutputStream, but the big problem with that was I couldn't get the picture to display where I wanted it to on the page. Ryan
    Tuesday, August 3, 2004 1:58 PM
  • User-823196590 posted
    Tuesday, August 3, 2004 3:58 PM
  • User-1095652500 posted
    Good stuff. Now, is there any way to Response.Write/BufferWrite to a specified area on the page? Whenever I use Response.Write it just puts it at the top of the page. Is there any way to possibly add it maybe to a placeholder? Or even better yet, somehow add it to a System.Web.UI.WebControls.Image object, then add that to the page dynamically? Thank you, Ryan
    Tuesday, August 3, 2004 4:05 PM
  • User-823196590 posted
    Sure - either include style positioning elements in your Response.Write or, if you're using the Image control, use the ImageUrl property. Create a page called image.aspx that does the Response.BinaryWrite, then on your "main" page with the Image control add some code-behind that says:
        image1.ImageUrl = "image.aspx"
    You could even pass some parameters so it works dynamically:
        image1.ImageUrl = "image.aspx?img=picture1"
    Wednesday, August 4, 2004 8:27 AM
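
Added example, not part of the original thread: a handler that does what the replies above describe, reading an image from a folder outside the web root and writing it to the response, with the `img` parameter restricted to a bare name so it cannot point outside that folder. The `ImageRoot` path, the extension table and the naming rule are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Added example, not from the thread. Serves image.aspx?img=picture1 style requests.
public class ImageHandler : IHttpHandler
{
    // Assumption: a folder outside the web root that the ASP.NET account can read.
    const string ImageRoot = @"D:\SiteData\images";

    static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg", "image/jpeg" }, { ".gif", "image/gif" }, { ".png", "image/png" }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // A per-user authorization check would go here if the images
        // are not meant for every visitor of the site.
        string path = Resolve(context.Request.QueryString["img"]);
        if (path == null)
        {
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = ContentTypes[Path.GetExtension(path)];
        context.Response.BinaryWrite(File.ReadAllBytes(path));
    }

    // Maps the img value to a file under ImageRoot, or returns null.
    public static string Resolve(string img)
    {
        if (string.IsNullOrEmpty(img)) return null;

        // Letters, digits, '_' and '-' only: no dots, slashes, colons or
        // drive letters, so the result always stays inside ImageRoot.
        foreach (char c in img)
            if (!char.IsLetterOrDigit(c) && c != '_' && c != '-') return null;

        // The extension comes from the server-side table, never from the request.
        foreach (string ext in ContentTypes.Keys)
        {
            string candidate = Path.Combine(ImageRoot, img + ext);
            if (File.Exists(candidate)) return candidate;
        }
        return null;
    }
}
```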
  • User-1095652500 posted
    Awesome. To make this secure though, I would probably be required to hexadecimal encode the querystring, right? Would I have to design my own encoding, or is there already a preset thing in ASP.NET that will code it for me? I don't understand, why can you apply permissions to everything; it gets so complicated, but you can't allow a folder to be in the application folder, available to the application, but not available to the public? (Read above question if this is confusing.) Thank you, Ryan
    Wednesday, August 4, 2004 2:04 PM