A very weird issue that I never encountered with Windows Server 2003: when configuring basic authentication to restrict access to specific directories in IIS7, I've done the following:

  1. Enabled basic authentication and disabled anonymous authentication for specific directories within IIS7
  2. Created three Active Directory groups: site.com Staff, site.com Members, site.com Something.
  3. Created multiple accounts and added them to the applicable group.
  4. Given Read & Execute NTFS permissions to the specific domain group(s) for three areas of an IIS7 site.

However, any domain account from any of the three groups can access any of the other three areas of the site once logged in. The only way to truly lock down a directory is not only granting read rights to the applicable group, but also denying access to the groups that should not have access. This does not make sense, apart from the fact that, of course, a member of the Domain Users group is part of the local Users group, and you cannot deny access to either for the directories in question.

What obvious thing am I missing?

Update: Embarrassed to say that this was a pretty obvious one and has nothing to do with Win2003 vs. Win2008.

For all applicable directories/files:

  1. Enable Basic Authentication in IIS, and remove anonymous authentication.
  2. Remove inherited permissions (copying them first to make things easy).
  3. Remove the local Users group's access.
  4. Grant the applicable domain groups read access.
  5. Add Network Service read access (this is specific to IIS7 because of the integrated pipeline).

As you can see, the only Win2003 vs. Win2008 issue is granting Network Service access to the resource in question.

Ted
  • I think you answered your own question, if Domain Users have rights and the users are part of Domain Users then mystery solved. You can remove Domain Users if it's not needed. – Ed Fries Nov 25 '09 at 00:28
  • Unfortunately you cannot remove the Domain Users access. This is part of a domain and you can't remove the Users or Domain Users access. "You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission..." – Ted Nov 25 '09 at 18:57
  • @ovalsquare: when you remove permissions inheritance you can remove any and all entities from the permissions of the object, regardless of whether it's a domain or not. Also, an explicit Allow permission will override an inherited Deny permission. http://technet.microsoft.com/en-us/library/cc736316(WS.10).aspx – joeqwerty Nov 25 '09 at 19:14

1 Answer

Troubleshooting permissions problems can be a challenge but at the end of the day here's what I think:

The users are able to access the directories regardless of their membership in the groups you've created because the users are members of the local Users group, which has access to the directories. For the most part, permissions are cumulative and the least restrictive permissions apply, except in cases of explicitly defined permissions (Allow or Deny). In order to achieve your desired restrictions you have two choices:

  1. Do what you've already done and define an explicit Deny on the directories to the groups that you don't want to have access.

  2. Remove permissions inheritance from the directories, remove the local Users group from the permissions on the directories, and define an explicit Allow on the directories to the groups that you do want to have access.

joeqwerty
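The procedure in the question's update (steps 1 to 5) and option 2 of the answer above describe the same fix: stop inheriting, drop the local Users entry, and grant explicit Allow entries instead of stacking Deny entries. The following PowerShell script is an added example, not code from the original post or either participant; it assumes a site named `Default Web Site`, a restricted application path `staff`, a directory `C:\inetpub\wwwroot\site.com\staff`, and a domain group `CONTOSO\site.com Staff`, all of which are placeholders. It uses the IIS `WebAdministration` module for the authentication settings and the .NET `FileSystemSecurity` API for the ACL, then lists the resulting entries so the result can be checked.

```powershell
# Added example: lock one IIS7 directory to a domain group using explicit
# Allow entries only (no Deny entries), following the five steps in the post.
# All names below are placeholders/assumptions; adjust them for your environment.
$SiteName   = 'Default Web Site'                    # assumed site name
$AppPath    = 'staff'                               # assumed restricted sub-path
$Dir        = 'C:\inetpub\wwwroot\site.com\staff'   # assumed NTFS directory
$DomainRead = @('CONTOSO\site.com Staff')           # assumed domain group(s)

# Step 1: Basic authentication on, anonymous off, scoped to the one location.
# Writing via -PSPath 'IIS:\' -Location stores the setting as a <location>
# element in applicationHost.config, which works even though the
# authentication sections are locked against web.config by default.
Import-Module WebAdministration
$loc = "$SiteName/$AppPath"
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
    -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# Step 2: break inheritance but copy the inherited entries so nothing is lost
# before we deliberately trim the list. Apply and re-read so the copied
# entries are now explicit (PurgeAccessRules only touches explicit entries).
$acl = Get-Acl -Path $Dir
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance(copy)
Set-Acl -Path $Dir -AclObject $acl
$acl = Get-Acl -Path $Dir

# Step 3: remove the local Users group. This is the entry that let every
# domain account (Domain Users is nested in BUILTIN\Users) read the directory.
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'BUILTIN\Users')

# Steps 4 and 5: explicit Allow Read & Execute for the intended domain
# group(s) and for NETWORK SERVICE (the IIS7 integrated-pipeline identity).
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($identity in ($DomainRead + 'NT AUTHORITY\NETWORK SERVICE')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Dir -AclObject $acl

# Check: the final ACL should contain no BUILTIN\Users entry and no Deny
# entries; every remaining entry is an explicit Allow you chose.
$final = (Get-Acl -Path $Dir).Access
$final | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
if ($final | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }) {
    Write-Warning "BUILTIN\Users still has access to $Dir"
}
if ($final | Where-Object { $_.AccessControlType -eq 'Deny' }) {
    Write-Warning "Deny entries present on $Dir; the explicit-Allow approach should not need them"
}
```

Run it in an elevated PowerShell session on the IIS host, once per restricted directory. Administrators and SYSTEM keep their copied entries after step 2, so operators are not locked out; only the broad local Users entry is removed. Because the result relies on Allow entries alone, a user who belongs to two of the groups keeps access to both areas, which is the cumulative behaviour the answer describes, without the Deny-trumps-Allow surprises the question ran into.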