
I would like to host a password protected static website on a server, and meet the following 2 requirements:

  1. The static website credentials MUST NOT give any additional access to the hosting server.
  2. The hosting must play nicely with other IIS-hosted websites.

The hosting server is running Windows 10 Pro.

I've identified 4 options:

  1. Host it in IIS with Basic Authentication enabled
  2. Host it in Apache, separate port, secure with .htpasswd file
  3. Host it in Apache in a VM, use a bridged network, secure with .htpasswd file
  4. Develop a middleware/route request authentication application

Option 1:

Evidently, this option requires a whole new User on the computer.

I do not understand the limitations of a new user's access.

When I hit WindowsKey + R, and run netplwiz, I can configure the user to belong to one of these groups:

  • Users (default): Users are prevented from making accidental or intentional system-wide changes and can run most applications.
  • Guest: Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted as described earlier.
  • IIS_IUSR: Built-in group used by Internet Information Services.

I cannot find the following information in any Microsoft docs:

  • How IIS_IUSR is "used" by IIS
  • If any of these groups restrict all access, other than viewing the Basic Auth website
  • An exhaustive list of permissions granted by the user login credentials, and each group

This method seems confusing and annoying at best, and a complete security failure at worst.

Option 2:

This seems more secure to me, because I can understand the limitations of the user access better.

Option 3:

This seems even more secure, because the hosting server is not directly accessed. I do not know if this creates other security vulnerabilities though.

Option 4:

This one seems the most secure, because I have full understanding and control over the website's access. This could take a lot of work though.

Matthew Beck
  • Please open a support case via http://support.microsoft.com and learn from Microsoft support or hire some guy to help you out face to face. It would be lengthy to teach you Windows security, and your exploration on option 1 is on the wrong track (like Basic authentication should be avoided, and those users/user groups should not be used in the way you thought.) – Lex Li Nov 12 '19 at 23:27
  • simply use https://robinmoisson.github.io/staticrypt/ – Jay seen Nov 13 '19 at 10:07
  • Password protecting a static site is a simple issue for a developer, warranting a simple solution as Jaikey proposed. – Matthew Beck Nov 14 '19 at 00:04
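Option 4 from the question, as an added example (not code from the questioner or from any project mentioned on the page): a minimal Python handler that serves the static files only after validating HTTP Basic credentials against a salted PBKDF2 store, so the site password is unrelated to any Windows account (requirement 1). SITE_ROOT, the user name and the password are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from http.server import HTTPServer, SimpleHTTPRequestHandler

SITE_ROOT = "./site"      # hypothetical folder holding the static files
ITERATIONS = 200_000      # PBKDF2 work factor

def make_entry(password, salt=None):
    """Salted PBKDF2-SHA256 record; only this record is stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed credential store: "reader" is a site-only login with no Windows
# account behind it, so a leaked password unlocks nothing but these files.
USERS = {"reader": make_entry("correct horse battery staple")}
_DUMMY = make_entry("dummy")  # used for unknown users so timing does not reveal them

def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(header):
    """True only if the header carries a username/password present in USERS."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    salt, expected = USERS.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time compare; the membership test keeps the dummy record from logging in.
    return hmac.compare_digest(candidate, expected) and user in USERS

class ProtectedStaticHandler(SimpleHTTPRequestHandler):
    """Serves SITE_ROOT read-only; SimpleHTTPRequestHandler already strips '..' path parts."""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=SITE_ROOT, **kwargs)

    def do_GET(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="static site"')
            self.end_headers()
            return
        super().do_GET()

if __name__ == "__main__":
    # Basic auth only base64-encodes credentials, so put this behind TLS (e.g. an IIS reverse proxy).
    HTTPServer(("127.0.0.1", 8080), ProtectedStaticHandler).serve_forever()
```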

1 Answer

-1

An organization can adopt the following policy to protect itself against web server attacks.

  • Patch management: this involves installing patches to help secure the server. A patch is an update that fixes a bug in the software. The patches can be applied to the operating system and the web server system.
  • Secure installation and configuration of the operating system.
  • Secure installation and configuration of the web server software.
  • Vulnerability scanning system: these include tools such as Snort, NMap, Scanner Access Now Easy (SANE).
  • Firewalls can be used to stop simple DoS attacks by blocking all traffic coming from the identified source IP addresses of the attacker.
  • Antivirus software can be used to remove malicious software on the server.
  • Disabling remote administration.
  • Default accounts and unused accounts must be removed from the system.
  • Default ports & settings (like FTP at port 21) should be changed to custom port & settings (FTP port at 5069