0

I have a legacy web app hosted using PHP by IIS. Access to some of the directories of that app is restricted using the following configuration in web.config of the root directory. That makes the Windows username available as REMOTE_USER, so that the app can map that username into an individual database to check authorization. This works and MUST NOT be changed.

<location path="lsgprog/bibliothek/adm">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication    enabled="false" />
                <windowsAuthentication      enabled="true"  />
            </authentication>
        </security>
    </system.webServer>
</location>

Access to some other directories is restricted as well and as well using credentials provided by Windows. So those other directories have anonymousAuthentication disabled and windowsAuthentication enabled as well. The difference is 1. that those settings are made in the GUI of IIS and 2. that authorization is actually checked against the file system. This means that the directories simply have read access only for some special groups of users, those groups and users are maintained by some Active Directory and because the app uses Windows auth, things simply work. Users authenticate at their Windows, open Internet Explorer, request the restricted parts of the site, IIS gets the username, group membership etc., checks access to the restricted directories in the file system and grants or denies it.

All of that is configured manually using the GUI of IIS and I want to migrate that to web.config. Enabling Windows auth for some directories is already documented above, what I'm missing is how to allow/deny access to users and groups, which is the file system part. I've already found the element authorization, which pretty much looks like what I want, but whatever I try doesn't work.

<location path="lsgprog/vfristen">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication    enabled="false" />
                <windowsAuthentication      enabled="true"  />
            </authentication>
        </security>
    </system.webServer>

    <system.web>
        <authorization>
            <deny   users="*"
                    roles="*"
                    verbs="GET,HEAD,POST" />
        </authorization>
    </system.web>
</location>

My expectation was that the above is enough to DENY access to all users, but that doesn't work and any approach based on ALLOW doesn't as well. I hoped that users and roles could simply be mapped against the username and group names of the currently requesting user. What I don't want is form based authorization or converting directories to "apps" or anything that needs to be done outside of web.config.

So, is what I'm trying to do possible at all and if so, how? Thanks!

Thorsten Schöning
  • 3,501
  • 2
  • 25
  • 46
  • Is the part of the app that needs to be restricted in a separate folder? e.g. `/` that contains the pages that need to be restricted? – kshkarin Oct 14 '20 at 09:44
  • Yes, `lsgprog` is the root directory of the whole site, corresponding to `project` in your example. `vfristen` is the subdir I want to restrict access to, corresponding to `secrefolder` in your example. All files in that subdir should be treated the same. – Thorsten Schöning Oct 14 '20 at 14:02
  • Check the answer, there are 3 options on how to resolve this, hopefully one of those gets the job done. – kshkarin Oct 14 '20 at 14:36

2 Answers2

1

In this scenario there are multiple options, first - try and add a web.config file to the folder that needs to have its' own permissions e.g. under lsgprog/vfristen, the minimum web.config example which will deny all users access:

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

Why does it work - IIS looks at each folder structure for web.config files, in this case the child will overwrite the parent but only the nodes that are inside the child - meaning it will preserve all other settings from the parent (root) web.config: Make application and directory-specific configuration settings in an ASP.NET application

Although the documentation above is for ASP.NET it applies at the IIS level as well.

Second option to try - since the question mentioned the root of the project is lsgprog then this setting in web.config:

<location path="lsgprog/vfristen">

Should be changed to (remove the root folder of the project from the path):

<location path="vfristen">

Finally third option which could also work is overwriting it at the Machine.config level as mentioned in the above document: Use the location element in the Machine.config file

When the allowOverride attribute is false, the Web.config files in the web application directories can't override the settings that you specified in the element. This is a useful setting in environments where you must restrict application developers in how they configure a web application. The following example shows a part of a Machine.config file that requires authentication to access the MyApp application on the default Web site and that can't be overridden by settings in a Web.config file:

Machine.config

<configuration>
    <location path="Default Web Site/MyApp" allowOverride="false">
        <system.web>
            <authorization>
                <allow users="?" />
            </authorization>
        </system.web>
    </location>
</configuration>
kshkarin
  • 574
  • 4
  • 9
  • Seems I was explaining my path wrongly, maybe the following is better: `C:\inetpub\wwwroot\lsgprog\vfristen` The last part is to which access needs to be restricted. Besides that, `Machine.config` is not an option, I want to store everything within the site only. And finally your example loks pretty much like what I'm doing already and doesn't work even when having a distinct `web.config` in `vfristen`. – Thorsten Schöning Oct 14 '20 at 15:41
  • I've just tried this with the default website in IIS 8 on a Windows Server 2012 machine, adding a `Test` folder with a new `web.config` inside setting `` and it's working as expected - what IIS version is your server running? What `Application Pool` is the app running under? Is the `Application Pool` set as `No Managed Code` under the `.NET Framework version` setting? – kshkarin Oct 14 '20 at 16:49
  • In the folder `web.config` try to set the deny setting to include roles as well since you're using role based authentication, e.g. `` – kshkarin Oct 14 '20 at 16:52
  • The other answer is what works: https://stackoverflow.com/a/64348499/2055163 I just needed to install IIS URL modules under Windows features, that was missing in my case. After doing so, the XML configs of the other answer work. Using `allow` or `deny` like in your and my former example leads to an error message in the IIS GUI when looking at auth policies. So I'm going to stick with the other answer, which is logically the same, only different syntax. Maybe you could add your installed IIS features to your answer for reference and to compare? Thanks for testing anyway! – Thorsten Schöning Oct 14 '20 at 16:56
  • that server doesn't have `URL Authorization` feature enabled, but the default website is running under an `Application Pool` that's configured as `.NET Framework Version 4` so what are the settings for your application? What version of IIS? Is the `Application Pool` set as `No Managed Code` under the .NET Framework version setting? – kshkarin Oct 14 '20 at 17:16
0

You could try to add the below code in your site web.config file:

    <location path="foldername">
        <system.webServer>
            <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" />
                </authentication>
            </security>
        </system.webServer>
    </location>
<location path="foldername/page1.php">
        <system.webServer>
            <security>
                <authorization>
                    <remove users="*" roles="" verbs="" />
                    <add accessType="Allow" roles="DOMAIN\ADGROUP" />
                    <add accessType="Deny" users="*" />
                </authorization>
            </security>
        </system.webServer>
    </location>

Edit: need to install the URL Authorization in iis to make this rule work.

https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization

Jalpa Panchal
  • 8,251
  • 1
  • 11
  • 26
  • 1
    Doesn't work and would be good to have an explanation about what the `authorization` actually is, why it uses different child nodes than I have already, even though if they are not documented etc. Are there any additional modules or system requirements one needs to load/configure/...? – Thorsten Schöning Oct 14 '20 at 16:10
  • 1
    This DOES work and I know what I was missing now: It's about IIS URL authorization vs. APS.NET URL authorization. The former is what I need and needs to be installed additionally: https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization Would be good to have those kinds of details in your answer. – Thorsten Schöning Oct 14 '20 at 16:44
  • For some reason a user like `TSCHOENING-NB\tschoening` works, but all roles I test fail: `TSCHOENING-NB\Benutzer`, `TSCHOENING-NB\Users`, `TSCHOENING-NB\Jeder`, `TSCHOENING-NB\Everyone` etc. Shouldn't this work with non-AD groups as well? – Thorsten Schöning Oct 14 '20 at 16:59
  • @ThorstenSchöning i will add this detail. – Jalpa Panchal Oct 15 '20 at 09:18
  • @ThorstenSchöning make sure you are passing the right credentials in the role.you can check which role and users are available on your machine by opening the lusrmgr.msc – Jalpa Panchal Oct 15 '20 at 09:25
  • I did check there and used groups from there in domain syntax. Domain syntax is necessary always, even without AD in use, correct? I have an German localized Windows, which group names need to be configured then, German ones like `Benutzer` or the English `Users`? – Thorsten Schöning Oct 15 '20 at 13:30