
A very weird issue that I never encountered with Windows Server 2003: when configuring basic authentication to restrict access to specific directories in IIS7 I've done the following:

  1. Enabled basic authentication and disabled anonymous authentication for specific directories within IIS7
  2. Created three Active Directory groups: site.com Staff, site.com Members, site.com Something.
  3. Created multiple accounts and added to applicable group.
  4. Given Read & Execute NTFS permissions to a specific domain group (or groups) for three areas of an IIS7 site

However, any domain account from any of the three groups can access any of the other three areas of the site once logged in. The only way to truly lock down a directory is not only providing read rights to the applicable group, but denying access to the groups that should not have access. This does not make sense apart from the fact that of course, a member of the Domain Users group is a part of the Local Users group, and you cannot deny access to either for the directories in question.

What obvious thing am I missing?

Update: Embarrassed to say that this was a pretty obvious one and has nothing to do with Win2003 vs. Win2008.

For all applicable directories/files:

  1. Enable Basic Authentication in IIS, and remove anonymous.
  2. Remove inheriting permissions (with copy to make things easy)
  3. Remove local Users group access
  4. Grant the applicable domain groups read access
  5. Add Network Service read access (this is specific for IIS7 because of the integrated pipeline)

As you can see, the only Win2003 vs. Win2008 issue is granting Network Service access to the resource in question.

  • I think you answered your own question, if Domain Users have rights and the users are part of Domain Users then mystery solved. You can remove Domain Users if it's not needed. Commented Nov 25, 2009 at 0:28
  • Unfortunately you cannot remove the Domain Users access. This is part of a domain and you can't remove the Users or Domain Users access. "You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission..." Commented Nov 25, 2009 at 18:57
  • @ovalsquare: when you remove permissions inheritance you can remove any and all entities from the permissions of the object, regardless of whether it's a domain or not. Also, an explicit Allow permission will override an inherited Deny permission. technet.microsoft.com/en-us/library/cc736316(WS.10).aspx Commented Nov 25, 2009 at 19:14

1 Answer


Troubleshooting permissions problems can be a challenge but at the end of the day here's what I think:

The users are able to access the directories regardless of their membership in the groups you've created because the users are members of the local users group, which has access to the directories. For the most part, permissions are cumulative and the least restrictive permissions apply except in cases of explicitly defined permissions (Allow or Deny). In order to achieve your desired restrictions you have two choices:

  1. Do what you've already done and define an explicit Deny on the directories to the groups that you don't want to have access.

  2. Remove permissions inheritance from the directories, remove the local users group from the permissions on the directories and define an explicit Allow on the directories to the groups that you do want to have access.
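The steps in the question's "Update" and the answer's option 2 are the same procedure, so here is one scripted version of it as an added example (it is not code from the question or the answer). It assumes the WebAdministration module (on IIS 7.0 / Server 2008 RTM it is loaded as a snap-in instead, see the comment), and every path, site name and group name below is a placeholder. It runs elevated on the web server against a single restricted directory: Basic on and Anonymous off in IIS, inheritance broken with a copy of the inherited ACEs, BUILTIN\Users removed, then Read & Execute allowed for the domain group and for NETWORK SERVICE.

```powershell
# Added example, not from the question or the answer. Placeholders: $SiteName, $SubDir,
# $Dir and $AllowedGroup. Run in an elevated PowerShell on the IIS7 server.
Import-Module WebAdministration   # IIS 7.0 on Server 2008 RTM: Add-PSSnapin WebAdministration

$SiteName     = 'site.com'                                # placeholder IIS site name
$SubDir       = 'staff'                                   # placeholder virtual directory under the site
$Dir          = 'C:\inetpub\wwwroot\site.com\staff'       # placeholder NTFS path of that directory
$AllowedGroup = 'DOMAIN\site.com Staff'                   # placeholder domain group that may read it

# Step 1: Basic Authentication on, Anonymous off, scoped to this directory only.
# -Location writes a <location> element in applicationHost.config, which works even
# when these sections are locked against web.config overrides (the IIS7 default).
$authBase = '/system.webServer/security/authentication/'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$SubDir" `
    -Filter ($authBase + 'basicAuthentication') -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$SubDir" `
    -Filter ($authBase + 'anonymousAuthentication') -Name enabled -Value $false

# Step 2: stop inheriting permissions, copying the inherited ACEs so the directory
# is never left with an empty ACL part-way through.
$acl = Get-Acl -Path $Dir
$acl.SetAccessRuleProtection($true, $true)   # isolate = $true, preserve (copy) inherited = $true
Set-Acl -Path $Dir -AclObject $acl

# Step 3: remove the local Users group. Domain Users is nested in BUILTIN\Users, which
# is why every domain account could read every area. Match on the well-known SID so
# the removal does not depend on how the name is displayed.
$acl      = Get-Acl -Path $Dir
$sidType  = [System.Security.Principal.SecurityIdentifier]
$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$toRemove = @($acl.Access | Where-Object { $_.IdentityReference.Translate($sidType) -eq $usersSid })
foreach ($ace in $toRemove) {
    $null = $acl.RemoveAccessRule($ace)
}

# Steps 4 and 5: explicit Allow for Read & Execute to the domain group and, because
# IIS7's integrated pipeline runs as it, to NETWORK SERVICE. No Deny entries needed.
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($identity in @($AllowedGroup, 'NT AUTHORITY\NETWORK SERVICE')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Dir -AclObject $acl

# Check the result: only the intended principals should remain, all as Allow entries.
(Get-Acl -Path $Dir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

The closing listing is the check worth keeping: after the script, the ACL should show Allow entries for the domain group, NETWORK SERVICE and whatever administrative principals were copied from the parent, and no entry for BUILTIN\Users. If the listing still shows another broad principal copied from the parent, it would reopen the same hole and should be reviewed the same way. Repeat per directory with its own group; with per-directory Allow entries in place the cross-group Deny entries from the original configuration are no longer required.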

  • Number 2 did the trick with the addition of providing the local Network Service account applicable access (due to IIS7's integrated pipeline). Commented Nov 25, 2009 at 18:56
  • Glad you got it worked out. Commented Nov 25, 2009 at 19:11
