IIS and user account permissions

sap

I run my own server with IIS on Windows 7 Pro, using authentication. This server has one user that is used to do everything. I can do RDP, FTP, and HTTPS all from this one user. I would like to give out a generic username/password that can be used by friends and family. Considering the power of my user, I would like to limit access so that the generic user can only access the HTTPS side of the server, no RDP or FTP. Has anyone done this on Windows? I am not really sure what I would need to do with the user account to disable everything but this, and I'm not really sure what to look for on Google.

I am guessing the best way to do this would be to create a new user and then change the local policy to prevent remote logons and changing folder permissions to read-only for that user. Does that sound about right?
 
What are you trying to accomplish? File sharing using WebDAV via HTTPS? Or are you running a website you only want a few to access? You can set up another FTP server and create your own user accounts using FileZilla FTP server, which is very simple to set up.
 
It's just an HTTPS site. No FTP as it's not secured (secured FTP cannot be done due to firewall issues).
 
If they're coming in from outside, couldn't you just block ports 80 and 21 on your router?
 
Do you have an SSL cert set up on the server? Setting up HTTPS communication is only a few extra steps beyond HTTP.

Edit: There's some contradictory details going on here -- Is this an actual website with webpages, or simply a defined website in IIS with "directory browsing" turned on?
 
The server is already set up; this is a question about securing a site, not setting one up. I'm not sure you guys understand the problem at all. I want to create a second user in Windows that only has access to the website. No RDP and no FTP. Blocking ports is not an option. Installing additional software is not an option. The content or structure of the website is not the issue.

Let me rephrase my original question: I want to create a website using IIS' basic authentication. When I create the user in Windows, I don't want that user to be able to access anything else on the server, even if they had physical access to it. What, within Windows, needs to be changed to give this user the strictest access rights possible - allowing them to only access this site and nothing else?
 
> Let me rephrase my original question: I want to create a website using IIS' basic authentication. When I create the user in Windows, I don't want that user to be able to access anything else on the server, even if they had physical access to it. What, within Windows, needs to be changed to give this user the strictest access rights possible - allowing them to only access this site and nothing else?

Given this, it actually seems quite the opposite -- I'm not sure you understand where the boundaries are in the different security models, and how far IIS's Basic Auth gets you OOB.

IIS Basic Auth controls "general" access to the site. It's configured in IIS, and only checked there. But what you're describing is a server-side web application. The web application itself specific into the pages and content, such as certain links/files/pages/whatever, that are only accessible for certain users/groups. This may be your own website (whose capabilities have yet to be disclosed), or perhaps some custom ASP.Net application.

If you're still confused, then try explaining what you want to achieve from the perspective of a use-case.
 
> I don't want that user to be able to access anything else on the server, even if they had physical access to it

Sounds to me like you should not be creating an account for this user in the first place. If access to the website is the only thing you want them to have, then they can access the website anonymously like everybody else.
 
> Sounds to me like you should not be creating an account for this user in the first place. If access to the website is the only thing you want them to have, then they can access the website anonymously like everybody else.

So now any person can log into the site. Great idea :confused:

> Given this, it actually seems quite the opposite -- I'm not sure you understand where the boundaries are in the different security models, and how far IIS's Basic Auth gets you OOB.

I think it's probably you who does not fully understand how basic authentication works. Here's a hint:

1) Create a user
2) Open gpedit.msc
3) Go to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
4) Add the new user's name to "Deny log on locally"
5) Try to log on locally with that user - didn't work, eh? Surprising...
6) Now log in to your website with that user from IIS - oh shit, it worked!?

Perhaps I've come to the wrong place. Never mind, I'll tinker with it on my own and figure it out.
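
The account restrictions discussed in this thread (a dedicated user, "Deny log on locally", no remote logons, read-only folder permissions), scripted as an added PowerShell example that is not part of the original posts. The account name `webguest` and the site path `C:\inetpub\wwwroot` are assumptions; run it from an elevated prompt.

```powershell
# Added example; assumptions: account 'webguest', site root C:\inetpub\wwwroot.
# Run elevated. Written for PowerShell 2.0 (Windows 7), so no New-LocalUser.
$User     = 'webguest'             # hypothetical account name
$SiteRoot = 'C:\inetpub\wwwroot'   # hypothetical site path
$Work     = Join-Path $env:TEMP 'deny-rights'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Create the account; '*' makes net.exe prompt for the password.
net user $User '*' /add /passwordchg:no
if ($LASTEXITCODE -ne 0) { throw "net user failed ($LASTEXITCODE)" }

# 2. Resolve the SID; security templates reference accounts as *SID.
$Account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $User)
$Sid = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the current user rights, add the SID to both deny rights, re-apply.
#    SeDenyInteractiveLogonRight       = "Deny log on locally"
#    SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services"
$Inf = Join-Path $Work 'rights.inf'
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$Lines = @(Get-Content $Inf)
foreach ($Right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $Hit = $Lines | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $Hit) {
        # The right has no members yet, so the export omits it: add a new line.
        $Lines = $Lines | ForEach-Object {
            $_
            if ($_ -eq '[Privilege Rights]') { "$Right = *$Sid" }
        }
    } elseif ($Hit -notmatch [regex]::Escape($Sid)) {
        # Keep the existing members and append this account.
        $Lines = $Lines | ForEach-Object {
            if ($_ -match "^$Right\s*=") { "$_,*$Sid" } else { $_ }
        }
    }
}
Set-Content -Path $Inf -Value $Lines -Encoding Unicode
secedit /configure /db (Join-Path $Work 'rights.sdb') /cfg $Inf /areas USER_RIGHTS

# 4. Read-only NTFS access to the site content, inherited by files and subfolders.
icacls $SiteRoot /grant "${User}:(OI)(CI)RX"

# 5. Verify: the SID should now be listed under both deny rights.
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
Get-Content $Inf | Select-String 'SeDeny(Remote)?InteractiveLogonRight'
```

Basic Authentication keeps working after this because the IIS 7 default `logonMethod` for `basicAuthentication` is `ClearText`, a network logon governed by "Access this computer from the network" rather than by the local or Remote Desktop logon rights.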
 
> Perhaps I've come to the wrong place. Never mind, I'll tinker with it on my own and figure it out.

Yeah, maybe that is the best solution since I don't think you realize how confusing your questions are to everyone else.
 
> I think it's probably you who does not fully understand how basic authentication works. Here's a hint:
>
> 1) Create a user
> 2) Open gpedit.msc
> 3) Go to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
> 4) Add the new user's name to "Deny log on locally"
> 5) Try to log on locally with that user - didn't work, eh? Surprising...
> 6) Now log in to your website with that user from IIS - oh shit, it worked!?
>
> Perhaps I've come to the wrong place. Never mind, I'll tinker with it on my own and figure it out.

LOL.... Of course that test didn't meet your expectations. That's an apples-to-oranges comparison.

You've definitely got some homework to do, but I'm not sure what to suggest first: authentication versus authorization, or local machine access versus network/UNC/folder/file access. What you still fail to realize is that all of this sits outside of what you're trying to accomplish -- Site/page level content restrictions and filtering.
 