IIS Web server permissions control access to virtual directories on the Web and apply to all users. To control access to specific data, start by configuring the IIS directory security features. To do this, open the Internet Information Services Management Console and enter the Properties dialogue box of the Web site or subfolder you wish to control. Once inside, find the Directory tab. It is the Directory tab that enables you to configure whether a user can browse the directory, view/change files and the access the files' source code. Within this dialogue box, you should also find a Directory Security tab. With this tab you can configure how your Web server authenticates a user's identity. It is important to note that, because you're dealing with IIS Web server permissions, the new settings will apply to all users regardless of their specific NT File System (NTFS) access rights.
That brings us to the next step, which is to configure the NTFS permissions for Web documents. NTFS permissions control access to the physical directories on the server and apply to specific user groups. You can use them to define which users can access what content and how they can use it by creating a discretionary access control list (DACL) for each file or directory. To create a DACL, select a particular Windows user account or group and specify the access permission for it. To change NTFS permissions for a directory or file, open My Computer, select the directory or file you wish to secure, and open its property sheet. Next, on the Security property sheet, choose the account you want to change and the types of access for the user or group. To grant access, select "Allow," and to deny access select "Deny." This will help you to better control access to your Web content, because IIS will first check that a user has the necessary Web permissions to access the requested resource before ensuring that they also have NTFS permissions. If a user does not have permission, they will receive a "403 Access Forbidden" message. If they have incorrect NTFS permissions, they will receive a "401 Access Denied" message.
If the content your clients and vendors will be accessing is particularly sensitive, consider installing a Web server certificate to enable your Web server's Secure Sockets Layer (SSL) features. This forces users to establish an encrypted link in order to connect to particular directories or files. As a final measure, you can also map client certificates to Windows user accounts on your Web server. This approach, while providing strong authentication and access control, is more complex to administer, but is worthwhile if your site needs to confirm the identity of users before granting access to restricted content.
About the author This was first published in May 2006
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This was first published in May 2006