March 2001

Web and FTP Permissions in IIS 5.0


Setting the right permissions for your environment

Author's note: This article is about IIS 5.0 permissions. Although much of the theory will carry over into an IIS 4.0 environment, minor differences will remain.

New administrators trying to set up their first IIS-based Web server or FTP server from scratch find life pretty easy. During Windows 2000 OS installation, you simply tell the wizard that you want WWW and FTP services. After rebooting, you're the proud owner of a shiny new Web or FTP server. But those anonymous servers don't cover every requirement of WWW and FTP services. Some sites require more security, such as usernames and passwords.

You can offer WWW and FTP services anonymously, or the services can require users to provide credentials before they grant access. You can use Secure Sockets Layer (SSL) to make sure users aren't sending those credentials in cleartext. Using one type of authentication in IIS 5.0, you can even require users to have a certificate to access your Web site. (Unfortunately, FTP doesn't have the ability to require a certificate.) In IIS 5.0 and IIS 4.0, the default user account that IIS uses is usually called IUSR_computername. IIS uses this account for anonymous connections to both the Web service and the FTP service. (In Win2K, Microsoft recommends that you use separate accounts for the FTP and WWW services.)

Two distinct types of permissions exist for the WWW and FTP services: IIS and NTFS. People frequently confuse these permissions, although each has unique characteristics. You use NTFS permissions to restrict group and individual user access to files. You use IIS permissions to limit access to the Web server. I compare IIS and NTFS permissions and show you how these permissions work together.

Grant or Deny: Deciding Who Has Access
IIS goes through a complete security-check process before it returns content to the requesting client. As the server receives requests from the client, the server considers these questions in sequential order:

  • Is the IP address permitted? (IP restrictions)
  • Does the request pass the appropriate authentication? (User authentication)
  • Does the Web server allow this type of access? (IIS permissions)
  • Do the NTFS permissions allow access to this file? (NTFS permissions)

Only if the answer to all these questions is yes does the Web server grant access to the resource the Web client is requesting. The server evaluates the IP address against the Web server's list of IP addresses that have been granted or denied access to that resource. You grant or deny access on the IP Address and Domain Name Restrictions dialog box, which Figure 1 shows.

If you've granted access, then the Web server passes an authentication request to the OS. (For more information about IIS 5.0 authentication types, see Brett Hill, "IIS 101: The Basics of IIS Authentication," http://www.iisadministrator.com, InstantDoc ID 15843.) If the authentication request passes, the OS considers the IIS permissions followed by the NTFS permissions.

Setting the Appropriate IIS Permissions
Administrators often overassign IIS permissions to directories that contain scripts and executable files. In the properties for any directory or virtual directory, you must choose one of three levels of Execute permissions, which affect application security. The three choices that appear in the Execute Permissions drop-down list, which Figure 2 shows, are

  • None—This directory has no executable files; therefore, the server won't run scripts or executable files in this directory.
  • Scripts only—If you set this directory to execute only scripts, only scripts such as .asp files can run on the server. The server can execute only those script types you define in the Web server's Application Mappings list, which you access by clicking Configuration on the Home Directory tab of the Web site's Properties dialog box.
  • Scripts and Executables—Other types of executable files can run on the server. Application types aren't limited to the Application Mappings list as they are in the Scripts only permission.

When you've assigned the appropriate IIS permissions for your Web server, you can move on to NTFS permissions and focus on limiting your users to the lowest necessary number of resources.

Limiting Web Server Permissions
Now that you've decided on authentication and IIS permissions, you can focus exclusively on NTFS permissions. If you're installing a new Web server for the first time, you can easily take away all the NTFS permissions to directories and selectively allow access. Going back after the fact and removing permissions from an existing production Web server is far more difficult. Be sure to test any potential changes in a test environment before applying the changes to a production Web server.

You have several choices of groups with which to assign NTFS permissions, and each group has unique characteristics. Let's briefly look at four choices—three built-in groups and one anonymous user account.

  • Everyone—The Everyone group represents everyone known to the Web server. This group includes anyone who presents credentials to the Web server or who could successfully log on to the Web server anonymously. Many new IIS servers use the Everyone group because it's the default group you use to assign permissions when you create the server.
  • IUSR_computername—If you're using Anonymous authentication, use the IUSR_computername account to assign permissions.
  • Interactive—If you're using Basic authentication, the Interactive built-in group represents all users who log on with Basic authentication, and also the IUSR_computername account (only if you disable the Allow IIS to control password feature).
  • Network User—If you're using Digest or Integrated Windows authentication, the Network User built-in group represents all users who log on with those authentication methods. This group also covers the Anonymous account (if you enable the Allow IIS to control password feature).
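The four-step check sequence above, the three Execute permission levels, and the mapping from authentication method to NTFS group can be tied together in one small model. The following is an added example written for this page, not IIS code or anything from the original article: it walks a constructed request through IP restrictions, authentication, the IIS Execute permission, and an NTFS ACL in that order and reports the first question that fails. The application mappings, the user store, the sample networks and the "IUSR_computername" principal name are all constructed placeholders.

```python
"""Walk a request through the four questions the article lists, in order.

Constructed model written for this page, not IIS code: a request is answered
only if IP restrictions, user authentication, the IIS Execute permission and
the NTFS ACL all say yes, and the first "no" is returned as the reason.
"""
import ipaddress
import os
from dataclasses import dataclass, field

EXECUTE_LEVELS = ("None", "Scripts only", "Scripts and Executables")

# Application Mappings list (Configuration button on the Home Directory tab);
# a constructed subset, a real server's list will differ.
SCRIPT_MAPPINGS = {".asp", ".asa", ".idc"}
RAW_EXECUTABLES = {".exe", ".dll", ".com"}


@dataclass
class IPRestrictions:
    """Figure 1 model: a default of Granted or Denied plus exception networks."""
    default_granted: bool = True
    exceptions: list = field(default_factory=list)

    def permits(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        for net in self.exceptions:
            if addr in ipaddress.ip_network(net, strict=False):
                return not self.default_granted  # an exception inverts the default
        return self.default_granted


def principals(auth_method: str, iis_controls_password: bool) -> set:
    """Groups the OS sees for the NTFS check, per the article's four choices.
    'IUSR_computername' is a placeholder for the real anonymous account."""
    if auth_method == "anonymous":
        logon_group = "Network" if iis_controls_password else "Interactive"
        return {"Everyone", "IUSR_computername", logon_group}
    if auth_method == "basic":
        return {"Everyone", "Interactive"}
    if auth_method in ("digest", "integrated"):
        return {"Everyone", "Network"}
    raise ValueError(f"unknown authentication method: {auth_method}")


def iis_permits(execute_level: str, filename: str, read: bool = True) -> bool:
    """Figure 2 model: what the directory's Execute level allows for this file."""
    ext = os.path.splitext(filename)[1].lower()
    level = EXECUTE_LEVELS.index(execute_level)
    if ext in SCRIPT_MAPPINGS:   # mapped script: needs "Scripts only" or higher
        return level >= 1
    if ext in RAW_EXECUTABLES:   # other executables: needs "Scripts and Executables"
        return level >= 2
    return read                  # static content: governed by Read, not Execute


@dataclass
class NtfsAcl:
    """Allow/deny rights keyed by principal; an explicit Deny always wins."""
    allow: dict = field(default_factory=dict)
    deny: dict = field(default_factory=dict)

    def permits(self, who: set, right: str) -> bool:
        if any(right in self.deny.get(p, ()) for p in who):
            return False
        return any(right in self.allow.get(p, ()) for p in who)


@dataclass
class Directory:
    ip_restrictions: IPRestrictions
    auth_methods: set            # methods enabled for this directory
    iis_controls_password: bool  # the "Allow IIS to control password" setting
    execute_level: str
    acl: NtfsAcl
    known_users: dict = field(default_factory=dict)  # constructed user store


def check_access(d: Directory, client_ip: str, auth_method: str,
                 credentials, filename: str) -> tuple:
    """Return (granted, reason) after asking the four questions in order."""
    if not d.ip_restrictions.permits(client_ip):
        return False, "IP restrictions"
    if auth_method not in d.auth_methods:
        return False, "User authentication"
    if auth_method != "anonymous":
        user, password = credentials
        if d.known_users.get(user) != password:
            return False, "User authentication"
    if not iis_permits(d.execute_level, filename):
        return False, "IIS permissions"
    ext = os.path.splitext(filename)[1].lower()
    right = "Execute" if ext in RAW_EXECUTABLES else "Read"
    if not d.acl.permits(principals(auth_method, d.iis_controls_password), right):
        return False, "NTFS permissions"
    return True, "granted"


# Constructed sample: anonymous and Basic allowed, scripts only, and NTFS Read
# granted to the anonymous account and to Interactive (Basic) users.
SAMPLE = Directory(
    ip_restrictions=IPRestrictions(default_granted=True, exceptions=["10.0.0.0/8"]),
    auth_methods={"anonymous", "basic"},
    iis_controls_password=False,
    execute_level="Scripts only",
    acl=NtfsAcl(allow={"IUSR_computername": {"Read"}, "Interactive": {"Read"}}),
    known_users={"alice": "s3cret"},
)

# Same directory, but NTFS Read is granted only to the Network group, so only
# logons that the OS treats as network logons reach the file.
NETWORK_ONLY = Directory(
    ip_restrictions=IPRestrictions(),
    auth_methods={"anonymous", "basic"},
    iis_controls_password=True,
    execute_level="Scripts only",
    acl=NtfsAcl(allow={"Network": {"Read"}}),
    known_users={"alice": "s3cret"},
)
```

Run `check_access(SAMPLE, "192.0.2.10", "anonymous", None, "default.asp")` to see a request pass all four questions, and change one input at a time to watch which question rejects it. The `NETWORK_ONLY` directory shows the caveat in the last two list items: with "Allow IIS to control password" enabled, an anonymous request is a Network logon and is granted, while a valid Basic logon is Interactive and stops at the NTFS step.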

If you use Microsoft FrontPage to manage your Web site, you can use an entirely different set of groups. Those groups are

  • FP Web Name\Admins
  • FP Web Name\Authors
  • FP Web Name\Browsers


Reader Comments
Could you do an article on how MS Office Server Extensions changes or removes the default anonymous user/author/admin accounts which are set up by default in IIS and what should be done to restore these accounts?

I installed these Office Server Extensions on our intranet server running IIS and wiped out IIS' previously set up default accounts. I had to reinstall the previous default accounts in IIS which had been removed.

If there is already an article about this, just let me know.

Tom Dadakis March 01, 2001


I can't get IIS 5.0 on Windows 2000 to allow a Perl script to write to a file even after setting the read, write, and script permissions for a particular folder. I got it to work using the same code on PWS 4 on a Windows 98 machine. I am logged on as administrator.

It's able to open the file and read it fine, so I know the path is OK.

What else can I check?

Alan Coler February 28, 2002


Windows IT Pro is a division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc. All rights reserved.