IIS security: Configure Web server permissions for better access control


Michael Cobb
05.22.2006

As businesses expand their client and vendor base, it's wise to update user access controls to ensure that confidential corporate data within folders, files and Web documents remains under lock and key. Luckily, it is easy to create rules in Internet Information Server (IIS) to specify or restrict what information can be accessed. Let's look at how to configure IIS Web server permissions to provide proper and secure access controls that not only satisfy end users, but also ensure better data security.

IIS Web server permissions control access to virtual directories on the Web and apply to all users. To control access to specific data, start by configuring the IIS directory security features. To do this, open the Internet Information Services Management Console and enter the Properties dialogue box of the Web site or subfolder you wish to control. Once inside, find the Directory tab. It is the Directory tab that enables you to configure whether a user can browse the directory, view/change files and access the files' source code. Within this dialogue box, you should also find a Directory Security tab. With this tab you can configure how your Web server authenticates a user's identity. It is important to note that, because you're dealing with IIS Web server permissions, the new settings will apply to all users regardless of their specific NT File System (NTFS) access rights.

That brings us to the next step, which is to configure the NTFS permissions for Web documents. NTFS permissions control access to the physical directories on the server and apply to specific user groups. You can use them to define which users can access what content and how they can use it by creating a discretionary access control list (DACL) for each file or directory. To create a DACL, select a particular Windows user account or group and specify the access permission for it. To change NTFS permissions for a directory or file, open My Computer, select the directory or file you wish to secure, and open its property sheet. Next, on the Security property sheet, choose the account you want to change and the types of access for the user or group. To grant access, select "Allow," and to deny access select "Deny." This will help you to better control access to your Web content, because IIS will first check that a user has the necessary Web permissions to access the requested resource before ensuring that they also have NTFS permissions. If a user does not have permission, they will receive a "403 Access Forbidden" message. If they have incorrect NTFS permissions, they will receive a "401 Access Denied" message.
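Because IIS checks the Web permission first and the NTFS DACL second, the DACL is the backstop that decides what an anonymous visitor can actually do to the files on disk. The following PowerShell script is an added example, not the author's, that audits a content folder's DACL for "Allow" entries giving the anonymous Web account write-level rights and provides a function that resets that account to ReadAndExecute; the path C:\inetpub\wwwroot\clients and the IUSR_<machine> account name are assumptions to adjust for your server.

```powershell
# Added example (not from the article): audit the NTFS DACL of a Web content folder
# and flag entries that give the anonymous Web account more than read access.
# Assumed values: placeholder content path and the classic IUSR_<machine> account.
param(
    [string]$Path = 'C:\inetpub\wwwroot\clients',
    [string]$WebAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
)

# Rights that let a Web user alter content or its permissions rather than just read it.
$TooBroad = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Get-RiskyWebAces {
    param([string]$Path, [string]$WebAccount)
    # Broad built-in groups the anonymous account is normally a member of.
    $watched = @($WebAccount, 'Everyone', 'BUILTIN\Users')
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only "Allow" entries can widen access; "Deny" entries narrow it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($watched -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $TooBroad) -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-ReadOnlyWebAccess {
    # Replace the anonymous account's entries with ReadAndExecute on the folder and
    # everything beneath it, matching the "Read" Web permission for static content.
    param([string]$Path, [string]$WebAccount)
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$WebAccount)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $WebAccount, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$risky = Get-RiskyWebAces -Path $Path -WebAccount $WebAccount
if ($risky) {
    $risky | Format-Table -AutoSize
    Write-Warning "Anonymous Web users can modify content under $Path; review before tightening."
} else {
    Write-Output "No write-capable ACEs for $WebAccount under $Path."
}
```

Run the audit first; call Set-ReadOnlyWebAccess only once you have confirmed that no application under that folder legitimately needs the anonymous account to write (for example an upload or log directory, which should be separated out and given its own DACL).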

If the content your clients and vendors will be accessing is particularly sensitive, consider installing a Web server certificate to enable your Web server's Secure Sockets Layer (SSL) features. This forces users to establish an encrypted link in order to connect to particular directories or files. As a final measure, you can also map client certificates to Windows user accounts on your Web server. This approach, while providing strong authentication and access control, is more complex to administer, but is worthwhile if your site needs to confirm the identity of users before granting access to restricted content.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

This tip originally appeared on SearchSecurity.com.
