IIS Security
Saw this great blog post about IIS Security written by Tobin from the IIS Team. It covers the following IIS security topics:
- Ghosts of IIS Security Past
- Improvements in IIS 6
- Improvements in IIS 7.x
It’s a must read for everyone working with IIS.
Read the blog post here.

Hi, I have one question there doesn’t seem to be much info on – I’m hoping you can help.
We have an IIS website using Integrated Windows Authentication which has to be accessible to everyone in the company – all working fine, but we noticed that with the current settings (share permissions: everyone full access — Security: authenticated users Read access), everybody can also access the Windows file share, and thus open the .asp, .config, etc. files, which sometimes contain passwords! – How can we grant them access to the website, without also granting access to the actual file share?
Thanks in advance!
Fred
Hi, figured it out, posting for whoever ponders this question as well – it’s very straightforward really, just got confused by the best practice we typically use for shares, where we leave the share permissions wide open, and handle security on the Security tab — in this situation however, that’s a bad idea:
When a website uses Integrated Windows Security, these rules apply:
+ the access to the website is determined by the Security tab
+ if necessary, you can share the folder, and the access to the share should then be managed by configuring the Share Permissions (so only give the administrators of the website access to the share)
Cool, thanks for replying back with your solution.
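The rule from the comment thread above (NTFS permissions decide who can use the site, share permissions decide who can reach the files over SMB) can be checked with a short audit script. This is an added example, not part of the original post or its comments; the list of "broad" principals and the function names are assumptions made for illustration.

```powershell
# Added example: flag SMB shares that overlap IIS site content and are open to broad groups.
# Assumes the WebAdministration and SmbShare modules (Windows Server 2012 or later).
Import-Module WebAdministration, SmbShare

# Principals treated as too broad for a share over web content (assumption; adjust as needed).
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

function Test-PathCovers([string]$Parent, [string]$Child) {
    # True when $Child is $Parent itself or lies beneath it (case-insensitive).
    $p = $Parent.TrimEnd('\'); $c = $Child.TrimEnd('\')
    $c -eq $p -or $c.StartsWith("$p\", [StringComparison]::OrdinalIgnoreCase)
}

function Get-ExposedWebShare {
    # Physical root of every IIS site, with %SystemDrive% and similar variables expanded.
    $siteRoots = Get-Website | ForEach-Object {
        [pscustomobject]@{
            Site = $_.Name
            Path = [Environment]::ExpandEnvironmentVariables($_.PhysicalPath)
        }
    }

    # Shares without a path (for example IPC$) cannot expose files and are skipped.
    foreach ($share in Get-SmbShare | Where-Object { $_.Path }) {
        foreach ($root in $siteRoots) {
            # Overlap: the share contains the site root, or sits inside it.
            $overlaps = (Test-PathCovers $share.Path $root.Path) -or
                        (Test-PathCovers $root.Path $share.Path)
            if (-not $overlaps) { continue }

            Get-SmbShareAccess -Name $share.Name |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $BroadPrincipals -contains $_.AccountName } |
                ForEach-Object {
                    [pscustomobject]@{
                        Site    = $root.Site
                        Share   = $share.Name
                        Account = $_.AccountName
                        Right   = $_.AccessRight
                    }
                }
        }
    }
}

Get-ExposedWebShare | Format-Table -AutoSize
```

For any row it reports, `Revoke-SmbShareAccess` removes the broad principal from the share and `Grant-SmbShareAccess` adds the site administrators; the NTFS permissions on the folder stay as they are so authenticated users can still browse the site.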