Configure IIS Web server permissions to protect customer data

As your customers' businesses grow, their networks grow too. If you are responsible for maintaining the security of their data, it's wise to regularly check and update user access controls to ensure that confidential corporate data within folders, files and Web documents remain under lock and key. Luckily, it's easy to create rules in Internet Information Services (IIS) to specify or restrict what information can be accessed. Let's look at how to configure IIS Web server permissions to provide proper and secure access controls that not only satisfy your customer's end users, but also ensure better data security.

IIS Web server permissions control access to virtual directories on the Web and apply to all users. To control access to specific data, start by configuring the IIS directory security features:

  1. Open the Internet Information Services Management Console and enter the Properties dialogue box of the Web site or subfolder you wish to control.
  2. Once inside, find the Directory tab. The Directory tab enables you to configure whether a user can browse the directory, view/change files and access the files' source code.
  3. Within this dialogue box, you should also find a Directory Security tab, where you can configure how your customers'


  1. Web servers authenticate a user's identity.

It is important to note that, because you're dealing with IIS Web server permissions, the new settings will apply to all users regardless of their specific NT File System (NTFS) access rights.
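The article's steps use the IIS management console dialogs of its day; on IIS 7 and later the same Web permissions live in applicationHost.config and can be set from a script. The following is an added example, not code from the article, using the WebAdministration PowerShell module that ships with those IIS versions. The site name "Default Web Site" and the virtual directory "customerdata" are assumed placeholders.

```powershell
# Added example, not from the original article: set IIS Web permissions for one
# virtual directory with the WebAdministration module (IIS 7 and later). The site
# and directory names are assumed placeholders.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'          # write to applicationHost.config
$location = 'Default Web Site/customerdata'    # assumed site/virtual directory

# Disable directory browsing so a request for the folder cannot list its files.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false

# Permit Read and Script only: no Write, no Execute of arbitrary binaries and no
# Source access. This is the configuration equivalent of the Directory tab's Read,
# Write, Script source access and Execute permissions, and, like them, it applies
# to every requester regardless of the NTFS rights of the individual user.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read,Script'

# Get-WebConfigurationProperty returns either a plain string or an attribute
# object with a .Value member, depending on the attribute type; normalise that.
function Get-AttributeValue($attr) {
    if ($attr.PSObject.Properties['Value']) { $attr.Value } else { $attr }
}

# Read the effective values back for verification and change records.
$browse = Get-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled'
$policy = Get-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy'

[pscustomobject]@{
    Location          = $location
    DirectoryBrowsing = Get-AttributeValue $browse
    HandlerAccess     = Get-AttributeValue $policy
}
```

Writing to `MACHINE/WEBROOT/APPHOST` with `-Location` puts the settings in a `<location>` element of applicationHost.config rather than in a web.config under the content folder, so the handlers section, which is locked against web.config overrides by default, can still be changed, and the restriction cannot be loosened by a web.config that a content author uploads.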

That brings us to the next step, which is to configure the NTFS permissions for Web documents. NTFS permissions control access to the physical directories on the server and apply to specific user groups. You can use them to define which users can access what content and how they can use it by creating a discretionary access control list (DACL) for each file or directory.

To create a DACL, select a particular Windows user account or group, and specify the access permission for it.

To change NTFS permissions for a directory or file:

  1. Open My Computer, select the directory or file you wish to secure, and open its property sheet.
  2. On the Security property sheet, choose the account you want to change and the types of access for the user or group. To grant access, select "Allow," and to deny access select "Deny."
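The same DACL can be built from PowerShell, which makes the result reviewable and repeatable across a customer's servers. This is an added example, not code from the article; the folder path `D:\inetpub\wwwroot\customerdata` and the groups `CONTOSO\CustomerDataReaders` and `CONTOSO\Contractors` are assumed placeholders.

```powershell
# Added example, not from the original article: build a least-privilege NTFS DACL
# for a Web content folder. Folder path and group names are assumed placeholders.
$folder      = 'D:\inetpub\wwwroot\customerdata'   # assumed content directory
$readerGroup = 'CONTOSO\CustomerDataReaders'       # assumed group allowed to read
$deniedGroup = 'CONTOSO\Contractors'               # assumed group explicitly denied

$acl = Get-Acl -Path $folder

# Stop inheriting the parent's (usually far broader) permissions. The second
# argument $false discards the inherited entries instead of copying them down,
# so only the entries added below will remain once the ACL is written.
$acl.SetAccessRuleProtection($true, $false)

$inherit = 'ContainerInherit,ObjectInherit'   # apply to subfolders and files

$rules = @(
    # Maintenance accounts keep full control for administration and backups.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow'),
    # Permitted users may read and run scripts but not write or delete.
    # The identity IIS reads content under (IIS_IUSRS on IIS 7 and later, or the
    # anonymous account if anonymous access is enabled) also needs Read; add it
    # here if it is not a member of $readerGroup, or requests will fail.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $readerGroup, 'ReadAndExecute', $inherit, 'None', 'Allow'),
    # A Deny entry overrides any Allow the same user may receive through another
    # group, which is what choosing "Deny" on the Security tab does.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $deniedGroup, 'Read', $inherit, 'None', 'Deny')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

Set-Acl -Path $folder -AclObject $acl

# Show the resulting DACL for review: nothing should remain for BUILTIN\Users or
# Everyone, and no entry should be marked as inherited.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated prompt as an account that is a member of Administrators, since that account must be able to read and write the DACL after inheritance has been removed. The final listing is the check worth keeping in a change record: every entry explicit, every identity intended.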

This layering gives you finer control over Web content: IIS first checks that the user has the necessary Web permissions for the requested resource and only then checks the NTFS permissions. A user who lacks the Web permission receives a "403 Access Forbidden" message; a user who has the Web permission but not the NTFS permission receives a "401 Access Denied" message.

If any of your customers are running Web sites that provide access to particularly sensitive data, such as their own customers' personal information, suggest that they install a Web server certificate to enable their Web server's Secure Sockets Layer (SSL) features. This forces users to establish an encrypted link in order to connect to particular directories or files. As a final measure, you can also map client certificates to Windows user accounts on their Web server. This approach, while providing strong authentication and access control, is more complex for you to administer, but is worthwhile if any sites that you manage need to confirm the identity of users before granting access to restricted content.
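On IIS 7 and later the "require SSL" setting for a directory is the `sslFlags` attribute, and it does nothing unless the site already has an HTTPS binding with a server certificate. The following added example (not code from the article) checks for that binding, then requires SSL for the sensitive directory and asks the browser for a client certificate, the first half of the certificate-mapping approach described above. "Default Web Site" and "customerdata" are assumed placeholders.

```powershell
# Added example, not from the original article: require SSL on a directory that
# holds sensitive data and ask clients for a certificate. The site and directory
# names are assumed placeholders.
Import-Module WebAdministration

$siteName = 'Default Web Site'             # assumed site
$location = "$siteName/customerdata"       # assumed virtual directory

# Requiring SSL is pointless without an HTTPS binding (port 443 plus a server
# certificate), so refuse to continue if the site has none.
$https = Get-WebBinding -Name $siteName -Protocol 'https'
if (-not $https) {
    throw "Site '$siteName' has no HTTPS binding; install a server certificate and add one first."
}

# Ssl: refuse plain HTTP for this path (the client gets a 403).
# SslNegotiateCert: ask the browser for a client certificate, which can then be
# mapped to a Windows account. Use SslRequireCert instead if every client must
# present one, and Ssl128 to insist on strong ciphers on older IIS versions.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert'

# Read the setting back for verification and change records.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

Setting the flags at the directory level rather than for the whole site keeps the public parts of the site reachable over plain HTTP while the customer-data path is encrypted, which matches the per-directory approach the article takes for Web and NTFS permissions.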

About the author
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications including SearchSecurity.com.


This was first published in February 2007
