IIS access by group?
The teachers have requested access to the student folders from off site.
"Sure thing." I say before I snicker at their ignorance about all things computerish as they walk away.
These student folders are divided up by graduation year, then by student. Teachers have read/write access to all files. Students have access to their grade year as read, and read/write access to their folder.
I set up IIS on the file server, made the root of the student folders home to IIS (no index.php or html, so they can just look at the folders/files for now).
I then went to the Authentication Access Control in IIS and removed anon user and added Digest Authent for Windows domain... Went back to the site and it requires me to add my user/pass.
I then logged out, and was also able to log in as a student and see the same as a teacher. (So they could technically cheat by looking at other students' files.)
I do have the teachers and students in separate groups on the domain however, so is there a way to only give access to the Teachers group in IIS?
If the site is using Windows authentication and is logged in as the student then NTFS permissions will apply. I would check out if the same student account is able to view the file listing directly by mapping a drive to the UNC path using student credentials.
I would have serious doubts about opening this to the outside world without at least SSL on top of the Windows authentication, as otherwise all of the files and even authentication can be sent in plain text, which is exceptionally insecure.
You may be able to lock it down a bit more with a web.config file in the root folder that they are presented with first or on subsequent high level folders:
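One way such a web.config can restrict the site to a domain group is shown below; it is an added example, not the configuration from the original post. It assumes IIS 7 or later with the URL Authorization role service installed, and `EXAMPLE\Teachers` is a placeholder for the real domain group name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config placed in the root of the student folders site. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Drop the inherited default rule that allows every user. -->
        <remove users="*" roles="" verbs="" />
        <!-- Allow only members of the teachers group.
             EXAMPLE\Teachers is a placeholder (assumption), not a name from the thread. -->
        <add accessType="Allow" roles="EXAMPLE\Teachers" />
        <!-- Anonymous requests are refused even if anonymous
             authentication is re-enabled on the site later. -->
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

With no matching allow rule, an authenticated student is refused by IIS before the request reaches the file system. NTFS permissions on the folders still apply to whoever does get through.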
Thank you kindly! I'll test that out today.
I wouldn't expose your server like that; it isn't secure. I would use an SSL-VPN solution with a web interface like SonicWall or Cisco VPN.
Why "snicker at their ignorance"? From what you've written they've not shown any ignorance - they've asked for something perfectly reasonable (given that they already have that access inside school, why shouldn't they have it outside school? It's possible to argue that teachers shouldn't have blanket access at all but that doesn't seem to be the point you're making).