IIS 6 Access control

[Ryan]

Howdy,

We use IIS 6 to host intranet pages, used as pupils' homepage in IE. I want to roll this out for staff too, so have created a /staff/ directory in /wwwroot/ which i intend to set as staff's homepage.

How do i stop the pupils (sec. grp) viewing this?

Ta in advance.

[apeo]

Do staff & students authenticate to enter the site?

If there isnt any authentication then i guess theres nothing you can do in iis so you probably need to block parts of the site from students using a webfilter/proxy.

If authentication are setup then you just need to set permissions(ntfs) on the directory.

[Ryan]

Can you explain more by authenticate on entry? Where's this set up in IIS? Haven't been elbow-deep in IIS too much so far

Anonymous access is set up - does disabling this force clients to authenticate?

[apeo]

In IIS you can setup authentication on the whole website of which ever folder/virtual directory you want. To get at it you just right click and go to properties, Directory Security. Under Authentication and Access Control>Edit. Here you untick Enable Annonymous Access and select the authentication method you want to setup. If you untick Enable Annoymous Access, yes it will need to authenticate to gain access.

[SYNACK]

If you are using IE on the internal network you should be able to set up the authentication method on the staff folder to use Windows Authentication and then only allow the staff group to view it. Thats how I setup my internal admin site.

[Netman]

If you are using IE on the internal network you should be able to set up the authentication method on the staff folder to use Windows Authentication and then only allow the staff group to view it. Thats how I setup my internal admin site.

Yep, change the authentication method for the site to basic or windows and then control access via the NTFS permissions on the folder holding the site files. Most restrictive always wins as per usual...

[Ryan]

I did try that earlier - disable anonymous access and enable Windows auth. When i tested it, it popped up a username and password dialog :/ Not quite what i'm after. I was, though, testing from my machine running IE as a test pupil. I'll go try on a test PC actually logged in as said test student account...

Editypoo: Yep, that's the puppy. Cheers lads!

[SYNACK]

I did try that earlier - disable anonymous access and enable Windows auth. When i tested it, it popped up a username and password dialog :/

You may need to make sure that IE is set to allow integrated authentication - see attachment - there should be an option in GP to set this domain wide.

[Ryan]

Checked it and it's enabled for the test account, so will be the same for all students. It must be a discrepancy between using "Run as" and being fully logged on. Who knows. It's not letting them in anyway, so job done

[SYNACK]

This should do it in GP:
User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Pannel > Security Page > Intranet Zone > Logon Options : Automatic logon with current user name and password

This is for the IE7 ADM templates and relys on your site being detected as part of the intranet. You can change it to add this behavior to other zones though.

Edit: Ah looks like its already configured properly, I'll leve this here just in case it helps anyone else

[Ryan]

Thanks dude. Have checked and enabled that explicitly. Won't hurt.

[Ryan]

Hmm. Using a test staff account, it displays the "Connect to" dialog box - arg.

Everything is default in IIS. I have set the /staff/ dir to deny students. Disabled anan access and enabled Integrated Windows auth.

Ideas?

[apeo]

I assume you've already altered gpo for staff as instructed by synack above so just to see exactly whats wrong, try entering the user details and see if you have access i.e. Username: DomainName\TestStaff, Password: password. If you can gain access to the folder then you know its problem with your authentication method and if you cant, its something to do with permissions. Is Integrated Windows Authentication the only thing ticked?

[Netman]

Hmm. Using a test staff account, it displays the "Connect to" dialog box - arg.

Everything is default in IIS. I have set the /staff/ dir to deny students. Disabled anan access and enabled Integrated Windows auth.

Ideas?

Is the site showing in IE as in the intranet zone or internet zone? If the latter, it will always ask for credentials. It does help if the url is something like http://machinename/staff rather than a fqdn or IP address...

[Ryan]

Thx mate, yep - i've gotten as far as that. There's a few niggles, but i've almost cracked it. Mostly lack of experience on my part and an improperly configured IIS.