+ Post New Thread
Results 1 to 15 of 15
Windows Thread, IIS 6 Access control in Technical; Howdy, We use IIS 6 to host intranet pages, used as pupils' homepage in IE. I want to roll this ...
  1. #1
    Ryan's Avatar
    Join Date
    Jan 2008
    Location
    Scotland
    Posts
    537
    Thank Post
    12
    Thanked 16 Times in 15 Posts
    Blog Entries
    1
    Rep Power
    30

    IIS 6 Access control

    Howdy,

    We use IIS 6 to host intranet pages, used as pupils' homepage in IE. I want to roll this out for staff too, so have created a /staff/ directory in /wwwroot/ which i intend to set as staff's homepage.

    How do i stop the pupils (sec. grp) viewing this?

    Ta in advance.

  2. #2
    apeo's Avatar
    Join Date
    Sep 2005
    Location
    Lost
    Posts
    1,612
    Thank Post
    95
    Thanked 115 Times in 111 Posts
    Rep Power
    42
    Do staff & students authenticate to enter the site?

    If there isnt any authentication then i guess theres nothing you can do in iis so you probably need to block parts of the site from students using a webfilter/proxy.

    If authentication are setup then you just need to set permissions(ntfs) on the directory.

  3. #3
    Ryan's Avatar
    Join Date
    Jan 2008
    Location
    Scotland
    Posts
    537
    Thank Post
    12
    Thanked 16 Times in 15 Posts
    Blog Entries
    1
    Rep Power
    30
    Can you explain more by authenticate on entry? Where's this set up in IIS? Haven't been elbow-deep in IIS too much so far

    Anonymous access is set up - does disabling this force clients to authenticate?

  4. #4
    apeo's Avatar
    Join Date
    Sep 2005
    Location
    Lost
    Posts
    1,612
    Thank Post
    95
    Thanked 115 Times in 111 Posts
    Rep Power
    42
    In IIS you can setup authentication on the whole website of which ever folder/virtual directory you want. To get at it you just right click and go to properties, Directory Security. Under Authentication and Access Control>Edit. Here you untick Enable Annonymous Access and select the authentication method you want to setup. If you untick Enable Annoymous Access, yes it will need to authenticate to gain access.

  5. #5

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,271
    Thank Post
    884
    Thanked 2,749 Times in 2,322 Posts
    Blog Entries
    11
    Rep Power
    785
    If you are using IE on the internal network you should be able to set up the authentication method on the staff folder to use Windows Authentication and then only allow the staff group to view it. Thats how I setup my internal admin site.

  6. #6
    Netman's Avatar
    Join Date
    Jul 2005
    Location
    56.343515, -2.804118
    Posts
    911
    Thank Post
    367
    Thanked 193 Times in 144 Posts
    Rep Power
    56
    Quote Originally Posted by SYNACK View Post
    If you are using IE on the internal network you should be able to set up the authentication method on the staff folder to use Windows Authentication and then only allow the staff group to view it. Thats how I setup my internal admin site.
    Yep, change the authentication method for the site to basic or windows and then control access via the NTFS permissions on the folder holding the site files. Most restrictive always wins as per usual...

  7. #7
    Ryan's Avatar
    Join Date
    Jan 2008
    Location
    Scotland
    Posts
    537
    Thank Post
    12
    Thanked 16 Times in 15 Posts
    Blog Entries
    1
    Rep Power
    30
    I did try that earlier - disable anonymous access and enable Windows auth. When i tested it, it popped up a username and password dialog :/ Not quite what i'm after. I was, though, testing from my machine running IE as a test pupil. I'll go try on a test PC actually logged in as said test student account...

    Editypoo: Yep, that's the puppy. Cheers lads!
    Last edited by Ryan; 22nd May 2008 at 02:48 PM.

  8. #8

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,271
    Thank Post
    884
    Thanked 2,749 Times in 2,322 Posts
    Blog Entries
    11
    Rep Power
    785
    Quote Originally Posted by Ryan View Post
    I did try that earlier - disable anonymous access and enable Windows auth. When i tested it, it popped up a username and password dialog :/
    You may need to make sure that IE is set to allow integrated authentication - see attachment - there should be an option in GP to set this domain wide.
    Attached Images Attached Images

  9. #9
    Ryan's Avatar
    Join Date
    Jan 2008
    Location
    Scotland
    Posts
    537
    Thank Post
    12
    Thanked 16 Times in 15 Posts
    Blog Entries
    1
    Rep Power
    30
    Checked it and it's enabled for the test account, so will be the same for all students. It must be a discrepancy between using "Run as" and being fully logged on. Who knows. It's not letting them in anyway, so job done

  10. #10

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,271
    Thank Post
    884
    Thanked 2,749 Times in 2,322 Posts
    Blog Entries
    11
    Rep Power
    785
    This should do it in GP:
    User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Pannel > Security Page > Intranet Zone > Logon Options : Automatic logon with current user name and password

    This is for the IE7 ADM templates and relys on your site being detected as part of the intranet. You can change it to add this behavior to other zones though.

    Edit: Ah looks like its already configured properly, I'll leve this here just in case it helps anyone else
    Last edited by SYNACK; 22nd May 2008 at 03:03 PM.

  11. #11
    Ryan's Avatar
    Join Date
    Jan 2008
    Location
    Scotland
    Posts
    537
    Thank Post
    12
    Thanked 16 Times in 15 Posts
    Blog Entries
    1
    Rep Power
    30
    Thanks dude. Have checked and enabled that explicitly. Won't hurt.

  12. #12
    Ryan's Avatar
    Join Date
    Jan 2008
    Location
    Scotland
    Posts
    537
    Thank Post
    12
    Thanked 16 Times in 15 Posts
    Blog Entries
    1
    Rep Power
    30
    Hmm. Using a test staff account, it displays the "Connect to" dialog box - arg.

    Everything is default in IIS. I have set the /staff/ dir to deny students. Disabled anan access and enabled Integrated Windows auth.

    Ideas?

  13. #13
    apeo's Avatar
    Join Date
    Sep 2005
    Location
    Lost
    Posts
    1,612
    Thank Post
    95
    Thanked 115 Times in 111 Posts
    Rep Power
    42
    I assume you've already altered gpo for staff as instructed by synack above so just to see exactly whats wrong, try entering the user details and see if you have access i.e. Username: DomainName\TestStaff, Password: password. If you can gain access to the folder then you know its problem with your authentication method and if you cant, its something to do with permissions. Is Integrated Windows Authentication the only thing ticked?

  14. #14
    Netman's Avatar
    Join Date
    Jul 2005
    Location
    56.343515, -2.804118
    Posts
    911
    Thank Post
    367
    Thanked 193 Times in 144 Posts
    Rep Power
    56
    Quote Originally Posted by Ryan View Post
    Hmm. Using a test staff account, it displays the "Connect to" dialog box - arg.

    Everything is default in IIS. I have set the /staff/ dir to deny students. Disabled anan access and enabled Integrated Windows auth.

    Ideas?
    Is the site showing in IE as in the intranet zone or internet zone? If the latter, it will always ask for credentials. It does help if the url is something like http://machinename/staff rather than a fqdn or IP address...

  15. #15
    Ryan's Avatar
    Join Date
    Jan 2008
    Location
    Scotland
    Posts
    537
    Thank Post
    12
    Thanked 16 Times in 15 Posts
    Blog Entries
    1
    Rep Power
    30
    Thx mate, yep - i've gotten as far as that. There's a few niggles, but i've almost cracked it. Mostly lack of experience on my part and an improperly configured IIS.



SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 16
    Last Post: 24th July 2009, 11:49 PM
  2. Access Control Of Website
    By SYSMAN_MK in forum Web Development
    Replies: 5
    Last Post: 15th April 2008, 10:37 PM
  3. Network Access Control Solutions
    By Simcfc73 in forum Network and Classroom Management
    Replies: 5
    Last Post: 23rd October 2007, 02:37 PM
  4. Content Control
    By kamikaze in forum Network and Classroom Management
    Replies: 4
    Last Post: 30th July 2007, 08:02 AM
  5. Vista UAC - User Access Control
    By Nij.UK in forum Windows Vista
    Replies: 17
    Last Post: 6th June 2007, 11:19 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •