As your customers' businesses grow, their networks grow too. If you are responsible for maintaining the security of their data, it's wise to regularly check and update user access controls to ensure that confidential corporate data within folders, files and Web documents remain under lock and key. Luckily, it's easy to create rules in
IIS Web server permissions control access to virtual directories on the Web and apply to all users. To control access to specific data, start by configuring the IIS directory security features:
- Open the Internet Information Services Management Console and enter the Properties dialogue box of the Web site or subfolder you wish to control.
- Once inside, find the Directory tab. The Directory tab enables you to configure whether a user can browse the directory, view/change files and access the files' source code.
- Within this dialogue box, you should also find a Directory Security tab, where you can configure how your customers' Web servers authenticate a user's identity.
It is important to note that, because you're dealing with IIS Web server permissions, the new settings will apply to all users regardless of their specific NT File System (NTFS) access rights.
That brings us to the next step, which is to configure the NTFS permissions for Web documents. NTFS permissions control access to the physical directories on the server and apply to specific user groups. You can use them to define which users can access what content and how they can use it by creating a discretionary access control list (DACL) for each file or directory.
To create a DACL, select a particular Windows user account or group, and specify the access permission for it.
To change NTFS permissions for a directory or file:
- Open My Computer, select the directory or file you wish to secure, and open its property sheet.
- On the Security property sheet, choose the account you want to change and the types of access for the user or group. To grant access, select "Allow," and to deny access select "Deny."
This will help you to better control access to Web content, because IIS will first check that a user has the necessary Web permissions to access the requested resource before ensuring that they also have NTFS permissions. If a user does not have permission, they will receive a "403 Access Forbidden" message. If they have incorrect NTFS permissions, they will receive a "401 Access Denied" message.
If any of your customers are running Web sites that provide access to particularly sensitive data, such as their own customers' personal information, suggest that they install a Web server certificate to enable their Web server's Secure Sockets Layer (SSL) features. This forces users to establish an encrypted link in order to connect to particular directories or files. As a final measure, you can also map client certificates to Windows user accounts on their Web server. This approach, while providing strong authentication and access control, is more complex for you to administer, but is worthwhile if any sites that you manage need to confirm the identity of users before granting access to restricted content.
About the author
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications including SearchSecurity.com.
This was first published in February 2007