I am running a Win2k machine dedicated to the role of a web server. This
server is running a single public web site. The web site in question has a
secure area. What I mean by secure, is that it requires a username/password
to get in.

As I do not have a need for overly-strict security for the site (and other
reasons), I have opted to use Basic Authentication. In general, I have no
problems with this setup. I have created users, set up the Basic Auth in
IIS and have set the appropriate level of security on the folders in
question via the OS. When a user accesses the "secure" area of the site, he
is correctly prompted for his username/password and everyone is happy.

My question/concern is this; as I have to create an OS user account for each
web site user, this would seem to give them at least some access to the box
in general due to the fact that "Everyone" has certain rights to some
resources of the box. These "users" do not need any access to the box, not
do I want them to have any. I suppose I could comb the directory structure
and remove/restrict the "Everyone" access, but that seems like a very
onerous task to say the least. Are there any other options of am I
misunderstanding the situation at all?

TIA

There are a number of articles out there on NTFS permissions to change
to improve security on IIS, and you can also find and edit the various
Group Policy template files within windowsroot\security\templates and
available for download from www.microsoft.com/download such as
hisecweb. These files can be edited either using Notepad or MMC.EXE /
Add/Remove Security Templates Snap-In. You can choose to apply just
the NTFS portions or the whole thing. Some people do encounter
problems when they apply the entire hisecweb template without knowing
what it does or how to undo it, so be careful.

The following sites also have hardening checklists and/or information
on NTFS permissions that you might change:

www.microsoft.com/technet/security
www.nsa.gov
www.iisfaq.com
http://securityadmin.info/faq.htm#harden

Regarding your specific question about how to change permissions for
these users, it might be better to create a group containing these
users, and Deny permissions to the entire hard drive paritition for
this group, then remove the deny permission for the web folders. If
you did this, you would need to be careful that you never put the
server administrators or system into this folder, or else you will be
denied access and have big problems. Deny permission overrides any
other permission granted elsewhere, even for admininstrators. Note
that AFAIK, simply putting users into the Guests group really does
nothing much to change those users permissions.

If you run into any problems, see the articles from Microsoft and
www.iisfaq.com on minimum default NTFS permissions needed for IIS to
run, and/or use Windows auditing on file access failures to see who
was denied permission to what. Note that there are folders within the
windowsroot folder and program files folder that these users might
need access to.

http://securityadmin.info/faq.htm#auditing


[quoted text, click to view]