| Groups | Blog | Home |
iis security : Need to restrict access to an EXE in IIS6
Hello!
I have my web site running on Windows Server 2003 Standard with IIS 6.0. I have an executable file, support.exe, that I want to have accessible to my clients, but not to anyone else. I would like it to be available via http://www.mydomainname.com/support.exe so it is easy to download, but I cannot get it to be restricted. Even if I set the NTFS permissions on the file (in the wwwroot folder) to Deny for Everyone, it will still download when I go to the web site. How can I make it so that only a certain user name can download or run that file? All Googled out and brain dead! Gregg Hill
This is standard procedure.
Enable authentication protocol and disable anonymous access for support.exe Make sure "Scripts and Executables" is not enabled because you want support.exe to be downloaded, not executed. Better yet, set Execute Permissions to "None" so that it can only be downloaded. Set NTFS permission on support.exe to only allow Read access to the authenticated user that your Clients will authenticate with. I suspect that /support.exe was already cached prior to you changing NTFS permissions so it remained downloadable for a short period of time until the cache clears. -- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Gregg Hill" <bogus@nowhere.com> wrote in message news:eVLSmu7IGHA.528@TK2MSFTNGP12.phx.gbl... > Hello! > > I have my web site running on Windows Server 2003 Standard with IIS 6.0. I > have an executable file, support.exe, that I want to have accessible to my > clients, but not to anyone else. > > I would like it to be available via > http://www.mydomainname.com/support.exe so it is easy to download, but I > cannot get it to be restricted. Even if I set the NTFS permissions on the > file (in the wwwroot folder) to Deny for Everyone, it will still download > when I go to the web site. > > How can I make it so that only a certain user name can download or run > that file? > > All Googled out and brain dead! > > Gregg Hill >
David,
Thank you for your response. I went into Windows Explorer and set the NTFS permissions on the support.exe file (under wwwroot) with Administrators and System set to Full Control, and the particular client user name to Read. I then looked at the Default Web Site using IIS Manager, and set Execute Permissions to None (it was on Scripts only). I disabled anonymous access on the support.exe file using IIS Manager. My original problem was trying to get it to prompt for name and password. I succeeded in getting that far before, then applied your suggestions as well. The behavior I got before and still get now is that I get the prompt, but no matter how I enter the user name and password, it keeps going back to the prompt. The server is not a domain controller, but is a stand-alone server. I tried all of these combinations: username and password domain\username and password computername\username and password workgroupname\username and password Nothing works. I keep getting bounced back to the prompt. I have tried this from three different computers at three different sites to eliminate caching as a problem. Gregg Hill [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:uDbIMB8IGHA.2912@tk2msftngp13.phx.gbl... > This is standard procedure. > > Enable authentication protocol and disable anonymous access for > support.exe > > Make sure "Scripts and Executables" is not enabled because you want > support.exe to be downloaded, not executed. Better yet, set Execute > Permissions to "None" so that it can only be downloaded. > > Set NTFS permission on support.exe to only allow Read access to the > authenticated user that your Clients will authenticate with. > > > I suspect that /support.exe was already cached prior to you changing NTFS > permissions so it remained downloadable for a short period of time until > the cache clears. > > -- > //David > IIS > http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no > rights. > // > > "Gregg Hill" <bogus@nowhere.com> wrote in message > news:eVLSmu7IGHA.528@TK2MSFTNGP12.phx.gbl... >> Hello! >> >> I have my web site running on Windows Server 2003 Standard with IIS 6.0. >> I have an executable file, support.exe, that I want to have accessible to >> my clients, but not to anyone else. >> >> I would like it to be available via >> http://www.mydomainname.com/support.exe so it is easy to download, but I >> cannot get it to be restricted. Even if I set the NTFS permissions on the >> file (in the wwwroot folder) to Deny for Everyone, it will still download >> when I go to the web site. >> >> How can I make it so that only a certain user name can download or run >> that file? >> >> All Googled out and brain dead! >> >> Gregg Hill >> > >
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx
Please provide the IIS web logfile entries which correspond to your failed attempts. In particular, the HTTP status code, substatus code, and win32 error code. You don't need to get frustrated, try random username combinations, nor waste time guessing at problems that may not exist. It's a server, so you just need to read log files to determine what is wrong and then directly fix it. Your scenario pretty much works by default by using default configuration, set NTFS ACLs on the resources to lockdown to only allow access to the necessary users, and then configure IIS to require Authentication of some sort. The rest of the password prompt, etc will automatically happen when necessary. -- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Gregg Hill" <bogus@nowhere.com> wrote in message news:%23TspXw%23IGHA.1088@tk2msftngp13.phx.gbl... > David, > > Thank you for your response. > > I went into Windows Explorer and set the NTFS permissions on the > support.exe file (under wwwroot) with Administrators and System set to > Full Control, and the particular client user name to Read. > > I then looked at the Default Web Site using IIS Manager, and set Execute > Permissions to None (it was on Scripts only). I disabled anonymous access > on the support.exe file using IIS Manager. > > My original problem was trying to get it to prompt for name and password. > I succeeded in getting that far before, then applied your suggestions as > well. The behavior I got before and still get now is that I get the > prompt, but no matter how I enter the user name and password, it keeps > going back to the prompt. > > The server is not a domain controller, but is a stand-alone server. I > tried all of these combinations: > username and password > domain\username and password > computername\username and password > workgroupname\username and password > > Nothing works. I keep getting bounced back to the prompt. I have tried > this from three different computers at three different sites to eliminate > caching as a problem. > > Gregg Hill > > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > news:uDbIMB8IGHA.2912@tk2msftngp13.phx.gbl... >> This is standard procedure. >> >> Enable authentication protocol and disable anonymous access for >> support.exe >> >> Make sure "Scripts and Executables" is not enabled because you want >> support.exe to be downloaded, not executed. Better yet, set Execute >> Permissions to "None" so that it can only be downloaded. >> >> Set NTFS permission on support.exe to only allow Read access to the >> authenticated user that your Clients will authenticate with. >> >> >> I suspect that /support.exe was already cached prior to you changing NTFS >> permissions so it remained downloadable for a short period of time until >> the cache clears. >> >> -- >> //David >> IIS >> http://blogs.msdn.com/David.Wang >> This posting is provided "AS IS" with no warranties, and confers no >> rights. >> // >> >> "Gregg Hill" <bogus@nowhere.com> wrote in message >> news:eVLSmu7IGHA.528@TK2MSFTNGP12.phx.gbl... >>> Hello! >>> >>> I have my web site running on Windows Server 2003 Standard with IIS 6.0. >>> I have an executable file, support.exe, that I want to have accessible >>> to my clients, but not to anyone else. >>> >>> I would like it to be available via >>> http://www.mydomainname.com/support.exe so it is easy to download, but I >>> cannot get it to be restricted. Even if I set the NTFS permissions on >>> the file (in the wwwroot folder) to Deny for Everyone, it will still >>> download when I go to the web site. >>> >>> How can I make it so that only a certain user name can download or run >>> that file? >>> >>> All Googled out and brain dead! >>> >>> Gregg Hill >>> >> >> > >
David,
Thank you for the suggestions. I cleared the Event Viewer and web logs, then tried to get the file again. I get the password prompt, enter the user name "help" (without quotation marks) and password, then hit OK. It returns to the password prompt with "www.mydomainname.net\help" in the name box and if I enter the password again and hit OK, it goes back to the prompt again. I have verified the user name and password, and I have created several new users with which to test, all with the same result. The Event Viewer security log shows: Logon Failure: Reason: Unknown user name or bad password User Name: help Domain: www.mydomainname.net Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: OFFICE Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 70.x.x.x Source Port: 43548 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. The log under C:\WINDOWS\System32\LogFiles\W3SVC1 shows: 2006-02-03 01:05:12 192.168.0.11 GET /images/service_14-over.gif - 80 - 69.x.x.x Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) http://www.mydomainname.net/service.html 200 0 0 2006-02-03 01:05:12 192.168.0.11 GET /images/service_07-over.gif - 80 - 69.x.x.x Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) http://www.mydomainname.net/service.html 200 0 0 2006-02-03 01:07:39 192.168.0.11 GET /support.exe - 80 - 69.x.x.x Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) - 401 2 2148074254 2006-02-03 01:09:25 192.168.0.11 GET /support.exe - 80 - 69.x.x.x Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) - 401 1 0 2006-02-03 01:09:25 192.168.0.11 GET /support.exe - 80 - 69.x.x.x Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) - 401 1 2148074252 Entries from httperr.log are: 2006-02-03 01:07:20 69.x.x.x 43535 192.168.0.11 80 - - - - - Timer_ConnectionIdle - 2006-02-03 01:07:20 69.x.x.x 43534 192.168.0.11 80 - - - - - Timer_ConnectionIdle - 2006-02-03 01:11:35 69.x.x.x 43548 192.168.0.11 80 - - - - - Timer_ConnectionIdle - 2006-02-03 01:20:10 69.x.x.x 43608 192.168.0.11 80 - - - - - Timer_ConnectionIdle - When it fails to authenticate the third time, it comes up with this error: You are not authorized to view this page HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials. Any idea why it keeps telling me the user name is unknown or password is bad? Gregg Hill [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:Otxr1CNJGHA.344@TK2MSFTNGP11.phx.gbl... > http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx > > Please provide the IIS web logfile entries which correspond to your failed > attempts. In particular, the HTTP status code, substatus code, and win32 > error code. > > You don't need to get frustrated, try random username combinations, nor > waste time guessing at problems that may not exist. It's a server, so you > just need to read log files to determine what is wrong and then directly > fix it. > > Your scenario pretty much works by default by using default configuration, > set NTFS ACLs on the resources to lockdown to only allow access to the > necessary users, and then configure IIS to require Authentication of some > sort. The rest of the password prompt, etc will automatically happen when > necessary. > > -- > //David > IIS > http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no > rights. > // > > "Gregg Hill" <bogus@nowhere.com> wrote in message > news:%23TspXw%23IGHA.1088@tk2msftngp13.phx.gbl... >> David, >> >> Thank you for your response. >> >> I went into Windows Explorer and set the NTFS permissions on the >> support.exe file (under wwwroot) with Administrators and System set to >> Full Control, and the particular client user name to Read. >> >> I then looked at the Default Web Site using IIS Manager, and set Execute >> Permissions to None (it was on Scripts only). I disabled anonymous access >> on the support.exe file using IIS Manager. >> >> My original problem was trying to get it to prompt for name and password. >> I succeeded in getting that far before, then applied your suggestions as >> well. The behavior I got before and still get now is that I get the >> prompt, but no matter how I enter the user name and password, it keeps >> going back to the prompt. >> >> The server is not a domain controller, but is a stand-alone server. I >> tried all of these combinations: >> username and password >> domain\username and password >> computername\username and password >> workgroupname\username and password >> >> Nothing works. I keep getting bounced back to the prompt. I have tried >> this from three different computers at three different sites to eliminate >> caching as a problem. >> >> Gregg Hill >> >> >> >> >> >> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message >> news:uDbIMB8IGHA.2912@tk2msftngp13.phx.gbl... >>> This is standard procedure. >>> >>> Enable authentication protocol and disable anonymous access for >>> support.exe >>> >>> Make sure "Scripts and Executables" is not enabled because you want >>> support.exe to be downloaded, not executed. Better yet, set Execute >>> Permissions to "None" so that it can only be downloaded. >>> >>> Set NTFS permission on support.exe to only allow Read access to the >>> authenticated user that your Clients will authenticate with. >>> >>> >>> I suspect that /support.exe was already cached prior to you changing >>> NTFS permissions so it remained downloadable for a short period of time >>> until the cache clears. >>> >>> -- >>> //David >>> IIS >>> http://blogs.msdn.com/David.Wang >>> This posting is provided "AS IS" with no warranties, and confers no >>> rights. >>> // >>> >>> "Gregg Hill" <bogus@nowhere.com> wrote in message >>> news:eVLSmu7IGHA.528@TK2MSFTNGP12.phx.gbl... >>>> Hello! >>>> >>>> I have my web site running on Windows Server 2003 Standard with IIS >>>> 6.0. I have an executable file, support.exe, that I want to have >>>> accessible to my clients, but not to anyone else. >>>> >>>> I would like it to be available via >>>> http://www.mydomainname.com/support.exe so it is easy to download, but >>>> I cannot get it to be restricted. Even if I set the NTFS permissions on >>>> the file (in the wwwroot folder) to Deny for Everyone, it will still >>>> download when I go to the web site. >>>>
David,
I moved the file to a new folder called "help" and I got it to work if I set authentication to Basic within IIS Manager for the Directory properties, but it fails if I have it set to Integrated Windows Authentication. That is a good start, I guess! Gregg Hill [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:Otxr1CNJGHA.344@TK2MSFTNGP11.phx.gbl... > http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx > > Please provide the IIS web logfile entries which correspond to your failed > attempts. In particular, the HTTP status code, substatus code, and win32 > error code. > > You don't need to get frustrated, try random username combinations, nor > waste time guessing at problems that may not exist. It's a server, so you > just need to read log files to determine what is wrong and then directly > fix it. > > Your scenario pretty much works by default by using default configuration, > set NTFS ACLs on the resources to lockdown to only allow access to the > necessary users, and then configure IIS to require Authentication of some > sort. The rest of the password prompt, etc will automatically happen when > necessary. > > -- > //David > IIS > http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no > rights. > // > > "Gregg Hill" <bogus@nowhere.com> wrote in message > news:%23TspXw%23IGHA.1088@tk2msftngp13.phx.gbl... >> David, >> >> Thank you for your response. >> >> I went into Windows Explorer and set the NTFS permissions on the >> support.exe file (under wwwroot) with Administrators and System set to >> Full Control, and the particular client user name to Read. >> >> I then looked at the Default Web Site using IIS Manager, and set Execute >> Permissions to None (it was on Scripts only). I disabled anonymous access >> on the support.exe file using IIS Manager. >> >> My original problem was trying to get it to prompt for name and password. >> I succeeded in getting that far before, then applied your suggestions as >> well. The behavior I got before and still get now is that I get the >> prompt, but no matter how I enter the user name and password, it keeps >> going back to the prompt. >> >> The server is not a domain controller, but is a stand-alone server. I >> tried all of these combinations: >> username and password >> domain\username and password >> computername\username and password >> workgroupname\username and password >> >> Nothing works. I keep getting bounced back to the prompt. I have tried >> this from three different computers at three different sites to eliminate >> caching as a problem. >> >> Gregg Hill >> >> >> >> >> >> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message >> news:uDbIMB8IGHA.2912@tk2msftngp13.phx.gbl... >>> This is standard procedure. >>> >>> Enable authentication protocol and disable anonymous access for >>> support.exe >>> >>> Make sure "Scripts and Executables" is not enabled because you want >>> support.exe to be downloaded, not executed. Better yet, set Execute >>> Permissions to "None" so that it can only be downloaded. >>> >>> Set NTFS permission on support.exe to only allow Read access to the >>> authenticated user that your Clients will authenticate with. >>> >>> >>> I suspect that /support.exe was already cached prior to you changing >>> NTFS permissions so it remained downloadable for a short period of time >>> until the cache clears. >>> >>> -- >>> //David >>> IIS >>> http://blogs.msdn.com/David.Wang >>> This posting is provided "AS IS" with no warranties, and confers no >>> rights. >>> // >>> >>> "Gregg Hill" <bogus@nowhere.com> wrote in message >>> news:eVLSmu7IGHA.528@TK2MSFTNGP12.phx.gbl... >>>> Hello! >>>> >>>> I have my web site running on Windows Server 2003 Standard with IIS >>>> 6.0. I have an executable file, support.exe, that I want to have >>>> accessible to my clients, but not to anyone else. >>>> >>>> I would like it to be available via >>>> http://www.mydomainname.com/support.exe so it is easy to download, but >>>> I cannot get it to be restricted. Even if I set the NTFS permissions on >>>> the file (in the wwwroot folder) to Deny for Everyone, it will still >>>> download when I go to the web site. >>>> >>>> How can I make it so that only a certain user name can download or run >>>> that file? >>>> >>>> All Googled out and brain dead! >>>> >>>> Gregg Hill >>>> >>> >>> >> >> > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |