File permissions vary based on access method problem


File permissions vary based on access method problem Daniel Stratton
4/26/2006 5:29:03 AM
I'm currently maintaining an intranet ASP based product for a small business,
and I have run into an odd problem.

I have a directory which is full of documents that need to be accessed via a
central website, both internally from the office, and externally from home.
The data sits on the server (Windows 2003 SBS) at C:\Data\Platform. This
directory is shared on the office intranet as H:, and a Virtual Directory
(VD1) is setup on the website that points to this location as well. The
virtual directory has NTFS access for Admins, Everyone, IIS_WPG, IWAM_MACHINE
and IUSR_MACHINE. It also has Read, Write, and Directory Browse permissions
from within IIS.

C:\Data\Platform is marked as full control for Admins, Everyone, IIS_WPG,
IWAM_MACHINE and IUSR_MACHINE. The share is set to read, write and modify
for all. The file being accessed (records.xls) is not marked as read-only.

If a user tries to access the file through the virtual directory (i.e. an
http:// link to VD1/records.xls), the file opens in read-only mode. If a
user tries to access it through the intranet (i.e. a file:// link to
H:/records.xls) then the file is opened in write mode.

Both anonymous and integrated windows access are enabled, with IP
restrictions of 192.168.0.x and 127.0.0.1. But this issue occurs within the
office as well, so that only files that are accessed through H: are openable
for write mode. Something seems to be restricting it to read only mode
through the use of the virtual directory.

Most documents we only want to be read only, but some of them we do want to
be able to write to (communal time sheets for instance). External write
access is desired to allow the rest of the office to work more flexibly. All
clients are latest patched versions of IE6.

How do I make it so that the file is accessible for writing through the
Virtual Directory?

Re: File permissions vary based on access method problem Marcelo Villalón
4/27/2006 6:12:16 PM
Hi,

Via IIS you configure:
1) Enable Write permission on IIS mmc, VD properties
2) Using the PUT method over HTTP 1.1

Here is the IIS help about it

Write

Select to allow users to upload files and their associated properties to the
enabled directory on your server or to change content in a Write-enabled
file. Write access is allowed only with a browser that supports the PUT
feature of the HTTP 1.1 protocol standard

NOTE: In any case you should never let this VD be writable from the external
network; consider using a VPN connection to access the H: directory
instead of the http:// form.

Hope this helps


Re: File permissions vary based on access method problem David Wang [Msft]
5/1/2006 2:55:59 AM
http://blogs.msdn.com/david.wang/archive/2005/08/20/Why_can_I_upload_a_file_without_IIS_Write_Permission.aspx

The issue is that "different access methods" have different security
configurations. You do not have comparable configuration of security for
each access method, hence behavior can appear different.

You always need to be clear about:
1. What user identity is performing the action
2. Through what protocol is the action performed
3. Does the resource allow that user identity to perform that action through
that protocol

Things no longer "automagically" work on Windows, especially from
Windows Server 2003 onwards, because history has shown that when we make
things "automagically work", hackers take advantage of it more than normal
users stumbling around and running into that functionality. The result of
the security lockdown is that users have to know more about what they are
doing. Now, how users figure out what they are doing, I have no idea. ;-)


When you access resources via H: or file://, it is treated as access through
a UNC share as your user identity, which means that restrictive merge of
ACLs on the UNC share and NTFS ACLs on the specific resource as well as your
user identity govern access.

When you access resources via http:// , it is treated as access through
HTTP. By default, HTTP is a read-only protocol. "Writes" can happen only if
you write and run custom code on top of HTTP, or you enable WebDAV. In all
cases, the authentication protocol negotiated between the client and server
determines the user identity making the read/write operation, and that user
identity has to have NTFS ACLs on the resource to perform the read/write
operation in addition to having the "logical" ability to make the "Write".

In other words:
- if you set the Read-Only attribute on a file and enable WebDAV write, you
still cannot write to the file either through http:// or H: or file://
because the Read-Only attribute disallows all modifications.
- if you do not enable WebDAV and have no other custom code which performs a
logical HTTP write operation, then you cannot write via http:// while user
credentials govern whether H: or file:// can write to the resource (assuming
the resource allows modifications).

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

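Marcelo's reply says HTTP writes arrive as PUT over HTTP/1.1, and David's reply says a PUT only does anything when WebDAV or custom code handles it and the identity the server negotiated has NTFS rights on the resource. The script below is an added example (not code from either poster, nor from IIS) that checks both points from the client side: it asks the virtual directory which verbs it allows (OPTIONS) and then attempts a PUT, classifying the result as "nothing handles writes", "writes handled but this identity refused", or "writable". The host and the path /VD1/records.xls are assumptions, and the two in-process mock servers are constructed stand-ins for VD1 in the two states the thread describes (IIS Write ticked but no WebDAV; WebDAV on, anonymous refused, an authenticated user accepted).

```python
"""Probe whether an IIS virtual directory accepts HTTP writes.

Added example for this thread, not code from the posters or from IIS.
The target URL and the mock servers are assumptions made for illustration.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_write(host, port, path, user=None, password=None, body=b"probe"):
    """Send OPTIONS then PUT to path; return (allowed_verbs, put_status, verdict).

    The verdict follows David's three questions: does anything on the server
    handle a logical HTTP write at all, and if so, did the identity the
    server negotiated pass the resource's authorization.
    """
    headers = {"Content-Type": "application/octet-stream"}
    if user is not None:
        # Basic is used here only because it is easy to construct; IIS on an
        # intranet normally negotiates Integrated (NTLM/Kerberos) instead.
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token

    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allow_hdr = resp.getheader("Allow") or ""
    allowed = sorted({v.strip().upper() for v in allow_hdr.split(",") if v.strip()})

    conn.request("PUT", path, body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    status = resp.status
    conn.close()

    if status in (200, 201, 204):
        verdict = "writable: the server honoured PUT for this identity"
    elif status in (401, 403):
        verdict = "write path exists but this identity was refused (auth or NTFS ACL)"
    elif status in (404, 405, 501) or "PUT" not in allowed:
        verdict = "read-only over HTTP: nothing handles a logical write (no WebDAV or custom code)"
    else:
        verdict = f"unexpected status {status}"
    return allowed, status, verdict


class _MockVD(BaseHTTPRequestHandler):
    """Shared base for the constructed mocks: quiet logging, drains bodies."""
    allow = "GET, HEAD, OPTIONS"

    def log_message(self, *args):
        pass

    def _drain(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def _reply(self, status, extra=None):
        self.send_response(status)
        self.send_header("Allow", self.allow)
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self._reply(200)


class ReadOnlyVD(_MockVD):
    """VD1 with IIS Write ticked but WebDAV off: PUT is simply not handled."""
    def do_PUT(self):
        self._drain()
        self._reply(405)


class WebDavVD(_MockVD):
    """VD1 with WebDAV on: PUT is handled, anonymous is refused, and an
    authenticated identity (assumed to hold NTFS write rights) succeeds."""
    allow = "GET, HEAD, OPTIONS, PUT, PROPFIND"

    def do_PUT(self):
        self._drain()
        if self.headers.get("Authorization"):
            self._reply(201)
        else:
            self._reply(401, {"WWW-Authenticate": 'Basic realm="VD1"'})


def start_mock(handler):
    """Start a mock VD on a free loopback port; caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    cases = [("no WebDAV", ReadOnlyVD, ()),
             ("WebDAV, anonymous", WebDavVD, ()),
             ("WebDAV, user", WebDavVD, ("office", "secret"))]
    for name, handler, creds in cases:
        srv = start_mock(handler)
        allowed, status, verdict = probe_write(
            "127.0.0.1", srv.server_port, "/VD1/records.xls", *creds)
        print(f"{name:18s} Allow={allowed} PUT={status} -> {verdict}")
        srv.shutdown()
        srv.server_close()
```

Against the real server you would call probe_write with the intranet host and /VD1/records.xls; if the same call from outside the office returns PUT or PROPFIND in the Allow list, or a 2xx to an anonymous PUT, that is exactly the exposure Marcelo warns about. The probe only speaks Basic authentication, so a 401 from an IIS box that offers only Integrated authentication tells you the write path exists but says nothing about whether your domain identity would be allowed.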

Re: File permissions vary based on access method problem Daniel Stratton
5/1/2006 10:54:03 PM
Thanks Marcelo for the information, that's useful to know. I do have Write
permission on the IIS MMC for the VD, but I'm not following what you mean
with the second part.

What do you mean by using the PUT method over HTTP 1.1? All client browsers
are expected to be IE6. Do you mean adding the PUT verb to Mappings for a
particular extension? If so, is it just for the .ASP file type that retrieves
the file? Or do I have to add mappings for each possible document type?

Thanks for your information, it's certainly given me much to think about.

Re: File permissions vary based on access method problem Daniel Stratton
5/1/2006 11:10:02 PM
Thanks David for such a lengthy and informative post, it has certainly given
me a lot to think about. And I can certainly appreciate why such things
aren't done out of the box these days, but it is troublesome to figure out
for one's self :)

I do have a few questions for you, if you have the chance to respond.

- You mention WebDAV. A quick look at my test machine away from the office
is only Windows XP Pro, and doesn't mention WebDAV at all in the Add/Remove
components for IIS. Is this something that only works on Server editions of XP?
Some clients may not be running a true server, as they are a very small
business.

- Primarily, only a single user should be able to add files to the system.
Can I lock down WebDAV so that only a single user does this? However, it may
be required for multiple people to be able to write to existing files.
Mostly, however, I want them all read only. My impression from your post is
that this is possible?

- In essence, I've been asked to develop something where there is a central
list of files (but not necessarily browseable, things like XLS, DOC, PPT and
so on), which are accessed through clickable browser links, and preferably
avoiding a common mapped drive as people need to be able to access this from
home. In most instances, it's read only, but in a select few, it would be
with write permissions. Without WebDAV, the read part certainly works. Will
using WebDAV allow this write capability?

- If I enable WebDAV, will users be able to poke and prod into it via means
other than the developed ASP site? Because that would not be a good thing,
really.

Thanks for your information already, it's certainly been an eye opener and
looks to give me a few nights of heavy reading ahead of me :)

Regards,
Daniel Stratton
