I created two IIS sites which both have Windows Authentication and Directory Browsing enabled.
For the first one, let's call it "admin", I set no special permissions. I navigated to the site and was prompted for credentials. I logged in with an administrator account on the machine and was able to browse the folder. Perfect.
For the second one, let's call it "test", I created a new Windows user and removed it from ALL groups including "Users". I created a new folder on the drive and gave this new user permissions to the folder. When I access this site via a browser and log in with the new account, I am able to browse the folder as expected. However, I am also able to browse the "admin" site above with this new account. This is not expected, as the only users that have permissions to the folder on the drive are "CREATOR OWNER", "SYSTEM", "Administrators" and "Users". My new user is not a member of any of those groups.
Why is this happening? What is the proper way, with IIS, to secure a folder with a local account, but ensure that account has no access to other folders?
Just because your second user is not a member of the Users group, it doesn't mean it is not a part of the Users group during runtime.
Take my user Peter:
just a member of Guests, not Users.
But when I ask for my security context during runtime:
We can see that I am in Users as well as in a whole bunch of other special groups.
To limit files to certain users, you have to remove the permissions for the Users group.
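The check and the fix described in the answer above, as an added PowerShell example that is not part of the original answer. `$AdminRoot` is a hypothetical path standing in for the "admin" site's folder, and the function names are made up for illustration; run the ACL change from an elevated prompt.

```powershell
# Added example. $AdminRoot is an assumed placeholder, not a path from the post.
$AdminRoot = 'C:\inetpub\admin'

# Well-known SID of the local BUILTIN\Users group.
$usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

# List the groups in the current logon token (same data as `whoami /groups`).
# Run this in a session of the account you are checking: groups appear here
# even when the account is not listed as a member in Local Users and Groups.
function Get-TokenGroup {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ Name = $name; Sid = $sid.Value }
    }
}

# Remove every BUILTIN\Users entry from a folder's ACL.
function Remove-UsersAce {
    param([Parameter(Mandatory)][string]$Path)

    # Stop inheriting from the parent but keep a copy of the inherited
    # entries as explicit ones, so the Users entry becomes removable.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read the ACL and drop all access rules held by BUILTIN\Users.
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules($usersSid)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return whatever Users entries are still present (expected: none).
    $sidType = [System.Security.Principal.SecurityIdentifier]
    @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid.Value })
}

# Is BUILTIN\Users in this session's token?
Get-TokenGroup | Where-Object { $_.Sid -eq $usersSid.Value } | Format-Table -AutoSize

# Lock the folder down and report what is left.
$left = Remove-UsersAce -Path $AdminRoot
"Remaining BUILTIN\Users entries on ${AdminRoot}: $($left.Count)"
```

If the site stops loading after the change, its application pool identity was probably reading the folder through the Users entry; grant that identity and the intended accounts read access explicitly.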