The IIS Permissions Wizard Template Maker is designed to assist in the creation of new permissions templates for use with Microsoft's Internet Information Services (IIS), version 5.0 and greater.
The Permissions Wizard takes a scenario-driven approach in setting up Web and FTP permissions, NTFS access permissions, and authentication schemes. Rather than setting each area with a separate user interface, you select the scenario that most closely resembles your site's needs and the wizard sets all of the access permissions and authentication schemes for you.
One of the great advantages of this is that the wizard will ensure that Web (or FTP) and NTFS permissions are properly coordinated and that the correct authentication scheme is used. All of the settings can later be changed in the IIS snap-in.
Public Web Site - This is the most common configuration, in which the information on the site is intended for public consumption over the Internet. It uses anonymous authentication and allows users to view all files and access Active Server Pages applications on your Web server. It also gives administrators complete control over the site.
Secure Web Site - This configuration is used for corporate extranets, which are intranets accessed over the Internet. Information on the site is intended for restricted consumption. It uses Basic, Digest, or integrated Windows authentication. It allows only authorized users to view all files and access Active Server Pages applications on your Web server. It also gives administrators complete control over the site.
Permissions Templates are a collection of Access Control permissions, Authentication Methods, and IP Address Restrictions properties that can be applied to an internet site. Templates make it easy to change the security configuration of a site without editing individual properties.
Permissions Templates are stored in the metabase with other IIS settings. They are stored by service under the appropriate section of the metabase for the FTP or Web service.
All settings are the same properties that are stored for a web or FTP site.
The Directory Security property sheet sets access by a specific IP address, a block of IP addresses, or a domain name to block individuals or groups from gaining access to your server.
You can control access to each Internet service by specifying the IP address, subnet mask, or domain name of the computer or computers to be granted or denied access. If you choose to grant access to all users by default, you can then specify the computers to be denied access.
For example, if you discover that a particular user on the Internet is trying to download restricted files from your FTP server, you can prevent the computer at that IP address from connecting to your site. Conversely, if you choose to deny access to all users by default, you can then specify which computers are allowed access.
Granted Access
Select this button, then click Add to list computers that will be denied access.
Denied Access
Select this button, then click Add to list computers that will be granted access.
Modifying Restrictions
To add computers that you want to deny access to, select the Granted Access button and click Add. Conversely, to add computers that you want to grant access to, select the Denied Access button, and click Add.
To remove restrictions, highlight the desired restriction and click the delete button.
To remove all restrictions click the remove all button.
The edit button will allow you to modify a previously configured restriction.
Notes
You can configure Security properties at the Site and virtual directory level.
Computers accessing your server across proxy servers will appear to have the IP address of the proxy server.
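The grant-by-default and deny-by-default behaviour described above, written out as a small Python model (an added example, not part of the IIS documentation or product; class and method names are this example's own and the addresses are constructed):

```python
import ipaddress

# Constructed model of the IP Address and Domain Name Restrictions sheet.
# Names here are this example's own, not IIS metabase property names.
class IpRestrictions:
    def __init__(self, grant_by_default, exceptions=()):
        self.grant_by_default = grant_by_default   # True: "Granted Access" button
        self.exceptions = list(exceptions)          # IPs, "net/mask" blocks, domain names

    @staticmethod
    def _matches(entry, client_addr, client_host):
        try:
            # Single computer ("203.0.113.45") or group ("198.51.100.0/255.255.255.0")
            return client_addr in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            pass  # not an address or block, so treat the entry as a domain name
        # A domain entry matches the client's reverse-DNS name or any host under it;
        # with no resolved name a domain entry can never match.
        if client_host is None:
            return False
        host, domain = client_host.lower().rstrip("."), entry.lower().rstrip(".")
        return host == domain or host.endswith("." + domain)

    def allows(self, client_ip, client_host=None):
        """True if the client may connect. Listed computers are the exceptions to
        the default choice. A client behind a proxy presents the proxy's address,
        so an entry for that address affects every user of the proxy."""
        client_addr = ipaddress.ip_address(client_ip)
        listed = any(self._matches(e, client_addr, client_host) for e in self.exceptions)
        return (not listed) if self.grant_by_default else listed

# Constructed scenarios: a public site that blocks one abuser and one block,
# and an intranet that admits only the corporate network and one domain.
PUBLIC = IpRestrictions(True, ["203.0.113.45", "198.51.100.0/255.255.255.0"])
INTRANET = IpRestrictions(False, ["10.0.0.0/255.0.0.0", "example.com"])
```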
Access permissions determine the type of access allowed to a directory. If the directory is on a Windows File System (NTFS) drive, the NTFS settings for the directory must match these settings. If the settings do not match, the most restrictive settings take effect.
For example, if you give a directory Write permission in this property sheet but give a particular user group only Read access permissions in NTFS, those users cannot write files to the directory because the Read permission is more restrictive.
Read
Enables clients to read or download files stored in a home directory or a virtual directory. If a client sends a request for a file that is in a directory without Read permission, the FTP server returns an error. This permission must be selected for FTP directories.
Write
Enables clients to upload files to the enabled directory on your server. Select this permission only for directories that are intended to accept files from users.
To prevent unauthorized users from establishing an FTP connection to restricted areas, you can configure your server to verify the identity of, or authenticate, users.
Allow Anonymous Connections
Select the Allow Anonymous Connections check box to allow users who log on with the user name "anonymous" to log on to your FTP server. By default, Internet Information Services creates and uses the account IUSR_MACHINE for all anonymous logons. Note that the password is used only within Windows; anonymous users do not log on using this user name and password. Typically, anonymous FTP users will use "anonymous" as the user name and their e-mail address as the password. The FTP service then uses the IUSR_MACHINE account as the logon account for permissions.
When you installed Internet Information Services, Setup created the account IUSR_MACHINE both in the Windows User Manager and in the IIS snap-in, and assigned it a random password in both places. If you change the password, you must change it in both places and make sure it matches.
Note - The IUSR_MACHINE is granted Log on locally user rights by default. This right is necessary if you want to grant anonymous logon access to your site. To grant access only to specific users, you must grant those users Log on locally rights in User Manager.
Allow Only Anonymous Connections
Select this check box to allow only anonymous connections. With this box selected, users cannot log on with user names and passwords. This option prevents access by using an account with administrative permission; only the account specified for anonymous access is granted access.
Access permissions govern what users can do when they connect to your site. If your site is on a Windows File System (NTFS) drive, the NTFS settings for the directory must match these settings; if they do not, the most restrictive settings are enforced.
Read
Enables Web clients to read or download files or directories, and their associated properties. Generally, you should give Read permission only to directories containing information to publish (HTML files, for example). You should disable Read permission for directories containing Common Gateway Interface (CGI) applications and Internet Server Application Program Interface (ISAPI) DLLs to prevent clients from downloading the application files.
Write
Enables Web clients to upload files, and their associated properties, to the enabled directory on your server, or to change content in a Write-enabled file. Write can only be done with a browser that supports the PUT feature of the HTTP 1.1 protocol standard.
Caution - If Write is used in conjunction with Script or Execute permissions, a potentially dangerous situation is created: Web clients could upload executable files and then run them on the server.
Script
Enables applications mapped to a script engine to run in this directory without having Execute permission set. Use Script permission for directories that contain ASP scripts, Internet Database Connector (IDC) scripts, or other scripts. Script permission is safer than Execute permission because you can limit the applications that can be run in the directory.
Execute
Allows any application to run in this directory, including applications mapped to script engines and Windows NT binaries (.dll and .exe files).
Script Source Access
Allows access to source code if either Read or Write capabilities are set. Source code includes scripts in ASP applications. Script Source Access is only available if Read or Write is also selected.
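An audit routine for the Web permissions above and the FTP permissions earlier on this page (an added example, not part of the IIS documentation or product). It uses the bit values of the IIS metabase AccessFlags property, applies the "most restrictive setting wins" rule against NTFS Read/Write, and reports the combinations the page warns about; the sample directories are constructed.

```python
# Bit values of the IIS metabase AccessFlags property (the MD_ACCESS_* constants).
# The directory entries used to exercise the audit are constructed for this example.
ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE = 0x1, 0x2, 0x4
ACCESS_SOURCE, ACCESS_SCRIPT = 0x10, 0x200
FILE_BITS = ACCESS_READ | ACCESS_WRITE   # the bits an NTFS ACL also expresses here

def effective_access(iis_flags, ntfs_flags):
    """IIS Read/Write must match NTFS; where they differ the most restrictive
    setting wins, i.e. a file bit survives only if both sides grant it."""
    return (iis_flags & ~FILE_BITS) | (iis_flags & ntfs_flags & FILE_BITS)

def audit_directory(iis_flags, ntfs_flags, holds_cgi_or_isapi=False, is_ftp=False):
    """Return (effective flags, list of findings) for one home/virtual directory."""
    eff = effective_access(iis_flags, ntfs_flags)
    findings = []
    if (iis_flags & FILE_BITS) != (eff & FILE_BITS):
        findings.append("IIS and NTFS Read/Write disagree; NTFS restricts the result")
    if eff & ACCESS_WRITE and eff & (ACCESS_SCRIPT | ACCESS_EXECUTE):
        findings.append("Write with Script/Execute: clients could upload and run code")
    if holds_cgi_or_isapi and eff & ACCESS_READ:
        findings.append("Read on a CGI/ISAPI directory lets clients download the binaries")
    if eff & ACCESS_EXECUTE:
        findings.append("Execute lets any application run; Script is the safer choice")
    if eff & ACCESS_SOURCE and not eff & FILE_BITS:
        findings.append("Script Source Access has no effect without Read or Write")
    if is_ftp and not eff & ACCESS_READ:
        findings.append("FTP directory lacks Read; every download request will fail")
    return eff, findings

# Constructed sample: (name, IIS AccessFlags, NTFS rights of the connecting account)
SAMPLE = [
    ("/", ACCESS_READ, ACCESS_READ),
    ("/uploads", ACCESS_READ | ACCESS_WRITE | ACCESS_SCRIPT, ACCESS_READ | ACCESS_WRITE),
    ("/cgi-bin", ACCESS_READ | ACCESS_EXECUTE, ACCESS_READ),
    ("/incoming", ACCESS_READ | ACCESS_WRITE, ACCESS_READ),  # the page's Write-vs-NTFS-Read case
]

def audit_site(dirs=SAMPLE):
    """Map each directory name to its (effective flags, findings)."""
    return {name: audit_directory(iis, ntfs, holds_cgi_or_isapi=name.startswith("/cgi"))
            for name, iis, ntfs in dirs}
```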
To prevent unauthorized users from establishing a Web (HTTP) connection to restricted content, you can configure your Web server to verify the identity of, or authenticate, users. The authentication process involves determining whether a user has a valid Windows user account with appropriate Windows File System (NTFS) permissions for accessing a particular Web site, directory, or file.
Anonymous Access
Typically, users attempting to establish a Web (HTTP) connection with your Web server should log on as anonymous users. When a user establishes an anonymous connection, your server will log on the user with an anonymous or guest account, which is a valid Windows user account. This account has security restrictions that limit the type of Web content that anonymous users can access.
Basic Authentication
Select this check box to enable your Web server's Basic authentication method, which is a widely used, industry standard method for identifying users.
Your Web server will only use Basic authentication under the following conditions:
Anonymous access disabled.
Anonymous access denied because Windows file system permissions have been set, requiring the users to provide a Windows user name and password before establishing a connection with restricted content.
During the Basic authentication process, the user's Web browser will prompt the user to enter a valid Windows user account user name and password.
Important - Basic authentication results in the transmission of passwords across the network in an unencrypted form. A determined computer vandal equipped with a network monitoring tool could intercept user names and passwords.
Users attempting to establish a connection through Basic authentication must provide their logon domain in addition to their user name. By clicking this button you configure your Web server to assume a default logon domain, other than the local domain, for users who do not explicitly provide their domain name.
Digest Authentication
This method is new in IIS 5.0 and sends a hash value over the network rather than the password. This method works across proxy servers and other firewalls. Microsoft Internet Explorer, version 5.0 or later, is the only Web browser that currently supports this authentication method. This option is only available for servers on a domain with a Windows 2000 domain controller. The domain controller (DC) must have a clear text copy of all passwords used in Digest authentication.
Integrated Windows Authentication
During the integrated Windows authentication process, your Web server engages in a cryptographic information exchange with the user's Internet Explorer Web browser. The user's Web browser does not send actual Windows user account password information across the network. Microsoft Internet Explorer, version 2.0 or later, is the only Web browser that currently supports this authentication method.
Once enabled, your Web server will only use integrated Windows authentication under the following conditions:
Anonymous access disabled.
Anonymous access denied because Windows file system permissions have been set, requiring the users to provide a Windows user name and password before establishing a connection with restricted content.
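The rule that Basic, Digest and integrated Windows authentication are used only when anonymous access is disabled or is refused by NTFS, modelled as a Python check over a site's metabase AuthFlags (an added example, not part of the IIS documentation or product; the bit values are the MD_AUTH_* metabase constants, the site states are constructed, and the caveats repeat what this page says about each method):

```python
# Bit values of the IIS metabase AuthFlags property (the MD_AUTH_* constants).
# The site states exercised in the tests are constructed for this example.
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM, AUTH_MD5 = 0x1, 0x2, 0x4, 0x10
SCHEMES = {AUTH_BASIC: "Basic", AUTH_MD5: "Digest", AUTH_NTLM: "Integrated Windows"}

# Conditions the page attaches to each non-anonymous method
CAVEATS = {
    "Basic": "user name and password cross the network unencrypted",
    "Digest": "needs IE 5.0+ and a Windows 2000 DC holding clear-text copies of passwords",
    "Integrated Windows": "Internet Explorer only; the password never crosses the network",
}

def resolve_authentication(auth_flags, ntfs_allows_anonymous_account):
    """Work out how a request to a directory will be authenticated.

    Anonymous access is used whenever it is enabled and the NTFS ACL admits the
    anonymous (guest) account. Only when anonymous is disabled, or NTFS denies
    that account, does the server fall back to the other enabled methods.
    """
    if auth_flags & AUTH_ANONYMOUS and ntfs_allows_anonymous_account:
        return {"outcome": "anonymous", "offered": [], "caveats": {}}
    offered = [name for bit, name in SCHEMES.items() if auth_flags & bit]
    if not offered:
        # Anonymous is refused and nothing else is enabled: the request is denied
        return {"outcome": "denied", "offered": [], "caveats": {}}
    return {"outcome": "challenge", "offered": offered,
            "caveats": {name: CAVEATS[name] for name in offered}}

def exposes_cleartext_credentials(auth_flags, ntfs_allows_anonymous_account):
    """True when a site can fall back to Basic, i.e. passwords may cross the wire."""
    result = resolve_authentication(auth_flags, ntfs_allows_anonymous_account)
    return result["outcome"] == "challenge" and "Basic" in result["offered"]
```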