Access Control in IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 with SP1

You can control which users and computers can access your Web server and its resources. There are two main types of access control: NTFS permissions, which are controlled by the operating system, and Web site permissions, which are controlled by IIS. You can also use IP address restrictions to limit access by specific computers. To help secure your Web server, you should use a defense-in-depth strategy that combines suitable authentication methods with tools such as firewalls and the appropriate NTFS permissions and Web site permissions. IIS built-in accounts and features, such as URL authorization, help you control access to resources on multiple levels, from entire Web and FTP sites to individual files or specific URLs.

  • Securing your files with NTFS. When you use the NTFS file system, you can limit access to your Web server's files and directories. You can configure the file and directory permissions that set the access level assigned to a particular user account or user group. For example, you can configure your Web server to enable a specific user to view and execute a file, while excluding all other users from accessing that file.

  • Securing your site with Web site permissions. Web permissions, unlike NTFS permissions, apply to all users who access your Web site, regardless of who they are; NTFS permissions apply only to a specific user or group that has a valid Windows account. NTFS permissions control access to the physical directories and files on your server, whereas Web permissions control which operations (for example Read, Write, Script, or Execute) are allowed on the virtual directories of your Web site. The two are evaluated independently, and if they conflict for a resource the more restrictive setting applies. Note that for an anonymous request the NTFS check is made against the IIS anonymous user account (IUSR_computername by default), so Web permissions alone are not a substitute for correct NTFS permissions on the content.

  • Securing your site with IP address restrictions. With IP address restrictions, you can configure your Web server to grant or deny specific computers, groups of computers, or domains access to Web sites, directories, or files. For example, if your intranet server is connected to the Internet, you can prevent Internet users from accessing your Web server by granting access only to the address ranges of your intranet and denying access to everyone else. Restrictions are evaluated on the source IP address of the connection, so they cannot distinguish between users behind a shared proxy or NAT device and should complement, not replace, authentication. Restricting by domain name requires a reverse DNS lookup for each request, which affects performance.

How Access Control Works

Access control involves both user rights and permissions. User rights are rights that allow a user to perform specific actions on a computer or network. Permissions are rules that are associated with an object, such as a file or folder, to regulate which accounts can gain access to that object. After you configure your Windows file system and Web server security features, when a user attempts to access your Web server, the server carries out several access-control processes to identify the user and determine the allowed level of access.

Figure 5.4 shows how the access-control process works.

[Figure 5.4: The access-control process]

The following steps outline the access-control process:

  1. The client requests a resource on the server.

  2. The IP address of the client is checked against any IP address restrictions in IIS. This check happens before any authentication. If the IP address is denied access, the request fails, and a 403 Forbidden response (substatus 403.6, IP address rejected) is returned to the client.

  3. The server, if configured to require it, requests authentication information from the client. The browser either prompts the user for a user name and password or offers this information automatically.

  4. IIS verifies the supplied credentials against a valid Windows user account; for anonymous access, the request is mapped to the anonymous user account instead. If logon fails, the request fails, and a 401 Unauthorized (Access is denied) response is returned to the client.

  5. IIS checks whether the Web permissions on the virtual directory allow the requested operation. Because Web permissions apply to every user, the user's identity cannot rescue the request at this step: if the permission is missing, the request fails, and a 403 Forbidden response is returned (for example 403.2, Read access forbidden, or 403.1, Execute access forbidden).

  6. Any additional security processing configured for the application, such as ASP.NET impersonation, is applied.

  7. For static files, ASP pages, and CGI programs, the NTFS permissions on the resource are checked against the authenticated identity (the anonymous user account for anonymous requests). If that identity does not have the required NTFS permissions, the request fails, and a 401 Unauthorized response (substatus 401.3, unauthorized due to the ACL on the resource) is returned to the client.

  8. If the user has NTFS permissions, the request is fulfilled.
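The sequence above, as an added example in Python (written for this page; it is not IIS code and not Microsoft's). It models the order in which IIS 6.0 evaluates IP restrictions, Windows logon, Web permissions and NTFS permissions, and returns the status code each failure produces. The `Site`, `handle`, `ip_allowed`, `authenticate` and `ntfs_allows` names, the sample site, accounts, address ranges and ACLs are all constructed for the example; the `AccessFlags` bit values mirror the IIS 6.0 metabase, and the mapping of file extensions to a required Web permission and NTFS right is a deliberate simplification.

```python
"""Added example: a model of the IIS 6.0 access-control sequence (steps 1-8).

Illustrative code written for this page, not IIS code. The sample site,
accounts, networks and ACLs are constructed; the status strings use the
IIS 6.0 substatus codes for each kind of failure.
"""
import ipaddress
from dataclasses import dataclass

# Web permission bits; the values mirror the IIS 6.0 metabase AccessFlags property.
ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE, ACCESS_SOURCE, ACCESS_SCRIPT = 1, 2, 4, 16, 512

# Web permission and NTFS right a request needs, keyed by file extension
# (simplification assumed here: static and ASP content is read, CGI is executed).
NEEDS = {"htm": (ACCESS_READ, "R"), "asp": (ACCESS_SCRIPT, "R"), "exe": (ACCESS_EXECUTE, "X")}


@dataclass
class Site:
    grant_by_default: bool   # IP restriction default: True = grant everyone except the exceptions
    ip_exceptions: list      # ip_network objects that flip the default
    accounts: dict           # username -> password (constructed sample, plaintext for brevity)
    anonymous_account: str   # IUSR_<computername>, or None if anonymous access is disabled
    web_flags: dict          # virtual directory -> AccessFlags bits
    groups: dict             # account -> set of group names
    acls: dict               # file name -> list of (principal, allow?, rights) ACEs


def ip_allowed(site, client_ip):
    """Step 2: IP address restrictions are evaluated before any authentication."""
    addr = ipaddress.ip_address(client_ip)
    in_exception_list = any(addr in net for net in site.ip_exceptions)
    return site.grant_by_default != in_exception_list


def authenticate(site, credentials):
    """Steps 3-4: map the request to a Windows account, or None if logon fails."""
    if credentials is None:
        return site.anonymous_account   # None when anonymous access is switched off
    user, password = credentials
    return user if site.accounts.get(user) == password else None


def ntfs_allows(site, path, account, right):
    """Step 7: NTFS ACL evaluation; explicit Deny ACEs take precedence over Allow ACEs."""
    principals = {account} | site.groups.get(account, set())
    aces = [ace for ace in site.acls.get(path, []) if ace[0] in principals and right in ace[2]]
    if any(not allow for _, allow, _ in aces):
        return False
    return any(allow for _, allow, _ in aces)


def handle(site, client_ip, vdir, path, credentials=None):
    """Run one request through the whole sequence and return the HTTP result."""
    if not ip_allowed(site, client_ip):
        return "403.6 Forbidden: IP address rejected"
    account = authenticate(site, credentials)
    if account is None:
        return "401.1 Unauthorized: logon failed"
    need_web, need_ntfs = NEEDS.get(path.rsplit(".", 1)[-1], (ACCESS_READ, "R"))
    if not site.web_flags.get(vdir, 0) & need_web:
        # Web permissions apply to everyone, so identity cannot rescue the request here.
        if need_web == ACCESS_READ:
            return "403.2 Forbidden: Read access forbidden"
        return "403.1 Forbidden: Execute access forbidden"
    if not ntfs_allows(site, path, account, need_ntfs):
        return "401.3 Unauthorized: ACL on resource"
    return "200 OK"


# Constructed sample: a public site that denies one address block and runs scripts
# only under /scripts, where the anonymous account is explicitly denied by NTFS.
SITE = Site(
    grant_by_default=True,
    ip_exceptions=[ipaddress.ip_network("203.0.113.0/24")],
    accounts={"alice": "s3cret"},
    anonymous_account="IUSR_WEB01",
    web_flags={"/": ACCESS_READ, "/scripts": ACCESS_READ | ACCESS_SCRIPT},
    groups={"alice": {"Staff"}, "IUSR_WEB01": {"Users"}},
    acls={
        "default.htm": [("Users", True, "R"), ("Staff", True, "R")],
        "report.asp": [("Staff", True, "R"), ("IUSR_WEB01", False, "R")],
    },
)

# Constructed sample: an intranet server that denies by default and grants only 10/8.
INTRANET = Site(False, [ipaddress.ip_network("10.0.0.0/8")], {}, "IUSR_INTRA01",
                {"/": ACCESS_READ}, {"IUSR_INTRA01": {"Users"}},
                {"default.htm": [("Users", True, "R")]})

if __name__ == "__main__":
    for args in [("203.0.113.5", "/", "default.htm"), ("198.51.100.7", "/", "default.htm"),
                 ("198.51.100.7", "/", "report.asp"), ("198.51.100.7", "/scripts", "report.asp"),
                 ("198.51.100.7", "/scripts", "report.asp", ("alice", "s3cret"))]:
        print(args, "->", handle(SITE, *args))
    print("intranet client:", handle(INTRANET, "10.1.2.3", "/", "default.htm"))
    print("internet client:", handle(INTRANET, "192.0.2.1", "/", "default.htm"))
```

The two `report.asp` cases show the point made under step 5 and step 7: under `/`, which lacks Script permission, the request fails with 403.1 for everyone, while under `/scripts` the same anonymous request passes the Web permission check and is then stopped by the NTFS Deny ACE on `IUSR_WEB01`; only a logon as a member of `Staff` succeeds. Real IIS may offer another authentication scheme after a 401, which this model does not attempt.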