Hi,
There are two "things" you need to be aware of:
a) authentication <- user needs to type in a valid Windows username/password
(anyone who types in something else does not get access)
-and-
b) authorisation <- user credentials supplied in (a) need to have permission
to perform the requested action (eg read a webpage).
So, if you just disable "Allow Anonymous Authentication", and enable Basic
or IWA, then anyone with a valid Windows account can still view the pages by
entering a valid windows username/password (on IIS 4 and IIS 5) because the
Everyone Windows group has Read (RX) NTFS permissions to all files in the
website (by default).
To prevent this, you need to adjust the NTFS permissions on the files in
question so that only users that you wish to allow access can read the
files.
For more info, grab the same chapter of my IIS 6.0 security book - there's a
link on my homepage:
www.adopenstatic.com
Cheers
Ken
"Cliff" <newsgroup1.RemoveThis@NOSPAM.wiebe.ws> wrote in message
news:Xns950DE5FDACCFEnewsgroup1wiebews@207.46.248.16...
: Eventually I'd like to be able to authenticate a list of users/passwords,
: but I'll start with a single person.
:
: I'm tried basic authentication and IWA, and the login window pops up with
: both options. However, regardless of which authentication I try the user
: can type anything in the login box and they are given access.
:
: Any suggestions here please?
: Thanks in advance.
: Cliff
FAQ
Profile
Private Messages
Log in
