I've set up a site in IIS and even though the permissions on the folder are correct I still get "500.19 Cannot read configuration file due to insufficient permissions". To make it simple I've set full control (it's only for local use) instead of the "correct" permissions and they are set for authenticated users, system, my user account, administrators, iis_iusrs and my app pool. I've got these exact same permissions set on another computer and browsing the site works like charm on that one.
If I choose to runt the app pool as LocalSystem instead of ApplicationPoolIdentity the site load but without any of the static content (images, css, scripts, etc.).
Any idea what might be wrong here? Seems like a lot of people out there are having the exact same problem but no matter how much I search and read up on it there is no solution to be found.
These problems can be tough to answer because so many different things could cause this. Many times more than one thing is wrong. However, there might be a simple solution.
If switching the app pool to LocalSystem works, that is a start. Regarding the subsequent problem, I would suggest checking the links in the webpage to be sure they are pointing to valid locations on the server. If so, and you are still having trouble, please reply with the version of IIS that you are using and the authentication method used for the site.
Tom answered this question in his comment above but I don't know how to mark a comment as a solution. This is what he wrote:
"It sounds like your static content files might not have inherited the permissions you've set on the parent folder. To blanket set the permissions on all files and folders, go to the folder properties of the parent folder, click the security tab and select advanced, check the Replace all child object permission entries with inheritable permission entries from this object then click Apply."
Related
Somehow somebody is hacking our global.asa file (IIS 7.5). We do not use our global.asa file for anything, but when somebody inserts code into it, it of course used.
Initially, we didn't even have a global.asa file on the site until somebody pushed it there.
While we're reviewing permissions, firewall, all other security measures, is there any quick way we can totally stop IIS from looking for the file?
Yes, our site is traditional ASP.
Thanks!
You could try adding an empty global.asa and set the permissions to be very restricted, so basically only 'read' access to IIS_USR account
The problem
We're running IIS on Windows 8.1 with Update. We're at the Orchard CMS first time setup screen, and IIS is giving 401s for all static content. We have read the following to no avail:
IIS 7.5 no images css js showing
IIS 7.5 no images css js showing
The official Orchard deployment documentation
Based on those, this is what I have tried that doesn't work.
Turn on the IIS feature to Serve Static Content.
Give IIS_IUSRS permission to Read, write & execute.
Give the site's application pool permission to Read, write & execute.
What does work though is the nuclear option: to give Everyone the Read permission (unless we want to proceed with the Orchard setup; then we need to give Everyone even more permissions.) That leads me to believe that I must give permission to some principle with less scope than Everyone but more scope than both IIS_IUSRS and the application pool combined.
Who/what is that principle?
Pictures to show the problem
We receive a 401 on ..\Themes\SafeMode\Styles\site.css
The task manager confirms that the site is running as the orchard user.
The security properties of the ..\Themes\SafeMode\Styles\ directory gives Read permission to orchard.
Why does it only work when we give Read permission to Everyone?
I had a similar problem. Under authentication, I right clicked "Anonymous Authentication" and clicked "Edit". That shows a dialog giving you the ability to set the identity of the anonymous user. I set it to "Application pool identity" and that fixed the problem for me.
.
This may not be the most secure configuration though, but I'm on a dev server so I don't care.
Try turn on the Static Content and Directory Browsing features under Internet Information Services->World Wide Web Services->Common HTTP Features node.
In my case I had to set Read permission for IUSR user for the web site folder.
So, what I had to do to fix this problem was the following:
(and please understand, that this is not ASP or PHP script related, the server wouldn't even show basic simple .html files, yet would serve out PHP results all day long!)
Two fold…
Had to set the application pool for each site, under advanced settings, to use LocalSystem for it’s process
Under site, advanced settings, security, add the IUSR account to have read & list contents access, for the site… :-)
See any problems with doing that?
'cuz it's working....
Updating windows feature for WWW services/Common Http Features/static content by selecting Static Content checkbox fixed my IIS not service static content issue.
Open IIS -> go to advanced settings of selected website and open Physical Path Credentials -> Select specific user and enter your local user credentials. Open below screenshot for further visualising the things:
IIS Settings
I'm relatively new to dotnetnuke and am trying to set up a simple site which will have multiple user groups with their own set of files and then another user that has access to all files.
I'm currently playing with doing this with the "documents" module and hiding the module from all but the everything user and the specific company user. This works fine but the security seems to be just security by obscurity.
If I log in as User A and get access to file A and copy its url. I then log out and log in as user B who can't see that file. If I then put the file url into the browser it seems to download fine.
Can anybody tell me if I am doign something wrong or is there no actual user based security on file downloads? I've tried goign to the actual file manager and making the directories explicitly not viewable to user B (they are secure directories too) but still it persists. Am I missing a permissions option at the file level somewhere or is the security designed to just prevent you finding the right links to the files? I'll admit the links aren't guessable (no sequential ids in the url or anything silly like that) but I'm still a little uncomfortable with the security working like this...
DNN FileManager Module
Hi Chris,
Please check out the FileManager module per above link. You are correct that the current FileManager module does not allow access per user roles. You might check Snowcovered for possible substitutes?
It seems that I was doing something wrong. I was referencing a different version of the file which didn't have any permissions attached to it. It seems also that I don't need to have multiple documents modules since if a file doesn't have read permission it will just be hidden in the list.
So to summarise the DNN Documents module will do role based security to prevent unauthorised users from downloading the file and from seeing it in the documents view.
Documents module provides security for LinkClick.aspx urls that are routed to ASP.NET.
If the actual files reside in the file system under the site's root folder, direct urls to these files are served and secured by IIS.
To prevent unauthorized access to direct urls you can disable anonymous authentication and set up Basic authentication with NTFS permissions, for example.
If don't want to touch IIS and administer Windows accounts, you can't store the files directly under any publicly available IIS folder. Security at the ASP.NET application-level is implemented using file encryption or storing the files outside the public IIS folders, like in the database. DNN File Manager offers both of these options: secure folders in the file system and secure folders in the database.
There are also 3rd party modules to manage file security and sharing, like NukeTransfer.
In our Sharepoint implementation users have been granted site collection admin rights. On a few occasions they've managed to delete a subsite or even the entire site collection. I'd like to be able to block this but not being a developer I'm finding it pretty tricky.
I've had a look at the MSIT site delete capture tool to try to understand how that's working and it seams fairly straight forward. I want to override the delete function and either block it entirely or have the user type a password. What I can't see is any way to fully override the default behavior as it looks like the MSIT tool simply adds some functionality (backs up the site) then falls back into the default behavior.
So my question is, can I prevent the default behavior or can I only add actions before or after it fires?
Thanks in advance
Change the user permissions may be the best way to go. site collection admin is a crazy level of access for normal users.
Two answers:
You cannot prevent site deletes without either coding up something yourself, or buying a product to help you with "site lifecycle management" or "site governance" or some other vague term they use to describe this sort of thing.
The Site Delete Capture Tool may be good enough for you. It doesn't prevent any kind of deletions, but it does take a crude backup that (hopefully) allows you to restore anything they delete. We're using this tool in production and it works.
You could try to edit the site settings aspx file and comment out the delete site link, don't have a setup around to try that. While users could delete the site in other ways it would prevent the most common method.
Other option for important sites would be to make sure the site has a sub-site, if one does not already exist create one and don't user any access. The site would not be seen by the users and it would prevent them from deleting the parent site.
As for programming, in the before behavior you can return a false to stop the action. Just be sure to place a work around so you can delete a site.
A Site Collection administrator has the permission to delete sites and it should stay that way. We have modified MSIT to do additional stuff
The best way to limit user privileges is to put users in the right SharePoint group (ie) Owners, Members, Visitors or you could create a new group with right permission/permission levels.
Not quite sure how to troubleshoot this. I'm maintaining an ASP site, its mostly static, but there's this one include page which brings the menu.
Just recently I replaced some images, but now when I try the site, I get a prompt for a password as if It were looking for something on the local network!
I checked, all image paths are written up correctly, all images are unblocked (a W2k3 safety feature) and all images are set to allow-all on all users ... yet still, I get a password prompt!
Here's a sample page where it happens: http://www.iossolution.com/company/aboutus.asp (Windows only, it seems)
Thanks.
/mp
mauriciopastrana,
Check that the appropriate user has permission on the files in the windows file system. For W2K3 and IIS6 I think that user is typically NETWORK SERVICE.
Also check that the images directory has the intended authentication setup in IIS. You'll likely want to have the "enable anonymous access" checkbox checked and the "Integrated Windows Auth" box checked. You might also need to make sure that the IUSR_SERVERNAME user has access to the images.
Good luck!