We are using a dedicated hosting provider to host several of our public websites. There are two development teams/divisions within our company who each maintain public websites on these same servers. Is there a way through ACLs or some sort of rights management (e.g. individual logins) that I would only be able to see and maintain only my public sites and the other development team could only see and maintain their sites?
Thanks!
Chris
Sure - File ACLS is probably the way to go, if you've got access to the server.
You can set up a directory called Site1 and ACL Change rights to a local Group "LG-Site1" with the appropriate users, and directory Site2 with change rights for group "LG-Site2".
You do state that you want to only see your site, not the other site - the challenge with this is that if you are logging in to the server, you probably have admin rights, or at least rights up to the point where anything you do to lock yourself out of the Site2 directory can be reversed - either by temporarily granting your self rights or adding your self to LG-Site2. Not necessarily a show stopper, but certainly a consideration.
You can also set up FTP so that each dev team can publish to their directory, but not get in to the other.
Related
I have an IIS-hosted website that has 11 web services each running under their own virtual application. For each, the underlying folder is a child of the hosting site's folder. All have existed for a year or more, but web service A may never have been actually tested when deployed, the others have been actively used.
We've recently decided to use Service A, made code changes and deployed. Attempting to reach the service throws a 401.3 authorization error:
You do not have permission to view this directory or page.
I've compared virtually everything I can find in IIS (App Pool settings, ASP.NET, IIS and Management Features, etc.) about Service A and it's peers with nothing seeming different.
Once I added IUSR to Service A's permissions, it responded normally. However, none of the other services have this account among their permissions, yet work fine.
Can someone shed a light on why a single virtual app that very closely mirrors ten others would need IUSR specifically listed among granted users?
The IUSR is used by the anonymous authentication. If you have enabled anonymous auth in the ServiceA, that contents is accessed by IUSR. Is the authentication setting different from ServiceA and other websites.
I've got a little server plugging along, with IIS and some other stuff. Is it possible to allow a second user access to the IIS Manager, with the ability to create and edit sites, but keep the two accounts' sites separate?
I'm not worried about security between the two accounts, just separating the two account's sites for neatness and so that one user doesn't accidentally change something tied to the other account. At the moment I have two users part of the administrators group, and if I open IIS Manager with either one they both show all the sites.
A similar question has already been asked: how to create hidden web site on IIS
Can you please expand the answer of that thread?
Update 1
Connecting to sites remotely would allow the other sites to appear hidden as you would only see the connecting site. See: How to use Internet Information Services (IIS) 7 Manager to connect remotely to your website.
Update 0
As for hiding sites and other features, check out: What is administration.config for IIS?
One little known feature of IIS7 is that it's UI is entirely extensible! This means that anyone can write a C# assembly and get it displayed through the IIS Manager UI. The possibilities here are endless, anything from someone writing a new certificate management system, a website provisioning system, etc.
I haven't found documentation stating that the actual sites can be hidden but it sounds like it should be possible.
An Overview of Feature Delegation in IIS 7.0 may also provide the ability to hide sites.
Other links:
How do I hide 'non-delegated' features in IIS 7?
Based on your description, Microsoft's documentation on Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) might prove helpful. For instance:
Allow an IIS Manager User Account to Connect to a Site or an Application (IIS 7)
Note: For IIS Manager users to connect to sites and applications for which you grant permission, you must configure the management service to accept connections from users who have IIS Manager credentials. For more information about how to configure the management service, see Configuring the Management Service in IIS 7.
Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) - Emphasis added.
Use the IIS Manager Permissions feature to allow users to connect to sites and applications in IIS Manager. Remove a user account when you no longer want the user to configure delegated features in a site or an application.
Permitted users can configure delegated features in any sites or applications for which you grant them permission. Users can be either IIS Manager users, which are credentials created in IIS Manager by using the IIS Manager Users feature, or Windows users and groups on the local computer or on the domain to which the computer belongs.
I am trying to have my local website within dropbox using IIS. When I add the dropbox directory I get the error: The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path.
I am admin and have allowed all access to the dropbox folder. What is wrong?
You should add IIS user account to the list of users who are allowed to view/read the files. IIS usually runs via separate user account for security reasons.
This is done the following way:
Right-click on your site folder in Dropbox
Select "Security"
Click "Add"
Find IUSR user and/or IIS_IUSRS group
Add them both (or one, if only one is present) and assign them read permissions
Try adding your site folder again.
This should fix the issue.
I am learning how to setup a shared hosting web server.
As a server administrator whose the highest access level in the server, I want to grant my friends as site administrators access to their own sites.
The question is:
What is the best way to setup their accounts and what level of access should be granted to them?
Edit 1:
I want them to have remote access to their own resources using IIS Manager. By this way, I can mimic a real shared-hosting server.
You can install a FTP server. And assign the permission to access a folder for a user with user name and password.
Use the delegated administration on IIS.
I have a webservice running under sharepoint, on a bog-standard Server2003/IIS6 setup. This webservice needs to open and read a file from a share on another machine in the same domain. At the moment I am getting a
System.UnauthorizedAccessException: Access to the path '\strand\DROPBOXES\MattTrinder\SharepointShared\bd116dfa-be0e-4c58-93e6-3fb93fa0ef22.tmp' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
What permissions do I need to grant to which accounts to allow this webservice to open and read the file ?
Using "\\sharepointserver\c$" works fine...
Thanks
Matt
The account you grant access to, has to exist on the target (where the share exists) as well (either the same domain account, or a local account with the same password). Since the IIS-user normally has an auto-generated password and is local, this is hard.
The way we solve this, is to run the website as a different user (that we created ourselves), and grant this user permissions to access the share on the remote PC. Note that both the sharing permissions have to be correct, and the file system permissions.
You need to grant read access in the file system level and in the share. The problem is that sharepoint runs (probably, because it can be changed) under network service account that has no access to the network.
options:
If you are using integrated authentication for the web service. Then you have to grant the permissions to the users that the web service client runs under. But don't go this dark path. Because delegation is very hard to configure.
If you have anonymous access to the web service, make sure that the application pool that the web service runs under run with user permission of explicit user that have access to that said file. This can be configured with the sharepoint administration site. Or with computer management mmc.
Classic asmx web services by default run as the IUSR_ account. This may not have permission to access the network path. You can change this to a domain account by changing the application pool identity.