
devicemanage
Premium Member
join:2002-03-16
Southampton, PA

iis7 and password protecting a web directory

I currently have a security camera sending snapshots via ftp to a folder that I would like to make password protected to a single user on the web. I currently have it set up using basic authentication but cannot lock down the directory so that only one user's credentials will allow him access. No matter what I do, even deny domain users from the directory, anyone with an account can gain access. Am I missing something here? Currently the directory just has the administrators group, creator and owner permissions. The ftp is using an account in the administrators group and is working perfectly; I just don't want anyone logging in. Need to use the basic authentication because I need a cell phone that only supports that version of authentication. Thanks...

Robert
Premium Member
join:2001-08-25
Miami, FL

Have you tried with web.config?

»www.iis.net/ConfigRefere ··· rization

devicemanage
Premium Member
join:2002-03-16
Southampton, PA

No I haven't, I just thought there would be an easier way to manage it with some directory security like you would an ftp site?

Robert
Premium Member
join:2001-08-25
Miami, FL

Ahh. I wouldn't know as I don't use FTP on my IIS7 server. We develop the website directly on the IIS7 server.

netboy34
Premium Member
join:2001-08-29
Kennesaw, GA

to devicemanage
»www.iistools.com/en/iisp ··· ord.html

iis password... used it on my iis6 server... it hasn't been updated in a while, but it might still work on IIS7 since it is 64bit compatible... it's free for up to three users, so it might be worth a shot

mansplainer
join:2001-11-01
Charleston, SC

to devicemanage
Sorry late reply here ... but what you are trying to do should work. What is getting logged for the requests by "non authorized" users?

devicemanage
Premium Member
join:2002-03-16
Southampton, PA

It states error 401 - Unauthorized: Access is denied due to invalid credentials. Any help would be greatly appreciated.

cowboyro
Premium Member
join:2000-10-11
CT

to devicemanage
I am a bit confused about what you're trying to achieve.
Are you saying that you're setting permissions for FTP for one single user, but everyone in the domain is able to FTP? Or everyone in the domain is able to access the local folder where the files are dumped through the network? Or everyone in the domain is able to access the folder via HTTP?

devicemanage
Premium Member
join:2002-03-16
Southampton, PA

The directory is not shared, but via ftp the camera can reach it to deposit pictures. That part is working. What I want is to be able to access the ftp directory via the web so that only one user can gain access. Currently all domain users can access the directory even though the security permissions do not specify domain users as being granted permission.

The ftp is locked down to the specified users. However via the web, anyone with a domain account can log in.

cowboyro
Premium Member
join:2000-10-11
CT

to devicemanage
I assume the basic auth module is already installed.
Edit directory properties in IIS. Remove anonymous access and enable basic auth.
In directory security remove all users except an admin (for future management), the account used for FTP and the account for web access.
That should do it. I tested and it worked... Play with a subdirectory just to be on the safe side until you make sure it works for you as intended.

Now the real question is why not make a very simple app that serves the image? You could control access via a web login form and use cookies for future access.

devicemanage
Premium Member
join:2002-03-16
Southampton, PA

On the directory in iis all I have enabled is basic authentication. In directory security all there is, is administrator, owner and system. Any domain user can log in, really weird...

cowboyro
Premium Member
join:2000-10-11
CT

Remove all but admin and the web user.

mansplainer
join:2001-11-01
Charleston, SC

to devicemanage
That doesn't quite make sense, this is an error indicating the user doesn't have access but yet in your OP you say anyone can access. Also, this isn't from the IIS log file, and a 401 error will have a sub status code usually of a "1" (typically means a bad username or password was supplied) or a "3" (the user does not have NTFS permissions to the content requested).

Can you paste a snippet of your IIS log file that shows an access attempt? This will tell us the username that was granted access.

devicemanage
Premium Member
join:2002-03-16
Southampton, PA

Here is a snippet

2012-06-15 14:54:35 W3SVC3 VM-XXXX 192.168.100.10 GET /snap - 80 jacki ipaddress HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+PC+NAME+PC+6.0;+InfoPath.3;+.NET4.0C) - - www.domainname.com 301 0 0 379 566 133

The security tab just has the users administrators, system and creator. Another weird thing is the ftp side of this directory uses the iusr account to push images over, but that account isn't in the list. I tried changing the ftp to use a specific account and when I hit apply it reverts back to the iusr account. Just thought I would throw that out there hehe. Thanks for hanging in there with me guys!

mansplainer
join:2001-11-01
Charleston, SC

looks like this is showing us the user "jacki" was granted access, and the status code here is a 301 which means the server is telling the browser that it needs to redirect.
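
Added example, not part of any post in this thread: a small triage of IIS W3C log rows for the protected directory, separating the 401.1 and 401.3 sub-statuses mentioned above from redirects and from content actually served to an account outside the intended list. The allowed account name `camviewer` and the sample log rows are constructed for illustration; the parser reads column order from the `#Fields:` directive, so it also works on the full field set shown in the snippet above.

```python
# Added example, not from the thread. ALLOWED_USERS and SAMPLE_LOG are constructed.
PROTECTED = "/snap"            # directory discussed in the thread
ALLOWED_USERS = {"camviewer"}  # hypothetical: the one account meant to have web access

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username sc-status sc-substatus
2012-06-15 14:54:35 GET /snap jacki 301 0
2012-06-15 14:54:40 GET /snap/ jacki 401 3
2012-06-15 14:55:02 GET /snap/ bob 401 1
2012-06-15 14:55:10 GET /snap/cam1.jpg DOMAIN\\jacki 200 0
2012-06-15 14:55:30 GET /snap/cam1.jpg camviewer 200 0
2012-06-15 14:56:00 GET /other/index.htm jacki 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def triage(text, prefix=PROTECTED, allowed=ALLOWED_USERS):
    """Return (time, user, verdict) for each request under the protected path."""
    out = []
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        if stem != prefix and not stem.startswith(prefix + "/"):
            continue
        user = r["cs-username"].split("\\")[-1].lower()  # drop a DOMAIN\ prefix
        status, sub = r["sc-status"], r["sc-substatus"]
        if status == "401":
            verdict = {"1": "denied: bad username or password",
                       "3": "denied: NTFS permissions"}.get(sub, "denied: 401." + sub)
        elif status in ("301", "302"):
            verdict = "inconclusive: redirect, check the follow-up request"
        elif status in ("200", "304"):
            verdict = "ok" if user in allowed else "FINDING: served to unexpected user"
        else:
            verdict = "other: HTTP " + status
        out.append((r["time"], user, verdict))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep="  ")
```

A 301 row on its own only shows the redirect from `/snap` to `/snap/`; the row that settles whether an account can read the content is the request that follows it.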

devicemanage
Premium Member
join:2002-03-16
Southampton, PA

Yes, because that was who I logged in as - jacki currently does not have any permissions on that directory. If I was to log in with the specified account that has access, it says that I logged in with that account.

The only thing I can think of is I have ftp and web settings on the same directory, but I have done that before on a 2003 server without a hitch.