Applying Security Using IIS 5.0 (Windows 2000 Server) || |
Microsoft Internet Information Services (IIS) 5.0 bundled with Microsoft Windows 2000 Server uses Active Directory, ADSI, and Directory Services to set/read permissions to provide security for the web pages.
IIS 5.0 uses the native security features of the NTFS file system and Active Directory Users and Computers (or Computer Management Console) to provide security for web pages. In order to password protect ProblemTracker on this web server you must install it on an NTFS file system.
Microsoft Windows 2000 provides tightly integrated and flexible security.
Thus the security permissions on the Windows 2000 directories are very restrictive by default.
- Enable Password Protection
- Start the Internet Services Manager ( Start->Programs->Administrative Tools->Internet Services Manager )
- Double click on the computer/domain name under the folder "Internet Information Services"
- Select the Default Web Site or a Web Site in which the ProblemTracker virtual directories (e.g. ptdev, ptdev2, ptdev3, ptdev4, ptweb etc.) are created.
- Double click on the content directory folder (ptdev or ptweb) in the left window pane. The files included in the ptdev or ptweb folders are displayed in the right window pane.
- For each file or folder that you would like to password protect, repeat the following steps:
- Right click on the file or directory. A pull down menu appears. Select Properties.
- Select the File Security (or Directory Security) tab.
- Press the Edit... button in the Anonymous Access and Authentication Control.
- Unselect Allow Anonymous Access.
- Select Basic Authentication. A warning dialog box will pop up. Press Yes. Press the Edit... button for Basic Authentication.
- An input dialog for Basic Authentication Domain will pop up. Select the appropriate domain for your web Server. In most cases it should be the local domain. If so, select Use Default and press OK.
- Press Ok in the Authentication Method dialog box.
- Press Apply and then OK in the Properties dialog box.
- Define Windows 2000 Users
- Start the Computer Management Console ( Start->Programs->Administrative Tools->Computer Management ). If your server is a domain controller, then Start Active Directory Users and Computers Start->Programs->Administrative Tools->Active Directory Users and Computers ).
- Click on the folder which displays the local users and groups.
- You should see the default user you added to allow anonymous access to the web server (IUSR_HostName, where HostName is the name of your machine). Click Action on the tool bar at the top. Click New->User from the pulldown menu.
- Enter the user name and the logon name you'd like to use limit access to ProblemTracker (for example, an Administrator named "ptadmin") and click "Next" button. In the next dialog, enter the
password and uncheck all the check boxes except for the one labeled "Password Never Expires" and click "Next" button. If the next dialog, if you wish to create an Exchange mailbox account, then check the option "Create an Exchange Mailbox" and give the necessary values and click "Next" button. A summary of the user list will be displayed, now click "Finish".
- Right click on the newly created user (for example "ptadmin") and click "Properties" from the pulldown menu.
- In the new dialog, click "Member of" tab. Click "Add" button choose the desired groups from the list of groups displayed and click "Add" button and then click "OK" twice to close the two dialogs.
In general only the Guests and Users groups are necessary.
- Use Console->Exit to close Computer Management Console or Active Directory Users and Computers.
- Set File/Directory Security on Windows 2000 Server
- Start the Windows 2000 Explorer ( Start->Programs->Accessories->Windows Explorer )
- Select the directory where ProblemTracker is installed, either ptdev or ptweb.
- In the right pane of the Explorer, select the directory or file(s) you would like to limit access to. You can select multiple items by holding down the Control key as you click on files.
- With the files or the directory highlighted, select the "File->Properties" menu or right click and choose Properties menu, and click on the Security tab of the dialog.
- By default "Everyone" in the list will have all the check boxes checked (and grayed) under the column "Allow" and none checked under the column "Deny".
- Delete the default permission for "Everyone" and any others that grant access to anyone you do not wish to have access to the selected directory or files, by selecting those users and clicking the "Remove" button. If you do not wish for an individual to see a web page, make sure the user does not have Read checkbox checked under the column "Allow" (or if the Read checkbox is checked and grayed then check the Read checkbox under the column "Deny") for the file or directory.
- Press the "Add..." button to display the "Select Users, Computers and Groups" dialog. Under "Look In:" select your Windows 2000 domain name. Now add any particular user/group (for example "ptadmin" you would like to give access the selected directory or files by selecting their names (press Cntrl to select multiple users/groups), and pressing the "Add" button. The users/groups will be listed in the list below. Now click "OK" to close this dialog. The users/groups chosen will get added to the list. You can grant/deny permissions for each user/group by checking/unchecking the checkboxes under the columns "Allow" and "Deny".
- Refer to the table in the Web Server Security Overview section to determine which content directories and program files you would like to protect based upon function. Then repeat the process described here for each of the directory.