Overview

Microsoft Internet Information Services (IIS) 5.0 bundled with Microsoft Windows 2000 Server uses Active Directory, ADSI, and Directory Services to set/read permissions to provide security for the web pages. IIS 5.0 uses the native security features of the NTFS file system and Active Directory Users and Computers (or Computer Management Console) to provide security for web pages. In order to password protect ProblemTracker on this web server you must install it on an NTFS file system. Microsoft Windows 2000 provides tightly integrated and flexible security. Thus the security permissions on the Windows 2000 directories are very restrictive by default.

Instructions

The following instructions assume a workgroup named pteval is installed. For your workgroup, substitute your workgroup name for "pteval" in the steps below.

Enable Password Protection

1. Start the Internet Services Manager (Start -> Programs -> Administrative Tools -> Internet Services Manager).
2. Double click on the computer/domain name under the folder "Internet Information Services".
3. Select the Default Web Site or a Web Site in which the ProblemTracker virtual directories (e.g. ptdev) are created.
4. Double click on the content directory folder (e.g. "pteval") in the left window pane. The files included in the pteval folders are displayed in the right window pane.
5. For each file or folder that you would like to password protect, repeat the following steps:
   1. Right click on the file or directory. A pull down menu appears. Select Properties
   2. Select the File Security (or Directory Security) tab
   3. Click on the Edit... button in the Anonymous Access and Authentication Control
   4. Uncheck the box for Allow Anonymous Access
   5. Check the box for Basic Authentication. A warning dialog box will pop up. Select "Yes". Click on the Edit... button for Basic Authentication.
   6. An input dialog for Basic Authentication Domain will pop up. Select the appropriate domain for your web Server. In most cases it should be the local domain. If so, select Use Default and click on the OK button.
   7. If desired, select Integrated Windows authentication (Note: this method of authentication is only supported by Internet Explorer).
   8. Click OK in the Authentication Method dialog box.
   9. Click Apply and then OK in the Properties dialog box.

Set File/Directory Security on Windows 2000 Server

The following procedure provides the steps for setting the file permissions for use with Basic and Integrated Windows Authentication.

1. Refer to the Default Security table in the Web Server Security Overview section for the permissions required for users to access ProblemTracker. For all users that need to access ProblemTracker workgroups (e.g. "pteval"), please grant them the permissions listed on the table for the user "PUSR4HOSTNAME". For all users that need to access the Workgroup Management System (WMS), please grant them the permissions listed on the table for "Administrators" (or instead of granting specific permissions simply add these users that need to access WMS to the local Administrators user group on the machine where ProblemTracker is installed). To grant these permissions using the sub-steps below. Without these required permissions, users may encounter errors when trying to use ProblemTracker or the Workgroup Management System with basic and/or Integrated Windows authentication enabled.
   1. Start the Windows 2000 Explorer (Start -> Programs -> Accessories -> Windows Explorer)
   2. Select the directory referenced in the Default Security table
   3. In the right pane of the Explorer, select the directory or file(s) you would like to limit access to. You can select multiple items by holding down the CTRL key on your keyboard as you click on files.
   4. With the files or the directory highlighted, go to the File -> Properties menu or right click and choose the Properties menu, then click on the Security tab of the dialog
   5. By default "PUSR4<HOSTNAME>" where <HOSTNAME> is the TCP/IP name of the server where ProblemTracker is installed will have all the check boxes checked (and grayed) under the column Allow and none checked under the column Deny.
   6. Delete the default permission for "PUSR4<HOSTNAME>" and any others that grant access to anyone you do not wish to have access to the selected directory or files, by selecting those users and clicking the Remove button. If you do not wish for an individual to see a web page, make sure the user does not have Read checkbox checked under the column Allow (or if the Read checkbox is checked and grayed then check the Read checkbox under the column Deny) for the file or directory.
   7. Press the Add... button to display the "Select Users, Computers and Groups" dialog. Under "Look In:" pulldown, select your Windows 2000 domain name. Now add any particular user/group (for example "Administrator" you would like to give access the selected directory or files by selecting their names (press Ctrl to select multiple users/groups), and pressing the Add button. The users/groups will be listed in the list below. Now click OK to close this dialog. The users/groups chosen will get added to the list. You can grant/deny permissions for each user/group by checking/unchecking the checkboxes under the columns Allow and Deny.
2. Refer to the ProblemTracker Organization table in the Web Server Security Overview section to determine which content directories and program files you would like to protect based upon function. To grant these permissions using the sub-steps below:
   1. Start the Windows 2000 Explorer (Start -> Programs -> Accessories -> Windows Explorer)
   2. Select the directory referenced in the ProblemTracker Organization table
   3. In the right pane of the Explorer, select the directory or file(s) you would like to limit access to. You can select multiple items by holding down the CTRL key on your keyboard as you click on files.
   4. With the files or the directory highlighted, go to the File -> Properties menu or right click and choose the Properties menu, then click on the Security tab of the dialog
   5. By default "PUSR4<HOSTNAME>" where <HOSTNAME> is the TCP/IP name of the server where ProblemTracker is installed will have all the check boxes checked (and grayed) under the column Allow and none checked under the column Deny.
   6. Delete the default permission for "PUSR4<HOSTNAME>" and any others that grant access to anyone you do not wish to have access to the selected directory or files, by selecting those users and clicking the Remove button. If you do not wish for an individual to see a web page, make sure the user does not have Read checkbox checked under the column Allow (or if the Read checkbox is checked and grayed then check the Read checkbox under the column Deny) for the file or directory.
   7. Press the Add... button to display the "Select Users, Computers and Groups" dialog. Under "Look In:" pulldown, select your Windows 2000 domain name. Now add any particular user/group (for example "Administrator" you would like to give access the selected directory or files by selecting their names (press Ctrl to select multiple users/groups), and pressing the Add button. The users/groups will be listed in the list below. Now click OK to close this dialog. The users/groups chosen will get added to the list. You can grant/deny permissions for each user/group by checking/unchecking the checkboxes under the columns Allow and Deny.

WMS Operations that can impact your Custom Security Settings

The Repair, Move, and Upgrade operations that can be performed in the Workgroup Management System can reset the customized security you have applied to the locations listed in the table above. Before you use the Repair, Move, or Upgrade operations, it is recommended that you take note of the security scheme you have applied, then re-apply these changes after using one of those operations.

For more information on the WMS operations, please refer to the following sections in the WMS Help Guide:

Repairing a Workgroup
Moving a Workgroup
Upgrading a Version 3 Workgroup
Upgrading a Version 4 or 5 Workgroup