Re: Can not access web directory in Win2k3 with anonymous access d

From: Kristofer Gafvert (kgafvert_at_NEWSilopia.com)
Date: 03/20/05 

Date: Sun, 20 Mar 2005 12:07:44 -0800

Hello,

IIS does not bypass NTFS security. If the user (you try to log on as) is
not allowed read access to the files, the user will be denied access to
the file.

When Anonymous Authentication is used, the anonymous user account is used
to access the file on the file system.

As for being prompted to log on, see this KB Article:

"Internet Explorer May Prompt You for a Password"
http://support.microsoft.com/?id=258063

A guess is that your website is not in the intranet zone, so IE does not
automatically send logon credentials. 

-- 
Regards,
Kristofer Gafvert
www.gafvert.info - My Articles and help
www.ilopia.com
chuck rudolph wrote:
> David, Here is an update: I can NOW get to the protected web site from a
> domain computer when I am signed into the domain BUT when IE accesses 
the web
> the user is prompted to log in. My reading of the document says that an
> authenticated user should not be prompted for new creds. The log follows.
>
> I found the policy that was only allowing Guest, and Guests to access the
> computer remotely. I added Everyone to get where I am now. Do I need to 
add
> Authenticated Users to get where I want to go?
>
> Thanks...Chuck
>
>
> **** Anony disallowed, access from a domain member ie ****
>
> #Software: Microsoft Internet Information Services 6.0
> #Version: 1.0
> #Date: 2005-03-20 19:14:04
> #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
> cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
> 2005-03-20 19:14:04 10.10.1.103 GET /test - 80 - 10.10.1.104
> 
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.40607) 401 2 2148074254
> 2005-03-20 19:14:19 10.10.1.103 GET /test - 80 SBS\Administrator 
10.10.1.104
> 
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.40607) 301 0 0
> 2005-03-20 19:14:19 10.10.1.103 GET test - 80 - 10.10.1.104
> 
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.40607) 401 2 2148074254
> 2005-03-20 19:14:19 10.10.1.103 GET /test/Default.htm - 80 
SBS\Administrator
> 10.10.1.104
> 
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.40607) 200 0 0
>
>
> "David Wang [Msft]" wrote:
>
> > Please provide the web server logs for the failing requests in 
question. I
> > want to see all the 401 errors with substatus/win32 error codes
> >
> > --
> > //David
> > IIS
> > http://blogs.msdn.com/David.Wang
> > This posting is provided "AS IS" with no warranties, and confers no 
rights.
> > //
> > "chuck rudolph" <chuckrudolph@discussions.microsoft.com> wrote in 
message
> > news:654ADABC-5773-4642-8F01-0CD0CC5794FB@microsoft.com...
> > I am sure this has something to do with a missing (or extra) domain 
security
> > policy. Here is the scoop. I have a domain controller and a member 
server.
> > The member server is running IIS 2k3 with all the lastest "windows 
update".
> > I
> > create a vir. dir. on the server and in it a simple .htm. With 
anonymous
> > access enabled, I can open this file from the domain controller 
running IE.
> > When I turn anonymous access off and have Integrated Windows 
Authentication
> > turned on, I get a prompted to log in. Even providing the correct 
signon
> > does
> > not allow me access. (The login on the domain controller is a domain 
admin.)
> > This of course works when I do not have the member server in the 
domain. The
> > member server and domain controller (also 2k3) are "out of the box" 
test
> > setups -- so I am pretty sure that I am missing some security policy. 
Any
> > help is appreciated.
> >
> >
> >

Relevant Pages

  • RE: NT/IIS decoy
    ... Does anyone know how to hide or mask the identity of a IIS 4.0 or 5.0 server ... Principal Security Consultant ... Best Individual Income Protection Provider 2001 - Health Insurance Magazine ...
    (Pen-Test)
  • Re: IIS6 on W2k3 DCs
    ... How many times in big server land do I see folks that don't have backups ... >But Small Business Server 2003 runs with IIS on our domain controller. ... >Where's MY security risks these days? ... >>By referring to numerous security guides written specifically for NT4 ...
    (Focus-Microsoft)
  • Re: SBS 2003 After Service Pack 1 for SBS
    ... Controllers" groups have been added to the new CERTSVC_DCOM_ACCESS security ... we can have Certificate Services update the DCOM security settings ... down time for the server - probably over a weekend. ... Then please run command "iisreset" to refresh IIS ...
    (microsoft.public.windows.server.sbs)
  • Re: REPOST: IIS4 Security Advice
    ... Well, I assume you know you need more than the latest IIS security patch, ... win 2000, one for IIS, one for Index Server, etc.] ... After installing iislockdown ...
    (microsoft.public.inetserver.iis.security)
  • [NT] Cumulative Patch for Internet Information Services
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... security patches released for IIS 4.0 since Windows NT 4.0 Service Pack ... encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0. ... attacker who exploited this vulnerability could overrun heap memory on the ...
    (Securiteam)
Quantcast