Lock down a group to a folder


  1. Posts : 8
    Windows 7 Pro x64
       #1


    Hi everyone,

    I am trying to lock down a group to a single folder called "Media" in C:\inetpub\wwwroot. So far I have created a group called "LockedDown", created a local user called "IIS_IUSR", removed the user from the "User" group and added the user to the "LockedDown" group. I gave LockedDown read and execute permissions in the inetpub folder, but I want to explicitly deny the LockedDown group permissions everywhere else. I keep getting an error when trying to deny access to the system32 file, and then it does not apply the permissions.

    Is the fact that I have removed the IIS_USER user from the "Users" group enough, or is it better to explicitly deny access everywhere I do not want the user to go? If it is better to deny the access, then what is the best way to accomplish this, or am I on the right track?

    I appreciate everyone's time.

    Thanks


  2. Posts : 257
    Windows 7 Ultimate 64bit
       #2

    I think that you will find that explicitly denying permissions is generally considered a bad practice. In order to do so on any subcontainer you would need to break inheritance from its parent folder, being very careful to copy existing permissions as they exist currently, and then proceed with the explicit denial. A critical folder like the system32 folder only compounds the danger and can result in disastrous effects, so I would suggest that if you proceed you use extreme caution (restore point and complete known good current system image).
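Added example, not code from any poster in this thread: PowerShell that gives the thread's LockedDown group read and execute on the Media folder with an allow entry only, leaving inheritance untouched, and then reports which allow or deny entries on other paths apply to that group or to broad built-in principals. The function names and the list of paths checked are assumptions chosen for illustration.

```powershell
# Added example. Group and folder names come from the thread; run from an elevated prompt.
$Group  = "$env:COMPUTERNAME\LockedDown"
$Folder = 'C:\inetpub\wwwroot\Media'

# Well-known SIDs. A normal local account's token carries Everyone and
# Authenticated Users even after it is removed from BUILTIN\Users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Hypothetical helper: add an inheritable allow ACE, no deny ACE, inheritance left as is.
function Add-ReadExecuteAllow {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Hypothetical helper: list every ACE on the given paths that names the group
# or one of the broad principals, so remaining access is visible before any deny is considered.
function Get-AceReport {
    param([string[]]$Path, [string]$Identity)
    $groupSid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    foreach ($p in $Path) {
        $rules = (Get-Acl -Path $p).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($sid -eq $groupSid -or $BroadSids.ContainsKey($sid)) {
                New-Object PSObject -Property @{
                    Path      = $p
                    Principal = $(if ($sid -eq $groupSid) { $Identity } else { $BroadSids[$sid] })
                    Type      = $r.AccessControlType
                    Rights    = $r.FileSystemRights
                    Inherited = $r.IsInherited
                }
            }
        }
    }
}

Add-ReadExecuteAllow -Path $Folder -Identity $Group
Get-AceReport -Path $Folder, 'C:\inetpub\wwwroot', 'C:\Windows\System32' -Identity $Group |
    Format-Table Path, Principal, Type, Rights, Inherited -AutoSize
```

Rows whose Principal is not the LockedDown group show access the account still receives through other memberships; rows with Type `Deny` show any explicit denials already in place.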


  3. Posts : 2,913
    Windows 7 Ultimate x64 SP1
       #3

    What guide are you following on how to configure IIS?


  4. Posts : 8
    Windows 7 Pro x64
    Thread Starter
       #4

    Well, actually, no guide. But, the idea was inspired by this guide: Lockdown by group using Local Computer Policy without Active Directory

    That is why I figured I would come and ask all of you very helpful folks if I am doing the right thing. I know that after XP permissions had changed a bit. I know that IIS is installed and "works" because I can type my dyndns address and see my index of files. I just want to make sure that is all that everyone else can see/access.

    With Patwhatsthat's information, I guess my approach is at least partially incorrect because I do not want to break inheritance from its parent folder. That would be a nightmare or impossible to correct. So, is there an easier way to lock users into accessing only one folder? I guess I am wanting to do the same thing that chroot does in Linux. I just thought this was the best way in Windows to get this accomplished.


  5. Posts : 2,913
    Windows 7 Ultimate x64 SP1
       #5

    I highly recommend you start out by reading a guide or two about IIS before you go any further. How it works and how to protect directories will be part of any good guide. It's definitely not the same as setting up a webserver on a Linux box.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
