How To Configure User and Group Access on an Intranet in Windows Server 2003


This article describes how to configure user and group access on an intranet in Windows Server 2003.

The World Wide Web (WWW) and File Transfer Protocol (FTP) services that are included with Microsoft Internet Information Services (IIS) are fully integrated with Windows Server 2003 user accounts and file access permissions.

Every access to a resource (for example, a file or an HTML page) is performed by the service on behalf of a Windows user. The service impersonates the user by supplying a user name and password in the attempt to read or run the resource for the client.

To run a secure Web server, you must rigorously control access to Web content. With Windows and IIS security features, you can effectively control how users access Web content. NTFS file system permissions control access to physical directories on the server, and Web permissions control access to virtual directories on the Web site. You can configure Web permissions for specific Web sites, folders, and files on your server. Unlike NTFS permissions, which apply only to a specific user or group of users with a valid Windows account, Web server permissions apply to all users who access your Web site regardless of their specific access rights.

By setting Web server permissions combined with Windows NTFS permissions, you can control how users access your Web content on multiple levels, from the whole Web site to individual files.

How to Set NTFS Permissions for a File or Folder

To set NTFS permissions for a file or folder:
  1. Start Windows Explorer, and then locate the file or folder that you want to set permissions for.
  2. Right-click the file or folder, click Properties, and then click the Security tab.
  3. To configure permissions for a new user or group, click Add. In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for, click Check Names to verify the name, and then click OK.
  4. To permit or deny a permission in the Permissions for User or Group list, click the user or group in the Group or user names list, and then click to select the Allow or Deny check box next to the permission that you want to permit or deny.

    Or, to remove the group or user, click the user or group in the Group or user names list, and then click Remove.
  5. Click OK.

How to Set Permissions for Web Content

To set permissions for Web content:
  1. Start IIS, or open the Microsoft Management Console (MMC) that contains the IIS snap-in.
  2. Expand ServerName, where ServerName is the name of the server, and then expand Web Sites.
  3. Right-click the Web site, virtual directory, directory, or file that you want to set permissions for, and then click Properties.
  4. Click the Home Directory, Virtual Directory, Directory, or File tab (as appropriate).
  5. Click to select or click to clear any of the following check boxes (if present), as appropriate to the level of Web permissions that you want to set:
    • Script Source Access: To permit users to access source code, select this option. Script Source Access includes source code for scripts, such as scripts in Active Server Pages (ASP)-based programs. Note that this option is available only if either Read or Write permissions are selected.

      NOTE: When you select Script Source Access, users may be able to view sensitive information, such as a user name and password, from scripts in an ASP program. They can also change source code that runs on your server, which can seriously affect the security and performance of your server. It is best to handle access to these types of information and functions through individual Windows accounts and higher-level authentication, such as integrated Windows authentication.
    • Read: To permit users to view or download files or folders and their associated properties, select this option. The Read permissions option is selected by default.
    • Write: To permit users to upload files and their associated properties to the enabled folder on your server, or to change the content or properties of a Write-enabled file, select this option.
    • Directory browsing: To permit users to view a hypertext listing of the files and subfolders in this virtual directory, select this option. Note that virtual directories do not appear in directory listings; users must know the alias of a particular virtual directory.

      NOTE: An "Access Forbidden" error message is displayed by your Web server in a user's Web browser if the user tries to access a file or folder on your server when both of the following conditions are true:
      • Directory browsing is disabled.
      • The user does not specify a file name, such as Filename.htm, in the Uniform Resource Locator (URL).
    • Log visits: To record visits to this folder in a log file, select this option. A log entry is recorded only if logging is enabled for the Web site.
    • Index this resource: To permit Microsoft Indexing Service to include this folder in a full-text index of the Web site, use this option. This permits users to perform queries on this resource.
  6. Click OK, and then quit IIS Manager, or close the IIS snap-in.
  • When you try to change security properties for a Web site or virtual directory, IIS checks the existing settings on the child nodes (virtual directories and files) that are contained in that Web site or virtual directory. If the permissions set at the lower levels are different, IIS displays an Inheritance Overrides dialog box. To specify which child nodes should inherit the permissions that you set at the higher level, click the node or nodes in the Child Nodes list, and then click OK. The child node or nodes inherit the new permissions settings.
  • If Web permissions and NTFS permissions differ for a folder or a file, the more restrictive of the two settings is used. For example, if you assign a folder Write permissions in IIS, and you grant a particular user group Read permissions in NTFS, those users cannot write files to the folder because the Read permissions setting is more restrictive.
  • If you disable Web server permissions (for example, Read permissions) on a resource, all users are restricted from viewing that resource, regardless of the NTFS permissions setting that is applied to those users' accounts. If you enable Web server permissions (for example, Read permissions) on a resource, all users can view that resource, unless NTFS permissions that restrict access to it are also applied.
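The interaction between Web permissions and NTFS permissions described in the notes above can be modelled as a set intersection. The following is an added example, not part of the original article or any Microsoft tool; the names `Ace`, `effective_rights`, `audit` and the sample accounts are hypothetical. It assumes a simplified NTFS model in which ACE inheritance is ignored and a Deny entry overrides any Allow entry for the same right.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name on the Security tab
    allow: bool         # True = Allow check box, False = Deny check box
    rights: frozenset   # subset of {"read", "write"}

def ntfs_rights(user, groups, acl):
    """Rights NTFS grants the user: all matching Allow entries minus all Deny entries."""
    who = {user} | set(groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in who:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied

def effective_rights(user, groups, acl, web_perms):
    """The more restrictive of the two settings wins: intersect NTFS and Web rights."""
    return ntfs_rights(user, groups, acl) & set(web_perms)

def audit(web_perms, acl, members):
    """Return the accounts that can still write through the Web service."""
    return [user for user, groups in sorted(members.items())
            if "write" in effective_rights(user, groups, acl, web_perms)]

# Constructed sample data (hypothetical groups and accounts).
SAMPLE_ACL = [
    Ace("Staff", True, frozenset({"read"})),
    Ace("Editors", True, frozenset({"read", "write"})),
    Ace("Contractors", False, frozenset({"write"})),
]
MEMBERS = {
    "alice": ["Staff"],
    "bob": ["Staff", "Editors"],
    "carol": ["Editors", "Contractors"],
}

if __name__ == "__main__":
    # Folder has Read and Write enabled in IIS: only NTFS limits each user.
    for user, groups in sorted(MEMBERS.items()):
        rights = effective_rights(user, groups, SAMPLE_ACL, {"read", "write"})
        print(user, sorted(rights))
    # Read disabled in IIS: nobody can read, whatever NTFS allows.
    print(effective_rights("bob", MEMBERS["bob"], SAMPLE_ACL, {"write"}))
```

Running `audit` with the Web permissions you plan to set shows which accounts keep Write access once both layers are applied, which is the list to review before enabling Write on a folder.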


For additional information about how to configure security for files and folders, click the following article number to view the article in the Microsoft Knowledge Base:
325361 How To Configure Security for Files and Folders on a Network in Windows Server 2003
For additional information about access control in IIS, see the "Access Control" section in IIS Help. To do this, start IIS Manager, or open the MMC that contains the IIS snap-in. In the console tree, right-click Internet Information Services, and then click Help. Click the Contents tab, expand Internet Information Services, expand Server Administration Guide, expand Security, and then click Access Control.