Web Permissions Behave Unexpectedly with Script Engines (321506)


The information in this article applies to:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services version 6.0
This article was previously published under Q321506
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SYMPTOMS

When Web pages such as Active Server Pages (ASP) pages are processed through an extension that uses the Application Mapping setting in IIS for a specific ASP application, unexpected behavior may occur when you try to change the Read permission in the IIS Manager.

CAUSE

Pages that are processed by an extension, such as ASP or SHTML pages, are processed by the server and sent to the client even if Read permission has been removed from the IIS properties of either the Web site or of the page itself. This occurs because the code of the page is processed by the extension engine and the results (instead of the original code) are sent to the client for reading.

WORKAROUND

To effectively limit a user's permission on any file on a Web server, Microsoft recommends that administrators use the NTFS File System permissions for files and folders.

MORE INFORMATION

Internet Information Server (IIS) 4.0 and Internet Information Services (IIS) 5.0 and later allow administrators to determine the Web level permissions for Web sites, virtual directories, and files. For example, permissions may be set to Read, Write, or Index This Resource. The Read permission is set in the Internet Service Manager (ISM) and limits the privileges of users to read the file. In other words, it limits whether or not IIS serves the page to a client.

For additional information about how to secure files and folders with NTFS permissions, click the article numbers below to view the articles in the Microsoft Knowledge Base:

313398 HOW TO: Control NTFS Permissions Inheritance in Windows

300691 HOW TO: Set Up a File System for Secure Access in Windows 2000

Steps to Reproduce the Problem

  1. In Administrative Tools, open the IIS Manager.
  2. Right-click the Web site, and then click Properties.
  3. Click the Home Directory tab.
  4. Click to clear the Read check box, and then click OK.
  5. If the Inheritance Overrides dialog box appears, click Select All, and then click OK.
This disables Web Read permission on all files at the Web site level. If you request an HTML file from the server through a browser, the page does not appear, and you receive the following error message:
The page cannot be displayed
The HTTP error code is 403.2 - Forbidden: Read Access Forbidden.

However, if you request an ASP or SHTML file, or any file that is processed through an extension DLL, the file is processed and the contents are displayed in the browser. Note that any content that is not processed through the extension DLL, such as a graphics file, is also not displayed in the browser.
Modification Type:MinorLast Reviewed:6/23/2005
Keywords:kbpending kbprb KB321506
©2004 Microsoft Corporation. All rights reserved.