HOW TO: Configure User and Group Access on an Intranet in Windows 2000 or Windows NT 4.0 (325358)
The information in this article applies to:
- Microsoft Windows 2000
- Microsoft Windows NT 4.0
This article was previously published under Q325358
SUMMARY
This step-by-step article describes how to configure user and group access on an intranet server. The World Wide Web (WWW) and File Transfer Protocol (FTP) services that are included with Microsoft Internet Information Server (also known as IIS) on Windows NT 4.0 and Microsoft Internet Information Services (also known as IIS) on Windows 2000 are fully integrated with Windows 2000 user accounts and file access permissions.
Every access to a resource (for example, a file, an HTML page, or an Internet Server API [ISAPI] program) is performed by the services on behalf of a Windows user. The service impersonates the user by supplying a user name and password when it tries to read or run the resource for the client.
Change the NTFS Permissions for a File or Folder
To change the NTFS file system permissions for a file or folder, perform the procedure that is described in one of the following sections.
For Windows 2000
- Click Start, point to Programs, point to Accessories, and then click Windows Explorer.
- Locate the file or folder for which you want to set permissions.
- Right-click the file or folder, click Properties, and then click the Security tab.
- To set up permissions for a new group or user, click Add, type the name of the group or user for which you want to set permissions (use the domain name\user name format), and then click OK.
- To change or remove permissions from an existing group or user, click the name of the group or user.
- In Permissions, click Allow or Deny for each permission that you want to allow or deny.
Alternatively, to remove the group or user from the permissions list, click Remove.
NOTE: The Deny permission takes precedence over the Allow permission. If you apply Deny permissions to the Everyone group, the resource may be closed to that level of access by anyone, including the administrator.
For more information about how to change permissions in Windows, see the "Permissions" Help topic in Windows Help.
For Windows NT 4.0
- Click Start, point to Programs, point to Accessories, and then click Windows Explorer.
- Right-click the file or folder for which you want to set permissions, click Properties, click the Security tab, and then click Permissions.
- To set up permissions for a new group or user, click Add, type the name of the group or user for which you want to set permissions (use the domain name\user name format), select the type of access that you want to assign, and then click OK.
- To change permissions for an existing group or user, click the name of the group or user, select the type of access that you want to assign in Permissions, and then click OK.
- To remove the group or user from the permissions list, click Remove.
NOTE: The No Access permission takes precedence over other permissions. If you grant the No Access permissions to the Everyone group, the resource may be closed to that level of access by anyone, including the administrator.
For more information about how to change permissions in Windows, see the "Permissions" Help topic in Windows Help.
Change the Virtual Directory or File Security
To change the virtual directory or file security:
- Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
- In the Internet Information Services snap-in, right-click a virtual directory, a folder, or a file, and then click Properties.
- On the Virtual Directory tab, the Directory tab, or the File tab (as appropriate), click the access control options that you want to use.
For example, right-click the Scripts virtual directory of the Default Web Site entry, and then click Properties. Click the Virtual Directory tab, and then change the access control options.
You can also use Internet Information Server or Internet Information Services virtual directory access control combined with NTFS access permissions to configure access to specific files in a Web site. After a user is authenticated for the Internet Information Server or Internet Information Services virtual directory, Internet Information Server or Internet Information Services uses the context of the requesting user to gain access to the NTFS file based on the user account, the user rights policy, and the file permissions.
List of Access Control Options
The following list describes the access control options:
- Script Source Access: Use this option to allow users to access source code if either Read permissions or Write permissions are set. Source code includes scripts in Active Server Pages (ASP) programs.
NOTE: When you use the Script Source Access option, users may be able to view sensitive information, such as a user name and password, from the scripts in an ASP program. They can also change source code that runs on your server, which may seriously affect your server's security and performance. Access to this type of information and functions is best handled through individual Windows accounts and higher-level authentication, such as integrated Windows authentication.
- Read: Use this option to allow users to read or download files or folders and their associated properties.
- Write: Use this option to allow users to upload files and their associated properties to the enabled folder on your server or to change the content in a write-enabled file. Writing can be performed only with a browser that supports the PUT feature of the Hypertext Transfer Protocol (HTTP) 1.1 protocol standard.
- Directory Browsing: Use this option to allow users to see a hypertext listing of the files and subfolders in this virtual directory. Virtual directories do not appear in directory listings; users must know a virtual directory's alias.
NOTE: The Web server displays an "Access Forbidden" error message in your Web browser if you try to access a file or folder and both of the following conditions are true:
- Directory browsing is turned off.
- You do not specify a file name, such as Filename.htm.
- Log Visits: Use this option to record visits to this folder in a log file. Visits are recorded only if logging is turned on for this Web site.
- Index This Resource: Use this option to allow Microsoft Indexing Service to include this folder in a full-text index of your Web site.
Notes
- If a virtual directory is on an NTFS drive, the access permissions for the virtual directory must match the settings in Internet Information Server or Internet Information Services. If they do not match, the most restrictive settings are used. For example, if you grant a folder Write permission but you grant a particular user group only Read access permissions in NTFS, those users cannot write files to the folder because the Read permission is more restrictive.
- When you use NTFS permissions in conjunction with security options in Internet Information Server or Internet Information Services, you can grant or restrict access to specific users or groups to view only the portions of the Web site you want them to view.
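The two rules stated above (Deny takes precedence over Allow, and the most restrictive of the IIS and NTFS settings is used) can be checked against a planned configuration with a small model. This is an added example, not Microsoft code; the account names, group names and permission entries are constructed, and the model assumes the simplified Deny-over-Allow rule from this article without modelling entry ordering or inheritance.

```python
# Simplified model of the access rules described in this article.
# All account names, group names and ACL entries below are constructed samples.

# NTFS permission entries on one folder: (trustee, "allow" | "deny", rights)
SAMPLE_ACL = [
    ("Administrators", "allow", {"read", "write"}),
    ("INTRANET\\WebAuthors", "allow", {"read", "write"}),
    ("INTRANET\\Staff", "allow", {"read"}),
    ("INTRANET\\Contractors", "deny", {"write"}),
]


def ntfs_rights(acl, principals):
    """Rights NTFS grants to a user whose account and groups are `principals`.

    Assumption: any matching Deny overrides any matching Allow, as the
    article states; entry ordering and inheritance are not modelled.
    """
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee == "Everyone" or trustee in principals:
            (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied


def effective_rights(iis_options, acl, principals):
    """Most restrictive result: a right must be enabled in IIS and in NTFS."""
    return set(iis_options) & ntfs_rights(acl, principals)


def explain(iis_options, acl, principals):
    """Say which layer blocks each right, for troubleshooting a denied request."""
    granted = ntfs_rights(acl, principals)
    report = {}
    for right in ("read", "write"):
        if right not in iis_options:
            report[right] = "blocked by IIS option"
        elif right not in granted:
            report[right] = "blocked by NTFS"
        else:
            report[right] = "allowed"
    return report


if __name__ == "__main__":
    staff = {"INTRANET\\alice", "INTRANET\\Staff"}
    print(explain({"read", "write"}, SAMPLE_ACL, staff))
```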
REFERENCES
For the latest security information, visit the following Microsoft Web site:
Modification Type: Major | Last Reviewed: 6/13/2003
Keywords: kbhowto kbHOWTOmaster KB325358 kbAudITPro