Basic authentication with domain accounts on Windows Server 2008

Tags: http-basic-authentication, iis-7, windows-server-2008

A very weird issue that I never encountered with Windows Server 2003: when configuring basic authentication to restrict access to specific directories in IIS7, I've done the following:

  1. Enabled basic authentication and disabled anonymous authentication for specific directories within IIS7
  2. Created three Active Directory groups: site.com Staff, site.com Members, site.com Something.
  3. Created multiple accounts and added to applicable group.
  4. Given Read & Execute NTFS permissions to a specific domain group/s to three areas of an IIS7 site

However, any domain account from any of the three groups can access any of the other three areas of the site once logged in. The only way to truly lock down a directory is not only providing read rights to the applicable group, but denying access to the groups that should not have access. This does not make sense apart from the fact that of course, a member of the Domain Users group is a part of the Local Users group, and you cannot deny access to either for the directories in question.

What obvious thing am I missing?

Update: Embarrassed to say that this was a pretty obvious one and has nothing to do with Win2003 vs. Win2008.

For all applicable directories/files:

  1. Enable Basic Authentication in IIS, and remove anonymous.
  2. Remove inheriting permissions (with copy to make things easy)
  3. Remove local Users group access
  4. Grant the applicable domain groups read access
  5. Add Network Service read access (this is specific for IIS7 because of the integrated pipeline)

As you can see, the only Win2003 vs. Win2008 issue is granting Network Service access to the resource in question.
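The five steps above, scripted for one site, as an added example that is not part of the original question or answer. It assumes a site named "Default Web Site" with the three areas as physical folders under C:\inetpub\wwwroot, a domain called CONTOSO, and the group names from the question; every one of those names is a placeholder to adjust. ACL changes use icacls, and the authentication switches use the WebAdministration module that ships with IIS7's PowerShell snap-in.

```powershell
# Added example (not the original poster's script): applies the five-step fix
# to each protected directory of an IIS7 site. Site name, paths, domain and
# group names below are assumptions; change them to match the environment.
Import-Module WebAdministration

$SiteName = 'Default Web Site'        # assumed site name
$WebRoot  = 'C:\inetpub\wwwroot'      # assumed physical root
$Domain   = 'CONTOSO'                 # assumed NetBIOS domain name
$Areas = @{                           # folder name -> the one group allowed in
    'staff'   = "$Domain\site.com Staff"
    'members' = "$Domain\site.com Members"
    'other'   = "$Domain\site.com Something"
}

foreach ($area in $Areas.Keys) {
    $location = "$SiteName/$area"
    $path     = Join-Path $WebRoot $area
    $group    = $Areas[$area]

    # Step 1: Basic authentication on, anonymous off, scoped to this directory.
    # Writing with -Location lands in applicationHost.config, so the section
    # lock that normally blocks a web.config override does not get in the way.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter 'system.webServer/security/authentication/basicAuthentication' `
        -Name 'enabled' -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'enabled' -Value $false

    # Step 2: stop inheriting. /inheritance:d copies the inherited ACEs onto the
    # folder first, so SYSTEM and Administrators survive the next step.
    icacls $path /inheritance:d | Out-Null

    # Step 3: drop the local Users group. Domain Users is nested inside it, which
    # is exactly why every domain account could read every area.
    icacls $path /remove:g 'BUILTIN\Users' | Out-Null

    # Step 4: Read & Execute for the single domain group that owns this area,
    # inherited by subfolders (CI) and files (OI).
    icacls $path /grant "${group}:(OI)(CI)RX" | Out-Null

    # Step 5: the IIS7 worker process (Network Service in the default application
    # pool) must still be able to read the content it serves.
    icacls $path /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)RX' | Out-Null
}

# Check: print the resulting ACL of each area. Only the intended group,
# NETWORK SERVICE, SYSTEM and Administrators should remain; any leftover
# BUILTIN\Users entry means step 3 did not take effect on that folder.
foreach ($area in $Areas.Keys) {
    icacls (Join-Path $WebRoot $area)
}
```

Run this from an elevated PowerShell on the web server after taking a backup of applicationHost.config and the folder ACLs, then test with one account from each group: a user in "site.com Staff" should get the staff area and a 401 on the others, without any Deny entries. Because Basic authentication sends the username and password base64-encoded on every request, the site these directories belong to should only be reachable over HTTPS.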

Best Answer

Troubleshooting permissions problems can be a challenge but at the end of the day here's what I think:

The users are able to access the directories regardless of their membership in the groups you've created because the users are members of the local users group, which has access to the directories. For the most part, permissions are cumulative and the least restrictive permissions apply except in cases of explicitly defined permissions (Allow or Deny). In order to achieve your desired restrictions you have two choices:

  1. Do what you've already done and define an explicit Deny on the directories to the groups that you don't want to have access.

  2. Remove permissions inheritance from the directories, remove the local users group from the permissions on the directories and define an explicit Allow on the directories to the groups that you do want to have access.