Taking user out of MACHINENAME\Users group does not disallow them from authenticating with IIS site

Posted by jayrdub on Server Fault See other posts from Server Fault or by jayrdub
Published on 2009-09-16T18:35:31Z Indexed on 2010/04/11 5:03 UTC
Read the original article Hit count: 228

Filed under:

iis6

|

security

I have a site that has anonymous access disabled and uses only IIS basic authentication. The site's home directory only has the MACHINENAME\Users group with permissions. I have one user that I don't want to be able to log-in to this site, so I thought all I would need to do is take that user out of the Users group, but doing so still allows him to authenticate. I know it is the Users group that is allowing authentication because if I remove that group's permissions on the directory, he is not allowed to log in.

Is there something special about the Users group that makes it so you are actually always a part of it?

Is the only solution to revoke the Users group's permissions on the site's home directory and grant a new group access that contains only the allowed users?

© Server Fault or respective owner

Related posts about iis6

Best way to migrate from IIS6 to IIS6

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I need to move all my sites on a server with IIS 6 to another one, that has same OS (Windows Server 20003) and same IIS version. I'm trying to understand which is the best way to do it. Searching on Google I've found that there are at least 2 methods, one uses IIS Migration Tool, and another… >>> More
Best way to migrate from IIS6 to IIS6

as seen on Server Fault - Search for 'Server Fault'
Hi, I need to move all my sites on a server with IIS 6 to another one, that has same OS (Windows Server 20003) and same IIS version. I'm trying to understand which is the best way to do it. Searching on Google I've found that there are at least 2 methods, one uses IIS Migration Tool, and another… >>> More
IIS6 all websites displays another site when using https

as seen on Server Fault - Search for 'Server Fault'
I have the following websites set up in iis 6. site1.com site2.com site3.com Accessing site1 is via the address https://site1.com. Accessing site2 and site three should be through http. When I try to access https://site2.com it displays the website of https://site1.com. How can I stop this. I either… >>> More
IIS6 Log time recording problems

as seen on Server Fault - Search for 'Server Fault'
On three separate occasions on two separate servers at nearly the same times, 6.9 hours seemingly went by without any data being written to the IIS logs, but, on closer inspection, it appears that it was all recorded all at once. Here's the facts as I know them: Windows Server 2003 R2 w/ IIS6 Logging… >>> More
IIS6 - 301 permanent redirect response accessing an asp.net web site

as seen on Stack Overflow - Search for 'Stack Overflow'
I've installed an ASP.NET 2.0 virtual directory application on the default web site in IIS6 (Windows 2003 computer) with a Visual Studio generated web deployment setup. Unfortunately, following a successfull installation, I'm unable to access our web site. I get a permanent redirect from IIS as shown… >>> More

Related posts about security

sudo apt-get update errors

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Here is what I get on my terminal when running sudo apt-get update errors. I dont know if the issue is from my sources.list or my proxy setup(have not made any changes to proxies). Thank you for any help in advanced. Ign http://security.ubuntu.com oneiric-security Release.gpg Ign http://security… >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Devx - Search for 'Devx'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Internet.com - Search for 'Internet.com'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
StackOverFlowError while creating Mac object on AS400/Java

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello all, I am a newbie to AS400-Java programming. I am trying to create my first program to test the implementation of Message Authentication Code (MAC). I am trying to use the HMACSHA1 hash function. My (Java 1.4) program runs fine on a dev box (V5R4).But fails terribly on the QA box (V5R3). My… >>> More
Google App Engine - Spring Security Issue (java.security.AccessControlException)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm currently getting the AccessControlException below when I deploy to app engine (I don't see it when I run in my local environment). I'm using GAE 1.3.1, Spring 3.0.1, and Spring Security 3.0.2. Any ideas how to get around this issue? It appears to be an issue with Spring Security trying to get… >>> More