Generally speaking, I would be inclined to do both. It helps if access is somehow granted to the machine via another vector.
Layered security is almost always desirable. *ASB *(Find me online via About.Me <http://about.me/Andrew.S.Baker/bio>) *Exploiting Technology for Business Advantage... * On Wed, Mar 16, 2011 at 4:39 PM, John Hornbuckle < [email protected]> wrote: > I’m no IIS expert (I’ve noticed that my posts to this and the Exchange list > almost always begin with “I’m no [fill in the blank] expert”), so hopefully > someone who spends more time with it than I do can point me in the right > direction. > > > > IIS 7 on Server 2008. > > > > I’ve got a folder on a public website, and I want to make it so that only > certain people can get to it. In the past, I’d have done this by playing > with the ACL settings of the folder so that the IIS accounts didn’t have > access, then grant my users access and use Windows authentication (over SSL) > so they could enter their username and password. > > > > I’m looking at URL authorization rules to do this now, though. It seems > easy enough, but I just can’t seem to get over not changing the ACL of the > underlying folder. It just feels wrong. > > > > Am I just being paranoid? Are authorization rules just as safe/secure as > changing the ACL of the folder? Any “gotchas” to look out for? > > > > > > > > John Hornbuckle > > MIS Department > > Taylor County School District > > www.taylor.k12.fl.us > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
