I'm not sure if I'd do both... If I did ACL, that would seem to cover me and 
make URL authorization unnecessary. I think the reason the ACL path makes me 
comfortable is that it seems to be done at a lower level than URL authorization.

But URL authorization is really easy to set up. If there's no reason to think 
it's less secure than the old ACL method, I'll go that way.

Thought it was OT because IIS isn't really NT. But, I reckon it's less OT than 
a lot of the other stuff we end up yammering about here!  :)



From: Brian Desmond [mailto:[email protected]]
Sent: Wednesday, March 16, 2011 7:29 PM
To: NT System Admin Issues
Subject: RE: OT: URL Authorization Rules in IIS 7

Not sure why this is "OT"?

The authorization rules should be fine, but, I would stick with whatever you're 
more comfortable with. Personally I don't advocate duplicating config in 
multiple places as it becomes a support nightmare.

Thanks,
Brian Desmond
[email protected]<mailto:[email protected]>

w - 312.625.1438 | c   - 312.731.3132

From: Andrew S. Baker [mailto:[email protected]]
Sent: Wednesday, March 16, 2011 1:59 PM
To: NT System Admin Issues
Subject: Re: OT: URL Authorization Rules in IIS 7

Generally speaking, I would be inclined to do both.

It helps if access is somehow granted to the machine via another vector.

Layered security is almost always desirable.



ASB (Find me online via About.Me<http://about.me/Andrew.S.Baker/bio>)
Exploiting Technology for Business Advantage...



On Wed, Mar 16, 2011 at 4:39 PM, John Hornbuckle 
<[email protected]<mailto:[email protected]>> 
wrote:
I'm no IIS expert (I've noticed that my posts to this and the Exchange list 
almost always begin with "I'm no [fill in the blank] expert"), so hopefully 
someone who spends more time with it than I do can point me in the right 
direction.

IIS 7 on Server 2008.

I've got a folder on a public website, and I want to make it so that only 
certain people can get to it. In the past, I'd have done this by playing with 
the ACL settings of the folder so that the IIS accounts didn't have access, 
then grant my users access and use Windows authentication (over SSL) so they 
could enter their username and password.

I'm looking at URL authorization rules to do this now, though. It seems easy 
enough, but I just can't seem to get over not changing the ACL of the 
underlying folder. It just feels wrong.

Am I just being paranoid? Are authorization rules just as safe/secure as 
changing the ACL of the folder? Any "gotchas" to look out for?



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us<http://www.taylor.k12.fl.us>



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
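
An added example, not from any of the posters above: the setup John describes (one folder, Windows authentication over SSL, only certain people allowed), written as the location block it would occupy in applicationHost.config. The site name "Default Web Site", the folder "private" and the group EXAMPLE\PrivateFolderUsers are placeholders, and the URL Authorization role service is assumed to be installed.

```xml
<!-- Fragment of applicationHost.config. All names are placeholders. -->
<location path="Default Web Site/private">
  <system.webServer>
    <security>

      <!-- Force a real identity for this folder: anonymous off, Windows
           authentication on. These two sections are locked at server level
           by default, which is why they sit here and not in the folder's
           own web.config. -->
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>

      <!-- URL authorization. The server-level default is an allow rule for
           users="*", and it is inherited. Adding an allow rule for the group
           without removing the inherited one leaves the folder open to every
           user, so the remove line is the part that actually restricts. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="EXAMPLE\PrivateFolderUsers" />
      </authorization>

      <!-- Refuse plain HTTP so the credentials only travel over SSL. -->
      <access sslFlags="Ssl" />

    </security>
  </system.webServer>
</location>
```

The NTFS ACL on the folder is a separate layer that this file does not express. With Windows authentication the file read is done as the signed-in user, so that user still needs read permission on the folder whichever approach is chosen.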
