NTFS

NTFS, or NT File System, is the key to successfully protecting Internet Information Services and your Web sites while still giving users of the Web server the access they need. NTFS was designed to provide security features for high-end servers and workstations, including those accessed from the Internet. When properly configured, Internet Information Services and Windows 2000 can be used to establish a safe environment for any publicly accessed documents.

For documents served by IIS to be protected by Windows 2000 security, the files and directories must be placed on an NTFS partition. NTFS lets you give users and groups the access they need to the appropriate files and directories in Internet Information Services.

Similar Error Messages, Dissimilar Meanings

Although error messages, such as "Access Denied" and "Access Forbidden," may seem similar, they can identify very different issues. For example, when a Web browser returns the error "Access Denied," it is an indication that security settings do not allow access to the requested file. When a Web browser returns the error "Access Forbidden," it likely indicates that the requested file does not exist.


After IIS has validated a user's IP address and Internet domain, account and password, and Web or FTP permissions, it attempts to access the file based on the user's security context. Because the file is physically located on a hard drive within the server, and because Windows 2000 is the underlying operating system, IIS must make a request to Windows 2000 for the file. Windows 2000 then verifies that the user context has the correct NTFS permissions to access the file.

Recall that NTFS permissions include read (R), write (W), execute (X), delete (D), change permissions (P), and take ownership (O). When these permissions are applied to files accessed by users of Internet Information Services, they provide users with different abilities, depending on the protocol used to access the file.

Some of the abilities provided to users accessing a Web site by using the HTTP protocol or accessing an FTP site by using the FTP protocol include those shown in Table 3.1. Note that different NTFS permissions allow different types of access for IIS users.

Table 3.1. NTFS Permissions

| Permission | Description |
| --- | --- |
| Read (R) | Display physical directory listings; view files, including text, graphics, and sounds; download files |
| Write (W) | Upload files |
| Execute (X) | Execute applications, including .exe and .dll files; execute scripts, including .asp files |
| Delete (D) | Delete a folder or a file |
| Change Permission | None |
| Take Ownership (O) | None |

Validating a user's NTFS permissions is the last step that Internet Information Services takes when verifying that a user is allowed access to a resource. Therefore, you have the ability to configure other security options before NTFS permissions are ever consulted. However, because NTFS permissions are the final step, they can also be considered the final safety measure, sort of like a football team's kicker having the ultimate responsibility of making sure that the receiver does not return the ball for a touchdown.

After the permissions are established in IIS, the directories need to have their NTFS permissions configured in Windows 2000. Take these steps to accomplish this task:

  1. From Windows Explorer, select the files or directory.

  2. Right-click the file or directory, and click Properties.

  3. Click the Security tab.

    If the Security tab does not appear on the Property sheet of a file or directory, the partition is not formatted with NTFS. In this case, reconsider making all partitions NTFS.

  4. Configure the access permissions for the appropriate users and groups by selecting the user or group, and either clearing or selecting the appropriate permission's check box.

  5. Check "Allow inheritable permissions from parent to propagate to this object" if you want this directory or file to get the same permissions as its parent.

  6. For more granular access control, click the Advanced button.

  7. In the Access Control Settings dialog box, select a user or group, and click View/Edit to configure specific permissions. Click OK when you are finished with this dialog box.

  8. When these steps are completed, close the Properties dialog box. Figure 3.2 shows a sample NTFS configuration.

    Figure 3.2. NTFS is used to secure files and directories for individual user access to Internet Information Services.

It is important to remember that the security settings for Internet Information Services and Windows 2000 might conflict, particularly if someone configured the setup incorrectly. If these conflicts exist, the system will take the most restrictive settings.

It is also important to remember that, by default, the Everyone group has full control of all files and directories on newly created NTFS partitions. Refer to Chapter 1, "Installing and Managing IIS," for guidance on planning for Internet Information Services and configuring Windows 2000.
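
To check a content tree for the default Everyone grant described above, the following audit lists allow entries that give broad groups the Write, Delete, Change Permission, or Take Ownership abilities from Table 3.1. It is an added example, not from the book, and it assumes PowerShell with `Get-Acl` (which postdates Windows 2000); the function name `Find-RiskyWebAce`, the content root `C:\Inetpub\wwwroot`, and the choice of Everyone and Authenticated Users as "broad" principals are assumptions.

```powershell
# Added example: report ACEs under a Web content root that give broad
# principals more than read/execute access. Root path and SID list are assumptions.
function Find-RiskyWebAce {
    param(
        [string]$Root = 'C:\Inetpub\wwwroot',            # assumed content root
        [string[]]$BroadSids = @('S-1-1-0', 'S-1-5-11')  # Everyone, Authenticated Users
    )
    $Rights = [System.Security.AccessControl.FileSystemRights]
    # Rights behind upload, delete, and ACL/owner changes (Table 3.1: W, D, P, O)
    $risky = $Rights::Write -bor $Rights::Delete -bor
             $Rights::ChangePermissions -bor $Rights::TakeOwnership
    # Generic access bits that can appear unmapped in an ACE: GENERIC_ALL, GENERIC_WRITE
    $genericRisky = 0x10000000 -bor 0x40000000

    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { continue }                     # unreadable ACL: skip the item
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                # Compare by SID so localized group names still match
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }               # account name cannot be resolved
            if ($BroadSids -notcontains $sid) { continue }
            $mask = [int]$ace.FileSystemRights
            if (($mask -band [int]$risky) -or ($mask -band $genericRisky)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-RiskyWebAce | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Rows with `Inherited` set to `True` are corrected at the parent directory (or by clearing the inheritance check box from step 5), not on the individual file.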
