Easiest way to get .htaccess like access control with IIS 6?
July 5, 2007 6:49 AM

.htaccess alternative for IIS 6?

What is the easiest way to set up simple access control in IIS 6.0?

Note: High-grade security is not necessary for this. If passwords are sent as plain text, as with .htaccess over http, that's fine.

I'm looking for the simplest solution, preferably something that can password protect a directory and every subdirectory and all their contents (when accessed from the web). No more than one user is needed.

Setup: Windows Small Business Server 2003, with IIS 6. PHP is available, but I'm thinking some server setting would be preferable.
posted by cheerleaders_to_your_funeral to Computers & Internet (8 answers total)
 
a quick piece of googling gave me this

password protect IIS6
posted by moochoo at 7:02 AM on July 5, 2007


*cough* Apache for win32 :P
posted by delmoi at 7:29 AM on July 5, 2007


This is automatic in IIS, isn't it? Just right click on the directory in Explorer and change the permissions to disallow the IUSR_XXX account. Then you will get a login screen when you try to view the directory, and will have to enter a username that does have access to the directory. (You can create a new user in Windows for this.)
posted by Nothing at 7:40 AM on July 5, 2007


I'll second Apache for Win32, it's worth the effort to make the move. But take a look at ISAPI_Rewrite if you're sticking with IIS, it works well.
posted by pb at 7:42 AM on July 5, 2007


On reread, I concur with Nothing. You don't need .htaccess for simple access control. More: How To Configure IIS Web Site Authentication in Windows Server 2003.
posted by pb at 7:46 AM on July 5, 2007


Another option is IISPassword, a free module that will read htaccess and htpasswd files (for access control only). I've used it in the past (it integrates with HELM, which sadly, we also used), and it works fine. I imagine it's most useful in situations where you need to allow a third party to control access to their directories (on your server) without granting them any rights, so it may be overkill for your situation (if you want to avoid creating a Windows user, however, it might be right up your alley).
posted by fishfucker at 8:08 AM on July 5, 2007


Response by poster: Thanks all. That helps a lot.

(While Apache would be preferable, it's not an option for this client.)
posted by cheerleaders_to_your_funeral at 10:35 AM on July 5, 2007


If it's just one user, then the "create a low-level windows user, disallow anonymous authentication, and make sure that account has access" is okay.

If you want more than one user, or don't have total control over that web server, you might just try rolling your own: if it's an option, asp.net via the web.config lets you specify a set of non-windows username and password combinations and grant them access to sections of your site, so that you don't have to create an actual Windows user just for authenticated browsing. It's also nice in that it's portable: if you move to a new webserver, your app will move the security with it, seamlessly.

This link has a good example: you pretty much just set up your web.config with authentication settings for that directory, and the list of usernames and passwords, and add a login.aspx page so that people can login (which they'll automatically get sent to if they try to access a resource in that directory without having logged in first).

The only changes are a login.aspx page (which you can copy/paste the code on that site pretty much verbatim) and a section added to the webconfig saying "This sub-section of the site (the path) is restricted, and here are the usernames and passwords that if given will let people into this section". Make those changes, and you're done- and your app security again will move with your app.
posted by hincandenza at 8:58 PM on July 5, 2007
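
A minimal web.config for the forms-authentication approach described in the answer above, added here as an illustration and not taken from the thread or the page it links to. The directory name `protected`, the user `clientuser`, the cookie name `.SITEAUTH` and the hash placeholder are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example. "protected", "clientuser", ".SITEAUTH" and the hash
     placeholder are assumed names, not values from the thread. -->
<configuration>
  <system.web>
    <!-- Forms authentication: requests without a valid auth cookie are
         redirected to login.aspx -->
    <authentication mode="Forms">
      <forms name=".SITEAUTH" loginUrl="login.aspx" timeout="30" protection="All">
        <!-- Non-Windows credentials kept in web.config. SHA1 avoids storing
             the password in clear text; produce the value with
             FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "SHA1").
             login.aspx checks input with FormsAuthentication.Authenticate(). -->
        <credentials passwordFormat="SHA1">
          <user name="clientuser" password="REPLACE_WITH_SHA1_HEX_OF_PASSWORD" />
        </credentials>
      </forms>
    </authentication>
    <!-- The rest of the site stays open to anonymous visitors -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Restrict one directory and everything beneath it -->
  <location path="protected">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top down: the named user is allowed,
             everyone else (including anonymous) is denied -->
        <allow users="clientuser" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

On IIS 6 these rules only apply to requests that IIS hands to ASP.NET (.aspx and other mapped extensions). Static files such as images, .htm pages or PDFs in the same directory are served without this check unless a wildcard application mapping to aspnet_isapi.dll is configured for the site.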

