Comments on: Easiest way to get .htaccess like access control with IIS 6?

Question: Easiest way to get .htaccess like access control with IIS 6?

cheerleaders_to_your_funeral — Thu, 05 Jul 2007 06:49:18 -0800

.htaccess alternative for IIS 6?

What is the easiest way to set up simple access control in IIS 6.0?

Note: High-grade security is not necessary for this. If passwords are sent as plain text, as with .htaccess over http, that's fine.

I'm looking for the simplest solution, preferably something that can password protect a directory and every subdirectory and all their contents (when accessed from the web). No more than one user is needed.

Setup: Windows Small Business Server 2003, with IIS 6. Php is available, but I'm thinking some server setting would be preferable.

By: moochoo

moochoo — Thu, 05 Jul 2007 07:02:35 -0800

a quick piece of googling gave me this

password protect IIS6

By: delmoi

delmoi — Thu, 05 Jul 2007 07:29:17 -0800

*cough* Apache for win32 :P

By: Nothing

Nothing — Thu, 05 Jul 2007 07:40:53 -0800

This is automatic in IIS, isn't it? Just right click on the directory in Explorer and change the permissions to disallow the IUSR_XXX account. Then you will get a login screen when you try to view the directory, and will have to enter a username that does have access to the directory. (You can create a enw user in windows for this.)

By: pb

pb — Thu, 05 Jul 2007 07:42:33 -0800

I'll second Apache for Win32, it's worth the effort to make the move. But take a look at ISAPI_Rewrite if you're sticking with IIS, it works well.

By: pb

pb — Thu, 05 Jul 2007 07:46:41 -0800

On reread, I concur with Nothing. You don't need .htaccess for simple access control. More: How To Configure IIS Web Site Authentication in Windows Server 2003.

By: fishfucker

fishfucker — Thu, 05 Jul 2007 08:08:07 -0800

Another option is IISPassword , a free module that will read htaccess and htpasswd files (for access control only). I've used it in the past (it integrates with HELM, which sadly, we also used), and it works fine. I imagine it's most useful in situations where you need to allow a third party to control access to their directories (on your server) without granting them any rights, so it may be overkill for your situation (if you want to avoid creating a windows user, however, it might be right up your alley).

By: cheerleaders_to_your_funeral

cheerleaders_to_your_funeral — Thu, 05 Jul 2007 10:35:51 -0800

Thanks all. That helps a lot.

(While Apache would be preferable, it's not an option for this client.)

By: hincandenza

hincandenza — Thu, 05 Jul 2007 20:58:29 -0800

If it's just one user, then the "create a low-level windows user, disallow anonymous authentication, and make sure that account has access" is okay.

If you want more than one user, or don't have total control over that web server, you might just try rolling your own: if it's an option, asp.net via the web.config lets you specify a set of non-windows username and password combinations and grant them access to sections of your site, so that you don't have to create an actual Windows user just for authenticated browsing. It's also nice in that it's portable: if you move to a new webserver, your app will move the security with it, seamlessly.

This link has a good example: you pretty much just set up your web.config with authentication settings for that directory, and the list of usernames and passwords, and add a login.aspx page so that people can login (which they'll automatically get sent to if they try to access a resource in that directory without having logged in first).

The only changes are a login.aspx page (which you can copy/paste the code on that site pretty much verbatim) and a section added to the webconfig saying "This sub-section of the site (the path) is restricted, and here are the usernames and passwords that if given will let people into this section". Make those changes, and you're done- and your app security again will move with your app.