Controlling Access to Your Web Site with IIS and NTFS Security Permissions

Outside of authentication, the most common way to secure the contents of your Web site is through the use of permissions. As you learned earlier, the Home Directory tab in the properties of a Web site includes a section with 4 permissions listed: Script source access, Read, Write, and Directory browsing. By default, only the Read permission is enabled, which allows users to view a Web page, but not change it. If the Write permission is enabled, users can change pages via FTP, FrontPage, or similar programs. The Directory browsing permission is one that you may be familiar with from surfing the Web – when enabled, a user can view a listing of all files stored in a directory, and click on hyperlinks to access them – an example is shown below. Finally, the Script source access permission allows scripts stored in a directory to be run. Most commonly, this permission is enabled for directories dedicated to holding scripts, such as a CGI-BIN folder. As a general rule, leave the permissions for a site set to Read unless you specifically want to use a feature like Directory browsing, since Read is a much safer setting for your pages and will apply to all users who connect to your server.

In much the same way that NTFS permissions can be used to secure local files and folders on your system, they can also be used to obtain a more granular level of control over who can connect to certain Web site directories or files. For example, if you access the Security tab in the properties of a file or folder under C:\Inetpub\wwwroot, you can configure specific permissions for different user or group accounts that you may have created. As a general rule, use IIS permissions as your first line of security, and use NTFS permissions for more control when necessary. Of course, your Web site will need to be stored on an NTFS partition to be able to make use of these permissions.

Converting Drives to the NTFS File System with the CONVERT Utility

Windows XP supports three different file systems – FAT, FAT32, and NTFS. Although the FAT32 file system is a reasonable and well-performing file system for large partitions, it does lack one key feature, namely security. In order to be able to secure files and folders with security permissions (as well as use features like file system encryption and compression), you need to be using NTFS. Many vendors ship XP systems with all partitions formatted using the FAT32 file system, but this doesn’t have to be an issue. Windows XP includes the command line CONVERT utility to allow you to convert existing FAT or FAT32 partitions to NTFS without losing any of the data stored on those drives. In other words, this command avoids the need to format any partitions to change the file system.

To change a partition like D: from FAT to NTFS, type CONVERT d: /fs:ntfs at the prompt and let XP change it. If the drive is currently in use, it will be converted when you next reboot. Note that the CONVERT command can be used to convert FAT or FAT32 partitions to NTFS, but not vice versa.

What is a Disk Cluster?

Also known as “allocation units”, clusters are essentially units of disk space as defined by a file system like FAT32 or NTFS during the partition formatting process. When files are saved to disk, they are stored in as many clusters as necessary to save the complete file. For example, if an NTFS partition is configured with a 4 K cluster size, a 32 K file would be saved using a total of 8 clusters. When a disk is defragmented, files are saved to contiguous disk clusters.

Formatting Drives and Choosing File Systems

Once a disk partition is defined, it needs to be formatted with a file system to be used. Depending on the operating system installed, your choices include FAT, FAT32, and NTFS. For all intents and purposes, stick to FAT32 if you’re running Windows 98/ME, and NTFS if you’re running XP. The old FAT file system supports much smaller partition sizes, and space is used very inefficiently on the disk as larger partitions are defined. For XP systems, NTFS provides the added benefit of allowing you to set security permissions on individual files and folders. If you’re planning a dual-boot system, remember that Windows 9X/ME systems do not support NTFS – stick with FAT32 if that’s the route you’re planning to take.

When creating a new partition in Windows XP, you have the option of configuring what is known as the allocation unit size. While the operating system will use the default allocation size considered optimal based on the size of the partition, this setting can also be changed.

Generally speaking, a smaller allocation unit size is better if you’re typically saving small files to disk, and a larger (usually the default) size is better when you’re saving large files. The allocation unit chosen can impact available disk space considerably. For example, if a 32K cluster size is used, saving a 1K file to disk would make the other 31K in that cluster unavailable. With a 4K cluster size, that same file would only waste 3K. As a general rule, stick with the default size that Windows suggests, although you can attempt to tweak and tune this setting according to how the partition will be used.

Securing XP Home Systems with XP Professional Permissions

If you’re running Windows XP Home, Simple File Sharing is enabled by default, and unlike in Windows XP Professional, there is no easy way to turn it off. While some users will find this version of file sharing simple to use, it does lack much of the granularity typically associated with assigning NTFS and shared folder permissions for individual users. For example, with each of the 5 configurable security levels outlined in this article, the permissions assigned to the owner or other users are basically of the “take it or leave it” variety – you cannot use this sharing facility to assign unique or different permissions to individual users.

Thankfully, if you want a more granular level of control over how NTFS and shared folder permissions are assigned on an XP Home system, all is not lost. The traditional NTFS and shared folder permissions available in Windows XP and Windows 2000 Professional can be accessed on a Windows XP Home system by booting into Safe Mode, where Simple File Sharing is disabled.

Once booted into Safe Mode on an XP Home system, you can right-click on a particular folder or file, click Properties, and the traditional Security tab is exposed, as shown at right. From this interface, you’re able to see not only the permissions that Windows XP Home applies for a given security level, but also customize the permissions for individual users. For example, let’s say that you have created an additional user account named Paul on your XP Home system. You could then use the Security tab to add Paul’s user account and configure the exact permissions that should be applied to this user. Although these permissions will not be visible when you reboot the system normally, the unique permissions assigned to the Paul user account will still apply regardless. The Sharing tab allows you to configure traditional shared folder permissions in a similar manner.

Consider using this method to configure NTFS and shared folder permissions when none of the Simple File Sharing security levels works for you. The solution may not be perfect (why should we have to boot into Safe Mode to access these?) but it does provide a method to get at the NTFS security structure that Microsoft has in its “wisdom” decided to hide from XP Home users.

Combining Shared Folder and NTFS Permissions

If you choose to apply both shared folder and NTFS permissions to a folder, you need to consider which permissions will actually apply. For example, let’s say that you granted a user named Paul the shared folder permission Read, and the NTFS permission Full Control. When accessing this folder over the network, the more restrictive permission of the two always applies, in this case Read. However, if Paul were to log on to the system locally, only the NTFS permissions would apply, and he would be granted Full Control. Always keep this concept in mind when attempting to troubleshoot user access to shared folders.
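The rule above can be modelled in a few lines. This is an added example, not part of the original article; it goes beyond the single-user case in the text by also accumulating permissions across group memberships and letting a deny entry override an allow, which is how Windows evaluates each layer. The rights table is a simplified teaching model rather than the real Windows access masks, and the Staff group and sample ACLs are constructed for illustration.

```python
from enum import IntFlag

class Right(IntFlag):
    READ = 1
    EXECUTE = 2
    WRITE = 4
    DELETE = 8
    CHANGE_PERMS = 16
    TAKE_OWNERSHIP = 32

# Simplified rights behind each standard permission name (assumption: a
# teaching model; ACE ordering and inheritance are not modelled).
MODIFY = Right.READ | Right.EXECUTE | Right.WRITE | Right.DELETE
FULL = MODIFY | Right.CHANGE_PERMS | Right.TAKE_OWNERSHIP
SHARE = {"Read": Right.READ | Right.EXECUTE, "Change": MODIFY, "Full Control": FULL}
NTFS = {"Read": Right.READ, "Read & Execute": Right.READ | Right.EXECUTE,
        "Write": Right.WRITE, "Modify": MODIFY, "Full Control": FULL}

def layer_rights(entries, table, principals):
    """Rights one layer grants: allows accumulate across the user's account
    and groups, then any matching deny entry removes its rights."""
    allowed = denied = Right(0)
    for who, kind, perm in entries:
        if who in principals:
            if kind == "deny":
                denied |= table[perm]
            else:
                allowed |= table[perm]
    return allowed & ~denied

def effective_rights(principals, share_acl, ntfs_acl, over_network):
    """Local logon consults NTFS only; network access needs both layers."""
    ntfs = layer_rights(ntfs_acl, NTFS, principals)
    if not over_network:
        return ntfs
    return ntfs & layer_rights(share_acl, SHARE, principals)

# Constructed sample data: the article's Paul case plus a hypothetical group.
PAUL = {"Paul", "Staff"}
SHARE_ACL = [("Paul", "allow", "Read")]
NTFS_ACL = [("Paul", "allow", "Full Control")]
NTFS_ACL_DENY = NTFS_ACL + [("Staff", "deny", "Write")]

if __name__ == "__main__":
    for label, net in (("network", True), ("local", False)):
        print(label, repr(effective_rights(PAUL, SHARE_ACL, NTFS_ACL, net)))
```

When troubleshooting, evaluate each layer separately first: a user missing from the share's list gets nothing over the network, however generous the NTFS entry.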

File and Folder Security Using NTFS Permissions

Besides increased system stability, the best reason for choosing Windows XP or Windows 2000 as a desktop OS is the ability to take advantage of the NTFS file system. Unlike FAT and FAT32, NTFS provides the ability to configure file and folder security permissions that apply to both local and remote users. On a Windows XP Home system, NTFS permissions are configured as part of the Simple File Sharing feature looked at earlier, or “old style” as explained in the boxout. The obvious prerequisite to using NTFS permissions is that at least one partition is formatted with the NTFS file system.

Thankfully, a default installation of Windows XP Home or Professional on a new system will use the NTFS file system, but your system being configured with NTFS isn’t a given. The easiest way to tell is to access the properties of a drive (like C) and view the information on the General tab. If your XP or 2000 system is currently running a different file system (like FAT32), all is not lost. Windows includes a utility to convert FAT32 partitions to NTFS, without losing any existing data. The command to convert drive D from FAT32 to NTFS from the command prompt would be:

convert d: /fs:ntfs

Since Windows 9X/ME systems cannot access NTFS partitions, be very careful with this command if your system is set up in a dual-boot configuration.

As mentioned, NTFS permissions apply to users both locally and across the network, providing the highest degree of security. Subfolders and files inherit NTFS permissions, so this is also another key consideration. For example, if you were to create a new NTFS partition (say E), all new folders and files would inherit the permissions applied to drive E. Inherited permissions are indicated by the fact that they are “grayed out” and cannot be directly changed by default. Inherited permissions can be copied directly to a file or folder or removed, as explained in the NTFS permission stepped procedure.

The default permission applied to the root of a new drive may not meet your security needs, so be sure to change the default permissions at this level at a minimum. For example, consider granting yourself the Full Control permission to the root of the drive, and then granting individual users permissions to specific subfolders. Two locations that you should not tamper with are the root of drive C and the Windows folder. Changing the permissions on either of these resources might render your system unusable.