Security: User denied access to the current directory because of a security change. Rule

  • ID:  Security__User_denied_access_to_the_current_directory_because_of_a_security_change__1_7_Rule
  • Description:   
  • Target:  IIS 2003 SMTP Server
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name | Default Value | Description | Override
Priority | 1 | |
Severity | 1 | |

Run As Profiles

Name
Default

Alert Details

Message | Priority | Severity
Security: User denied access to the current directory because of a security change. | Medium | Warning

Rule Knowledgebase

Summary

Web or NTFS permissions have changed. These permissions control how users access your Web content on several levels, from the whole Web site to individual files.

Causes

A change in security is blocking the user from accessing the current directory.

Resolutions

Overview

You can set Web permissions for specific Web sites, folders, and files on your server. Unlike the NTFS file system permissions that apply only to either a specific user or a group of users who have a valid Windows account, Web permissions apply to all users who access your Web site regardless of their specific access rights. NTFS permissions control access to physical directories on your server, whereas Web permissions control access to virtual directories on your Web site.

For example, you can use Web permissions to control whether visitors to your Web site can view a particular Web page, upload information, or run scripts. When you configure both Web permissions and NTFS permissions, you can control how users access your Web content on several levels, from the whole Web site to individual files.

Configure Web Server Permissions for Web Content

To configure Web server permissions for Web content, follow these steps:

  • Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  • Expand %ServerName%, where %ServerName% is the name of the server, and then expand Web Sites.

  • Right-click either the Web site, the virtual directory, the folder, or the file that you want to set permissions for, and then click Properties.

  • Click one of the following tabs, as appropriate to your situation:

    • Home Directory

    • Virtual Directory

    • Directory

    • File

  • Either click to select or click to clear any of the following check boxes (if present) that are appropriate for the level of Web permissions that you want to set:

    • Script source access: Grant this permission to permit users to access source code. Source code includes scripts, such as scripts in Active Server Pages (ASP) programs. This permission is only available if either the Read permission or the Write permission is set.

      NOTE: When you use this option, users may be able to view sensitive information, such as a user name and a password, from scripts in an ASP program. They may also be able to change source code that runs on your server. This can seriously affect the security and the performance of your server. You may want to control access to this type of information and to these functions by using individual Windows accounts and higher-level authentication, such as integrated Windows authentication.

    • Read: Grant this permission to permit users to either view or download files or folders and their associated properties. By default, Read permission is selected.

    • Write: Grant this permission to permit users either to upload files and their associated properties to the enabled folder on your server or to change the content or properties of a write-enabled file.

    • Directory browsing: Grant this permission to permit users to view a hypertext listing of the files and the subfolders in the virtual directory. The folder listings do not contain the virtual directories. Users must know the alias of the virtual directory.

      NOTE: A user may receive an "Access Forbidden" error message if the user tries to access either a file or folder on your server and both of the following conditions are true:

      • Directory browsing is disabled.

        -and-

      • The user does not specify a file name such as %Filename%.htm in the Address box.

    • Log visits: Grant this permission to log visits to this folder in a log file. A log entry is recorded only if you enable logging for the Web site.

    • Index this resource: Grant this permission to permit Microsoft Indexing Service to include this folder in a full-text index of the Web site. When you grant this permission, users can query this resource.

  • In the Execute Permissions box, click the option that you want to determine how scripts run on the site. The following options are available:

    • None: Click this setting if you do not want users to run scripts or executable programs on the server. When you use this setting, users can access only the static files such as Hypertext Markup Language (HTML) and image files.

    • Scripts only: Click this setting to run scripts such as ASP programs on the server.

    • Scripts and Executables: Click this setting to run both scripts such as ASP programs and executable programs on the server.

  • Click OK, and then quit the IIS snap-in.

NOTES:

  • When you try to change the security properties of a Web site or virtual directory, IIS checks the existing settings on the child nodes (virtual directories and files) that the Web site or virtual directory contains. If the permissions that are set at the lower levels are different, an Inheritance Overrides dialog box appears. To specify the child nodes that inherit the permissions that you set at the higher level, click the node or nodes in the Child Nodes list, and then click OK. The child node inherits the new permissions settings.

  • If Web permissions and NTFS permissions differ for either a folder or a file, the more restrictive of the two settings is used. For example, if you grant Write permissions to a folder in IIS, and grant Read permissions to a particular user group in NTFS, those users cannot write files to the folder because Read permissions are more restrictive.

  • Disabling permissions restricts access to all the users. For example, if you disable Web permissions (for example, Read permissions) on a resource, none of the users can view that resource, regardless of the NTFS permissions that the users' accounts have. If you enable Web permissions (for example, Read permissions) on a resource, all the users can view that resource unless you also apply NTFS permissions that restrict access to it.

  • When both Web permissions and NTFS permissions are set, the permissions that explicitly deny access take precedence over permissions that grant access.
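
The precedence rules in the notes above, modelled as an added example (not part of the original rule documentation or the management pack) to help work out which layer is denying a user after a permission change. The names Ace, ntfs_rights, effective_access, and the sample groups are hypothetical; NTFS rights are reduced to read/write and every ACE is treated as explicit.

```python
# Added example: a simplified model of how Web and NTFS permissions combine.
# Not IIS or Windows code; all names and the sample ACL are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name
    kind: str           # "allow" or "deny"
    rights: frozenset   # subset of {"read", "write"}

def ntfs_rights(principals, acl):
    """Return (allowed, denied) NTFS rights for a user's set of principals."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (denied if ace.kind == "deny" else allowed).update(ace.rights)
    # An explicit deny takes precedence over any allow.
    return allowed - denied, denied

def effective_access(web_perms, principals, acl):
    """Return {right: (granted, reason)} for one user on one resource."""
    allowed, denied = ntfs_rights(principals, acl)
    result = {}
    for right in ("read", "write"):
        if right not in web_perms:
            # Web permissions apply to every user, whatever NTFS says.
            result[right] = (False, "Web permission disabled for all users")
        elif right in denied:
            result[right] = (False, "explicit NTFS deny")
        elif right not in allowed:
            # The more restrictive of the two settings is used.
            result[right] = (False, "no NTFS allow")
        else:
            result[right] = (True, "Web and NTFS both grant")
    return result

# Constructed sample ACL for a folder (group names are made up).
SAMPLE_ACL = [
    Ace("Editors", "allow", frozenset({"read", "write"})),
    Ace("Readers", "allow", frozenset({"read"})),
    Ace("Contractors", "deny", frozenset({"write"})),
]

if __name__ == "__main__":
    web = {"read", "write"}  # Read and Write ticked in IIS Manager
    for groups in ({"Readers"}, {"Editors"}, {"Editors", "Contractors"}):
        print(sorted(groups), effective_access(web, groups, SAMPLE_ACL))
```

The reason string identifies whether the Web permission or the NTFS ACL is the layer to review when this alert fires.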

See also:

http://support.microsoft.com/default.aspx?scid=kb;en-us;816117

External References
This rule does not contain any external references.
