Hi, I'm looking for a way to password protect a directory in IIS. I'm aware that the standard answer to this is to create a Windows user account for this directory, then give that user read permissions on the directory... but my concern is that by creating a Windows user, won't that give them permissions to do stuff like log in to the computer (remote desktop), FTP in to the server, and all kinds of other stuff? I.e., is there a way to create such a limited user that the only thing they can do is just view a web page in that password protected directory?
No, you can restrict the user from being able to do other options. When you create the user in the User Administration panel, there are several options you can set. One is not allowing remote login. I'm a little hazy on how the FTP service works on Windows, but I am sure it can be restricted also. The key is going to be making sure that it doesn't get added to any groups which have access that you don't want that user to have.
You can enable basic authentication for this directory by setting up a username and password.
First of all, you have full control over the created user. You can easily deny remote login (it's actually denied by default, but don't trust me and check the documentation).
Second, the "password protect" thing is not the correct approach, because the system has a built-in way for access control - use that, it's tested and it's reliable.
And for the core question: I think you can try to limit user permissions to the level where they can only log in locally and see only one directory. But there is no way to prevent them from having read permissions on the Windows folder (for example), as this folder is required for booting the OS and logging in.
Hi,
It is the standard answer for a reason... It is the best way to do it. A user account is limited by default and does not have permission to remote-in unless you explicitly set it to, so don't worry about that. Also, any FTP service should be running in isolation and as such there would be no log-in for the account. If all you wish to do is protect the directory, then just make sure it is read-only and that anonymous access is disabled.
Also, creating a user account has other benefits, such as letting you monitor events for the account in the event log and letting you choose a strong, secure password.
The other way would be to secure the page with a simple log-in CGI script (e.g. Perl, PHP, ASP, etc.), and if you only have one account to add then this would be trivial to do.
If you don't want to use a Windows account, you can develop or purchase an ISAPI filter to load on top of IIS to password protect certain directories.
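The steps several replies above describe (a limited local account, read permission on the directory, anonymous access disabled, basic authentication enabled), as an added PowerShell example that is not part of any poster's reply. The account name, folder path and site name are hypothetical placeholders, and it assumes an elevated prompt, the IIS Basic Authentication feature installed, and an HTTPS binding on the site.

```powershell
# Added example; every name below is a hypothetical placeholder.
$User    = 'webviewer'                     # local account used only for this directory
$Dir     = 'C:\inetpub\wwwroot\private'    # physical path of the protected directory
$IisPath = 'Default Web Site/private'      # site/directory as IIS sees it

Import-Module WebAdministration

# 1. Create the local account; the password is read without echoing it.
$Password = Read-Host -AsSecureString "Password for $User"
New-LocalUser -Name $User -Password $Password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'IIS directory access only' | Out-Null

# 2. Check that the account is not in a group that grants console/RDP or admin access.
foreach ($Group in 'Administrators', 'Remote Desktop Users') {
    $Hit = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "$env:COMPUTERNAME\$User" }
    if ($Hit) { Write-Warning "$User is a member of '$Group'; remove it." }
}

# 3. Grant read-only NTFS access, inherited by files (OI) and subfolders (CI).
#    Accounts that already have read access through inherited ACEs can still
#    authenticate, so review the full ACL that icacls prints afterwards.
& icacls $Dir /grant "${User}:(OI)(CI)R"
& icacls $Dir

# 4. Turn anonymous access off and basic authentication on for this directory only.
$Auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisPath `
    -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisPath `
    -Filter "$Auth/basicAuthentication" -Name enabled -Value $true

# 5. Basic authentication sends the password base64-encoded, not encrypted,
#    so require TLS on the directory (assumes the site has an HTTPS binding).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisPath `
    -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 6. Read the settings back to confirm what is in effect.
foreach ($Mode in 'anonymousAuthentication', 'basicAuthentication') {
    $On = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisPath `
        -Filter "$Auth/$Mode" -Name enabled).Value
    "{0,-26} enabled = {1}" -f $Mode, $On
}
```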