
I'd like to add basic authentication to a website in IIS, HTTPS only. For this I need to create a Windows user. It is important that this user can access nothing other than this website. So I need to add him to "Deny log on locally" and "Deny log on through Remote Desktop Services" in Local Computer Policy.

However, I cannot add him to "Deny access to this computer from the network" or he can't access the website. Microsoft says about this permission:

Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources.

Users with permission to access shared folders and files can connect over the network and possibly view or modify data.

What can I do to create a user that I can be 100% sure can only access this website and absolutely nothing else?

wezten
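As an added example (this is not code from the question or from either answer), the setup the question describes can be scripted on the web server with PowerShell. It assumes a local account name, an IIS site name and a content folder, all of which are placeholders to change, and it uses secedit to append the account's SID to the two "Deny log on" rights so that the SIDs already listed there are kept (secedit replaces the whole list on import). The IIS settings are written to applicationHost.config through -Location, so no section unlocking is needed.

```powershell
#Requires -RunAsAdministrator
# Placeholder names: change to match your server.
$UserName = 'svc-basicauth'       # assumed local account name
$SiteName = 'Default Web Site'    # assumed IIS site name
$SitePath = 'C:\inetpub\wwwroot'  # assumed content folder of that site

Import-Module WebAdministration

# 1. Local account with a long random password that never expires. The password is
#    what the browser sends in the Basic header, so it is only ever carried over TLS.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$user = New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires `
        -AccountNeverExpires -UserMayNotChangePassword -Description 'IIS Basic auth only'
# Keep the account out of the Users group so it inherits none of that group's rights.
Remove-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue
Write-Host "Password for $UserName (store it in your secret store now): $plain"

# 2. Add the SID to "Deny log on locally" and "Deny log on through Remote Desktop
#    Services" without dropping the principals already listed there.
$sid = $user.SID.Value
$cfg = Join-Path $env:TEMP 'rights.inf'
$db  = Join-Path $env:TEMP 'rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $keys = $lines | ForEach-Object { ($_ -split '=')[0].Trim() }
    $idx  = [array]::IndexOf($keys, $right)
    if ($idx -ge 0) {
        # Right already assigned to someone: append our SID to that list.
        if ($lines[$idx] -notmatch [regex]::Escape($sid)) { $lines[$idx] += ",*$sid" }
    } else {
        # Right not assigned yet: add it directly under the [Privilege Rights] header.
        $sec   = [array]::IndexOf($lines, '[Privilege Rights]')
        $lines = @($lines[0..$sec]) + "$right = *$sid" + @($lines | Select-Object -Skip ($sec + 1))
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 3. NTFS: read-only access to the site content, nothing granted anywhere else.
#    (IIS opens static files with the authenticated user's token, so read is needed.)
icacls $SitePath /grant "${UserName}:(OI)(CI)RX" | Out-Null

# 4. IIS, for this site only: Basic auth on, anonymous off, TLS required.
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$auth/basicAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'
```

Two checks worth doing afterwards: `whoami /priv` is not useful for a non-interactive account, so verify the rights with another `secedit /export /areas USER_RIGHTS` and confirm the SID appears on both deny lines; and test a request with the wrong password to confirm the site answers 401 rather than falling back to anonymous access. Note also that the basicAuthentication section has a logonMethod attribute whose default, ClearText, performs a network-type logon, which is the right checked against "Access this computer from the network"; the other values (Batch, Interactive, Network) are checked against their own allow and deny rights instead, so changing it moves the account into a different rights assignment rather than removing the need for one.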

2 Answers


To address your concern about the "Deny access to this computer from the network" policy, that shouldn't prohibit the account from being used to authenticate with the website, since "access from the network" doesn't include the HTTP/S protocol and WWW service. Therefore, you can add the basic auth user account to the "deny access" policy as desired.

Sources...

https://www.itprotoday.com/compute-engines/understanding-access-computer-network-user-right

"Despite the broad-sounding name, the 'Access this computer from the network' user right applies only to the Server service and the resources it provides. The Server service primarily provides remote access to files and printers but also provides remote access to the resources you see in the Microsoft Management Console (MMC) Computer Management snap-in, including event logs, shared folders, local users and groups, logical disk management, and applications that use named pipes. However the Access this computer from the network user right has no effect on services such as World Wide Web Publishing, Telnet, and Terminal Services. To control access to these services, you must implement security settings specific to each service as necessary."

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network

"The Access this computer from the network policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+)."

Hope this helps.

Mark J
  • I tried it, however as soon as the user was denied this permission, it could no longer access the website. – wezten May 27 '19 at 07:06
  • Could you confirm that "Windows Authentication" is disabled for your site under the IIS Authentication settings? – Mark J May 27 '19 at 08:05
  • I don't have 'Windows Authentication' as an option, guess it's not installed. – wezten May 28 '19 at 12:55

Maybe you should use another account type. User account type should only be used for real humans (and for buggy applications).

https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts

https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

K. Frank
  • The former seems specifically for services. For the latter I can't see how to give the identity a password, using it for basic authentication. – wezten Jun 29 '19 at 19:21
  • Managed service accounts can be used for nearly all kinds of things, including scheduled tasks and IIS App Pools: https://hansstan.wordpress.com/2017/07/05/using-group-managed-service-accounts-with-iis/ – K. Frank Jun 29 '19 at 21:03
  • I couldn't figure out from your articles how to actually create the service accounts, and use them for basic authentication. Gave you the bounty, since it might work. – wezten Jun 30 '19 at 19:33
  • Maybe https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj128431(v%3Dws.11) or https://learn.microsoft.com/en-us/powershell/module/addsadministration/set-adserviceaccount?view=win10-ps can help you if you need further information. – K. Frank Jul 01 '19 at 07:58