Hi Thomas,
Thank you for posting in MSDN managed newsgroup!
From my experience on this issue, I'd suggest you use the Windows authentication method of the web dav folder to solve this issue. You can type
"inetmgr" (without quotation) in start->run. Please click to the web dav folder properties window. In the Directory security tab, please select the
"windows integrated authentication" which will take advantage of the windows user account management.
This way, you can create one or several account group(s) for your web dav users in the windows user account manager which will be very simple
for your account management. You can type "lusrmgr.msc" (without quotation) in start->run to start the manager. Based on your scenario, create
accounts and specify them into different account groups.
After all those settings, I'd suggest you configure the webdav folder with the following steps.
// steps begin
1. check the security property of your web dav folder through right-clicking the webdav folder and selecting the properties
2. in the pop-up window, choose the security tab.
Please ensure that only the system account is added into the "Group or user names" listbox (we also call this the "access control list" [ACL]. For
abbreviation, I will call the "Group or user names" list box the ACL). If not, remove all other accounts. Generally speaking, windows will not let you
delete the accounts in the ACL because the user accounts are inherited from the parent folder by default. You can press the "Advanced" button in
the security tab, then in the "Advanced security Settings for <foldername>" window, deselect the "Allow inheritable permissions from ..." item and
select the "remove" button in the warning window. After that, all the accounts in the ACL will not be removed until you click the ok button of the
"Advanced security Settings for <foldername>" window.
When you go back to the security tab of the property window, you can add "<your computername>\system" into the ACL through clicking the add...
button. Based on my experience, I'd suggest you grant "Full control" permission to the system account so that some windows services can use this
account to use this folder, for example indexing service will use this account to index the documentation by default.
3. Then add the web dav user group which you created before into the ACL. If the user wants to access the web dav folder, he will need to log in
to this folder. Then grant the permissions below for this user group.
a)Read & Execute
b)List Folders Controls
c)Read
d)write //we can control the write permission from the IIS mmc . I will focus more on this later.
The four permissions are based on NTFS permission which is provided by windows operating system with the assistance of NTFS format harddisk.
4. After this configuration, please go to the IIS mmc.
5. Go to the property window of the webdav folder. In the Virtual Directory tab, you can deselect the "write" item. This means IIS will deny all the
write requests. I illustrate this for you in the simple graph below:

  write request    ||     (1)      ||               (2)
  ---------------->|| IIS checking ||-----------> NTFS checking-----------> file
                   ||              ||  success                   success

If we deselect the write item in IIS mmc, IIS will directly deny this request at the (1) level. Then the write permission we set in step 3 will be
useless. This is the reason why I tell you to grant the write permission to the web dav user group(s).
You can also right-click for each file's property window in IIS mmc. Then the request for this file is also the same as the above so that all the write
requests for that file will be denied in IIS when all the other files can be written.
// steps end
This way, you will not get the login window. However, we can't directly manage the webdav folder with an administrator account login even if we add
the windows administrators group into the ACL of the web dav folder and grant full control to the directory. You may need to terminal to the windows
for the remote management.
Please feel free to let me know if you have any further questions.
Does this answer your question? Thank you for using Microsoft NewsGroup!
Wei-Dong Xu
Microsoft Product Support Services
Get Secure! -
www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
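
The NTFS layout from steps 2 and 3 can be checked from a script once the dialogs are closed. The following is an added example, not part of the original post: it reads the folder's ACL with Get-Acl and reports anything that differs from the described state (inheritance off, SYSTEM with Full control, the WebDAV group with Read & Execute and Write, no other accounts). The folder path and the group name `WebDavUsers` are placeholder assumptions.

```powershell
# Added example (not from the post): audit a WebDAV folder's NTFS ACL.
# $Path and $Group are placeholder assumptions; substitute your own values.
param(
    [string]$Path  = 'D:\WebDav',
    [string]$Group = "$env:COMPUTERNAME\WebDavUsers"
)

$system    = 'NT AUTHORITY\SYSTEM'
$full      = [int][System.Security.AccessControl.FileSystemRights]::FullControl
# Read & Execute (which covers List Folder Contents and Read) plus Write.
$groupNeed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'

$acl      = Get-Acl -LiteralPath $Path
$findings = @()

# Step 2: inheritance from the parent folder should be switched off.
if (-not $acl.AreAccessRulesProtected) {
    $findings += 'Inheritance is enabled: parent folder entries still apply.'
}

# Sum the Allow rights per account; one account can hold several entries.
$granted = @{}
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    $granted[$who] = [int]$granted[$who] -bor [int]$ace.FileSystemRights
}

# Steps 2 and 3: only SYSTEM and the WebDAV group should appear.
foreach ($who in $granted.Keys) {
    if ($who -ne $system -and $who -ne $Group) {
        $findings += "Unexpected account in ACL: $who"
    }
}
if (($granted[$system] -band $full) -ne $full) {
    $findings += 'SYSTEM is missing Full control.'
}
if (($granted[$Group] -band $groupNeed) -ne $groupNeed) {
    $findings += "$Group is missing Read & Execute and/or Write."
}

if ($findings.Count -eq 0) { "OK: $Path matches the described ACL layout." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

This covers only the NTFS side, level (2) in the diagram; the IIS "write" checkbox at level (1) is a separate setting and is not read by this script.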