Using Groups for Selective Access

This section discusses how Internet Information Server authentication and Windows NT user accounts and global groups are used at Terra Flora to provide selective access to files served through Internet Information Server.

An overview of Terra Flora's use of Windows NT groups to provide selective access is shown in Figure 5.9.

Figure 5.9 Controlling access to files by using Windows NT groups

Although Figure 5.9 depicts a single directory structure for simplicity, directories can reside on other disks or even on other network shares.

Domainwide Anonymous Access

The Anonymous access layer of Figure 5.9 demonstrates anonymous access to the root directories, which is granted through the anonymous account specified on the Service tab in the WWW Service Properties dialog box.

In this Terra Flora scenario, Internet Information Server is installed on a stand-alone member server, CANTS40DIV01. The default anonymous account, IUSR_CANTS40DIV01, is a local user account. Because the server will access directories on network computers in the California domain, the account is added to the California domain by using User Manager for Domains, as shown in Figure 5.10. Adding the local account IUSR_CANTS40DIV01 to the California domain enables computers in that domain to authenticate access by Internet Information Server.

Figure 5.10 Accounts and global groups used at Terra Flora in User Manager

Alternatively, you can create a new account in the California domain for anonymous access and specify that account in Internet Service Manager on the Service tab in the WWW Service Properties dialog box.

Basic Authentication and Global Groups

The Basic authentication layer of Figure 5.9 demonstrates using Basic authentication and Windows NT groups to control access to subdirectories.

In Terra Flora, each department provides some information to the entire company, such as current project plans or an employee directory. However, each division or department also uses material that only its members should have access to.

To provide selective access, global groups are created for each division (Nursery, Retail, and Supply) by using User Manager on the primary domain controller, CANTS40ENT03. The Log On Locally user right is added to every user or group that will use the IIS server, as shown in Figure 5.11.

Figure 5.11 Assigning rights to groups in User Manager

You must also give the division groups read access to the directories. To do this, right-click the folder in Windows NT Explorer, then click Properties to specify group permissions in the Directory Permissions dialog box shown in Figure 5.12.

Figure 5.12 Designating the security properties for a directory

To complete the security configuration, Terra Flora appoints a webmaster in each division to control content on the servers. The Webmasters group is created and populated with the three division webmasters. Only the Webmasters group is given Full Control over the entire directory structure.

For more information about adding global groups to a domain and adding user rights to user accounts and groups, see Windows NT Server Concepts and Planning.

Challenge/Response Authentication and Global Groups

The Challenge/response authentication layer in Figure 5.9 demonstrates access that is granted only to managers, by using Windows NT challenge/response authentication. A global group named Managers is created and populated with the user accounts of individual managers.

Read permission on all the budget information files is granted to the group named Managers. Full Control permission on individual files is granted to the individual manager responsible for the file.
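The following batch file is an added example, not part of the Resource Kit text, that reproduces the group and permission layout of the Basic authentication and Challenge/response layers above from the command line instead of through User Manager and Windows NT Explorer. It assumes the domain is named CALIFORNIA, the web content is stored under D:\InetPub\wwwroot on CANTS40DIV01, the user names and budget file names are invented for the example, and the Windows NT Resource Kit tool ntrights.exe is available for granting the Log On Locally right. Run it from the IIS server while logged on as a domain administrator; the /domain switch directs the net commands to the primary domain controller.

```batch
@echo off
rem Added example (not the Resource Kit's own script). Assumptions: domain
rem CALIFORNIA, content root D:\InetPub\wwwroot, invented account names.

rem --- Anonymous layer: matching account in the domain for IUSR_CANTS40DIV01 ---
rem "*" prompts for the password; it must equal the one set in Internet Service
rem Manager on the Service tab, or anonymous logons will fail.
net user IUSR_CANTS40DIV01 * /add /domain /comment:"IIS anonymous account"

rem --- Global groups: one per division, plus Webmasters and Managers ---
net group Nursery    /add /domain /comment:"Nursery division staff"
net group Retail     /add /domain /comment:"Retail division staff"
net group Supply     /add /domain /comment:"Supply division staff"
net group Webmasters /add /domain /comment:"Division webmasters"
net group Managers   /add /domain /comment:"Managers with budget access"

rem --- Populate the groups (sample accounts, constructed for this example) ---
net group Nursery    nursery01 nursery02 /add /domain
net group Retail     retail01 /add /domain
net group Supply     supply01 /add /domain
net group Webmasters nursery01 retail01 supply01 /add /domain
net group Managers   mgr_nursery mgr_retail /add /domain

rem --- Log On Locally right on the IIS server (ntrights.exe, NT Resource Kit) ---
rem IIS logs accounts on interactively, so every account or group it will
rem authenticate needs SeInteractiveLogonRight on CANTS40DIV01.
for %%G in (IUSR_CANTS40DIV01 Nursery Retail Supply Webmasters Managers) do ntrights -u CALIFORNIA\%%G -m \\CANTS40DIV01 +r SeInteractiveLogonRight

rem --- NTFS permissions (cacls: /E edit the existing ACL, /T recurse, /G grant)
rem Anonymous layer: the anonymous account reads the root directories only.
cacls D:\InetPub\wwwroot /E /G CALIFORNIA\IUSR_CANTS40DIV01:R

rem Basic layer: each division reads only its own subdirectory.
cacls D:\InetPub\wwwroot\Nursery /T /E /G CALIFORNIA\Nursery:R
cacls D:\InetPub\wwwroot\Retail  /T /E /G CALIFORNIA\Retail:R
cacls D:\InetPub\wwwroot\Supply  /T /E /G CALIFORNIA\Supply:R

rem Webmasters are the only group with Full Control over the whole tree.
cacls D:\InetPub\wwwroot /T /E /G CALIFORNIA\Webmasters:F

rem Challenge/response layer: Managers read every budget file; the manager
rem responsible for a file gets Full Control of that file alone.
cacls D:\InetPub\wwwroot\Budget /T /E /G CALIFORNIA\Managers:R
cacls D:\InetPub\wwwroot\Budget\nursery-budget.xls /E /G CALIFORNIA\mgr_nursery:F
cacls D:\InetPub\wwwroot\Budget\retail-budget.xls  /E /G CALIFORNIA\mgr_retail:F

rem --- Check the result: list the effective ACLs on the budget tree ---
cacls D:\InetPub\wwwroot\Budget /T
```

Two points to verify after running it: cacls /E adds entries to the ACL that is already there, so any earlier grant to Everyone on the content root remains in force until it is removed with /R; and /T only rewrites files that already exist, while files created later take their permissions from the directory they are created in, so the directory ACLs, not the per-file ones, are what keep the layout correct as content is added.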

The use of Windows NT groups demonstrated in this section is scalable and can be expanded to suit your business.

For more information about domain user accounts, local accounts, and the IUSR_computername account, see Chapter 3, "Server Security on the Internet."