PRB: Changing Permissions May Cause Web to Be Unavailable
ID: Q165894
|
The information in this article applies to:
-
Microsoft Visual InterDev, versions 1.0, 6.0
SYMPTOMS
With a Web project loaded, changing the Web Permissions to "Use unique
permissions for this Web" and "Only registered users have browse access"
may cause a failure on subsequent project loads. This will be indicated by
the message:
"Unable to open web <WEBNAME>. Server error. Web <WEBNAME> is busy. Try
again later."
CAUSE
This problem occurs only when the server machine is configured so that the
Anonymous User for the machine is also a member of the Administrator's
group. In this case, the standard authentication protocol for any Web
client will first attempt to log on as the Anonymous User. This will result
in all users being logged in to the server as the anonymous user and give
any user administrator privileges.
When "Only registered users have browse access" is selected, then the
anonymous user is removed from the folder permissions for the Web. This
results in a condition where the user will be logged in to the Web project
as the Anonymous User, but will not have read permission to the Web
project. The loading of project information will fail and the server
operation will time out, producing the error message.
RESOLUTION
When the Anonymous User is a member of the administrator group, then any
Web browser client will be able to access the machine as an administrator.
This is inherently insecure, and should be avoided unless dictated by
specific circumstances. The preferred workaround is to remove the Anonymous
User from the Administrators group on the Web machine.
Because browsing permissions are based on the file permissions on the Web
server, the only way to ensure that only registered users have browse
permission is to remove the Anonymous user's read permissions on the file.
If you have added the Anonymous User to the Administrator group on the
machine, then it is possible for any user to work around your security and
read any file on your machine. In this case, the "Only registered users
have browse access" cannot be enforced so the option should be turned off.
This will restore read access to the files and allow the project to be
loaded by Visual InterDev.
STATUS
This behavior is by design.
In Visual InterDev 6.0, using a Web against the FrontPage98 Server
Extensions (included with Visual InterDev 6.0) will yield the following
error message when the "Only registered users have browse access" option is
selected in the User tab from the Web Permissions options.
Permission failure. Server error: FrontPage was unable to restrict
browse access to only registered users since the groups, Everyone,
SERVER\Administrators, contains the account used by your Microsoft
Internet Server to implement Anonymous Logons. Please remove this group
from the list of registered groups and try again.
MORE INFORMATION
Steps to Reproduce Behavior
- On the server machine, add the Anonymous User to the Administrator
group.
- On the client machine, open a Web in Visual InterDev and access the
Project/Web Permissions dialog. Select "Use unique permissions for this
Web" and "Only registered users have browse access."
- Close the Web project.
- Reopen the Web project.
REFERENCES
For the latest Knowledge Base articles and other support information on
Visual InterDev and Active Server Pages, see the following page on the
Microsoft Technical Support site:
http://support.microsoft.com/support/vinterdev/
Additional query words:
Keywords : kbExtension kbFrontPage kbNTOS400 kbServer kbVisID100 kbVisID600 kbWebServer kbGrpASP
Version : WINDOWS:1.0,6.0
Platform : WINDOWS
Issue type : kbprb