PRB: Changing Permissions May Cause Web to Be Unavailable

ID: Q165894


The information in this article applies to:
  • Microsoft Visual InterDev, versions 1.0, 6.0


SYMPTOMS

With a Web project loaded, changing the Web Permissions to "Use unique permissions for this Web" and "Only registered users have browse access" may cause a failure on subsequent project loads. This will be indicated by the message:

"Unable to open web <WEBNAME>. Server error. Web <WEBNAME> is busy. Try again later."


CAUSE

This problem occurs only when the server machine is configured so that the Anonymous User for the machine is also a member of the Administrator's group. In this case, the standard authentication protocol for any Web client will first attempt to log on as the Anonymous User. This will result in all users being logged in to the server as the anonymous user and give any user administrator privileges.

When "Only registered users have browse access" is selected, then the anonymous user is removed from the folder permissions for the Web. This results in a condition where the user will be logged in to the Web project as the Anonymous User, but will not have read permission to the Web project. The loading of project information will fail and the server operation will time out, producing the error message.


RESOLUTION

When the Anonymous User is a member of the administrator group, then any Web browser client will be able to access the machine as an administrator. This is inherently insecure, and should be avoided unless dictated by specific circumstances. The preferred workaround is to remove the Anonymous User from the Administrators group on the Web machine.

Because browsing permissions are based on the file permissions on the Web server, the only way to ensure that only registered users have browse permission is to remove the Anonymous user's read permissions on the file. If you have added the Anonymous User to the Administrator group on the machine, then it is possible for any user to work around your security and read any file on your machine. In this case, the "Only registered users have browse access" cannot be enforced so the option should be turned off. This will restore read access to the files and allow the project to be loaded by Visual InterDev.


STATUS

This behavior is by design.

In Visual InterDev 6.0, using a Web against the FrontPage98 Server Extensions (included with Visual InterDev 6.0) will yield the following error message when the "Only registered users have browse access" option is selected in the User tab from the Web Permissions options.

Permission failure. Server error: FrontPage was unable to restrict browse access to only registered users since the groups, Everyone, SERVER\Administrators, contains the account used by your Microsoft Internet Server to implement Anonymous Logons. Please remove this group from the list of registered groups and try again.


MORE INFORMATION

Steps to Reproduce Behavior

  1. On the server machine, add the Anonymous User to the Administrator group.


  2. On the client machine, open a Web in Visual InterDev and access the Project/Web Permissions dialog. Select "Use unique permissions for this Web" and "Only registered users have browse access."


  3. Close the Web project.


  4. Reopen the Web project.



REFERENCES

For the latest Knowledge Base articles and other support information on Visual InterDev and Active Server Pages, see the following page on the Microsoft Technical Support site:

http://support.microsoft.com/support/vinterdev/

Additional query words:

Keywords : kbExtension kbFrontPage kbNTOS400 kbServer kbVisID100 kbVisID600 kbWebServer kbGrpASP
Version : WINDOWS:1.0,6.0
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: November 8, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.