000025209 - How to implement group security to limit access to web pages by Windows groups.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025209
Applies To: Microsoft Internet Information Server (IIS)
Microsoft Internet Information Server (IIS) 4.0
Microsoft Internet Information Server (IIS) 5.0
Issue: How to implement group security to limit access to web pages by Windows groups.
Cause: The administrator wishes to limit access to certain web pages or virtual websites by NT or Windows 2000 user groups. This goes above and beyond ACE/Agent Host Group Activation. It gives administrators more flexibility in distributing rights to web pages by Windows group rights. For example, ACE-authenticated users who are members of the Administrators group will be able to see all pages on a web server, while users who are members only of the Employees group will see only those pages that the Employees group's NT / Win2k folder security rights allow them to access.
Resolution: There are 4 stages to this procedure:
1. On NT / Win2k, establish local groups on the IIS server and assign the appropriate level of rights to the folders of your IIS server.
2. On the IIS box, administer the website properties: on the RSA SecurID tab, enable group security. The detailed steps are:
    a.        Start your Computer Management console (or ISM console).
    b.        Under Internet Information Services, select the RSA SecurID tab.
    c.        Under Advanced Settings, check Enable Group Security.
    d.        Click Apply and OK, and exit the console.
3. On the ACE/Server, edit the user and enter the NT / Win2k group name in the Default shell field, observing case sensitivity.
4. On the IIS box, open Control Panel >> Services (on Win2k, Services is found under Administrative Tools) and select the World Wide Web Publishing service; right-click and select Restart. Once the service has restarted, you can use group protection.

Notes: The group name in the Default shell field is case sensitive; you must use the same case displayed under Windows Security. All users must have group information in the Default shell field to access pages when Enable Group Security is checked on that web site.
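
A pre-restart check for the two conditions in the notes above, written as an added example (not RSA's code): it compares each user's Default shell value against the local group names on the IIS server and flags empty values and case mismatches. The host name, the sample `net localgroup` output and the CSV layout (`login`, `default_shell`) are constructed assumptions; the article does not describe an export format.

```python
import csv
import io

# Constructed sample: output of `net localgroup` run on the IIS server.
NET_LOCALGROUP_OUTPUT = """\
Aliases for \\\\WEB01

-------------------------------------------------------------------------------
*Administrators
*Employees
*Guests
The command completed successfully.
"""

# Constructed sample: hypothetical CSV of each login and its Default shell
# value as entered on the ACE/Server (column names are assumed).
USER_SHELLS_CSV = """\
login,default_shell
alice,Administrators
bob,employees
carol,
dave,Contractors
erin,Employees
"""

def parse_local_groups(text):
    """Return group names from `net localgroup` output (lines starting with '*')."""
    return {line[1:].strip() for line in text.splitlines() if line.startswith("*")}

def audit_default_shells(groups, csv_text):
    """Classify each user's Default shell value against the local group names."""
    by_lower = {g.lower(): g for g in groups}
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        shell = (row["default_shell"] or "").strip()
        if not shell:
            status = "missing"        # no group information in Default shell
        elif shell in groups:
            status = "ok"             # exact, case-sensitive match
        elif shell.lower() in by_lower:
            status = "case-mismatch: use " + by_lower[shell.lower()]
        else:
            status = "unknown-group"  # no local group with this name
        findings[row["login"]] = status
    return findings

if __name__ == "__main__":
    groups = parse_local_groups(NET_LOCALGROUP_OUTPUT)
    for login, status in audit_default_shells(groups, USER_SHELLS_CSV).items():
        print(f"{login:8} {status}")
```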
Legacy Article ID: a6086