Copy priv's from one folder to another ?

Bob

Is there some way to "copy" a set of priv's from one folder to
another ?

I have Inetpub directories on two drives. One is the original folder
created by the IIS install. The other is a folder on another drive
which is IIS served virtually. There are a myriad of priv's on the MS
created folder related to the myriad of components that now get
installed on top of IIS.

I am having some problems with the virtual server that are related to
priv's. If I could copy the priv's from the original dir to the new
dir it would greatly reduce my work. If necessary, I could re-create
the virtual from scratch if there are tricks I could use with that
strategy.

Thanks,
 
Roger Abell [MVP]

I never use the inetpub\wwwroot directory and also find its
default permissions not the best.

It depends on what your specific IIS configuration is, especially
for authoring of content, but just to serve out static content for an
example all that you do need on the content area is Administrators
Full control (really not even necessary) and read/list for the Iusr_
account if website is an anonymous access site. Then, you need
to adjust based on specifics of the web applications in use and on
your content authoring model.
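
What the question asks for, as an added example that is not from the thread: copying only the explicit (non-inherited) access rules from one folder to another with PowerShell's `Get-Acl`/`Set-Acl`, leaving the destination's owner and inherited entries alone. The function name and both paths are hypothetical, and it assumes an elevated PowerShell 3.0+ session.

```powershell
# Added example. Copies explicit (non-inherited) access rules from one folder to another.
function Copy-ExplicitDacl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )

    $srcAcl = Get-Acl -LiteralPath $Source
    # Start from the destination's own descriptor so its owner is left untouched.
    $dstAcl = Get-Acl -LiteralPath $Destination

    # Drop the destination's current explicit rules; inherited ones stay with its parent.
    foreach ($rule in @($dstAcl.Access | Where-Object { -not $_.IsInherited })) {
        $dstAcl.RemoveAccessRuleSpecific($rule)
    }

    # Re-create each explicit source rule on the destination.
    $copied = @($srcAcl.Access | Where-Object { -not $_.IsInherited })
    foreach ($rule in $copied) {
        $dstAcl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($Destination, "Replace explicit ACEs with those of $Source")) {
        Set-Acl -LiteralPath $Destination -AclObject $dstAcl
    }

    # Return what was copied so each grant can be reviewed before it is relied on.
    $copied | Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags
}

# Hypothetical paths; -WhatIf previews the change without writing anything.
Copy-ExplicitDacl -Source 'C:\Inetpub\wwwroot' -Destination 'D:\Inetpub\wwwroot' -WhatIf
```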
 
Bob

I never use the inetpub\wwwroot directory and also find its
default permissions not the best.

It depends on what your specific IIS configuration is, especially
for authoring of content, but just to serve out static content for an
example all that you do need on the content area is Administrators
Full control (really not even necessary) and read/list for the Iusr_
account if website is an anonymous access site. Then, you need
to adjust based on specifics of the web applications in use and on
your content authoring model.

Roger:

I have figured out the basic priv's based on my knowledge gleaned
back in IIS 4 when priv's were fairly simple. I have page serving,
asp, and cgi execution working properly.

The basic issue now is Front Page authoring. The server is stand
alone, no AD, authentication is user/password matching from Win
clients. I am logged into a client machine using an account that is
part of the administrator group on the server. I have full access to
anything on the server, including shared admin drives. Still, I can't
access the "web sites" through MS Front Page on the virtual site - I
get a priv violation (I think, some of these messages can be obtuse).
The main site works fine.

Can you point me at what priv's I need to do authoring on the virtual
site (I tried Authdiag.msi - left me more confused than when I started
:).

Thanks,
 
Bob

Can you point me at what priv's I need to do authoring on the virtual
site (I tried Authdiag.msi - left me more confused than when I started
:).

OK... following my own post :)

I managed to get it to work somewhat by uninstalling the FP
extensions, giving the SYSTEM privs to the Inetpub folder, and
reinstalling FP extensions (They gave a priv error on the re-install
even though I was signed on as an admin and admin had full control to
the directories - go figure :).

I can now access the virtual through Front Page but it still prompts
me for a user/pass instead of using the network credentials. Any
thoughts on that?

Thanks,
 
Bob

OK... following my own post :)

And my last self followup... managed to get it working... the last bit
was not a priv problem. Zone Alarm was on "prompt" when FP asked to
act as a server but ZA didn't prompt and FP didn't wait... it just
failed with a problem that looked like a priv issue.

All working now.
 
Roger Abell [MVP]

That last part can also happen from config of IE security settings,
disabling its presenting of Windows credentials automatically.

FrontPage permissions are a giant pain. The FPSE overallocate,
which is not a problem if you have only trusted authors and are
not sharing one server with multiple different web owners.
There are all sorts of little "issues", most centering around the
_vti_log dir of the root web, and the _vti_txt, _vti_cfg of all
webs. If you check you will see FPSE is just opting out from
trying to do the right thing and is instead granting change to
Network and Interactive (which pretty much might just as
well have been to Everyone) on/in these.
Another thing to watch out for is inheriteds that propagate
down onto the FPSE managed content areas. FPSE does not
clear the inherited but does add its own as if there were no
inherited (sometimes leading to misordered ACLs). This is
an issue if, as I often do, you have a broad deny inherited over
the content area (such as for IUsr_/IWam_ equivalent accounts
so that one must explicitly take action to block inheritance on
areas where the browsing client should be able to write) since
the FPSE does not lift the inherited (and hence the deny) but
is still trying to grant the write on its _* autogenerated directories
for some of the bot driven crap, I mean featureset.

Good luck
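
The check described in the post above, as an added example that is not part of the original thread: walk a content area, report write-capable Allow grants to broad principals on `_vti_*` directories, and flag any ACL that is not in canonical order. The function name and the path are hypothetical; the SIDs are the well-known ones for Everyone, NETWORK, INTERACTIVE and Authenticated Users.

```powershell
# Added example. Audits FPSE-managed _vti_* directories under a content root.
function Find-BroadWriteGrant {
    param([Parameter(Mandatory)][string]$ContentRoot)

    # Well-known SIDs: Everyone, NETWORK, INTERACTIVE, Authenticated Users
    $broadSids = 'S-1-1-0', 'S-1-5-2', 'S-1-5-4', 'S-1-5-11'

    # Rights that allow changing content or the ACL, plus raw GENERIC_WRITE / GENERIC_ALL bits
    $named     = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $writeBits = [int]$named -bor 0x40000000 -bor 0x10000000
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    Get-ChildItem -LiteralPath $ContentRoot -Directory -Recurse -Force -Filter '_vti_*' |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -LiteralPath $dir

            # Explicit and inherited rules, identities returned as SIDs
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                $isAllow  = $rule.AccessControlType -eq 'Allow'
                $isBroad  = $broadSids -contains $rule.IdentityReference.Value
                $canWrite = ([int]$rule.FileSystemRights -band $writeBits) -ne 0
                if ($isAllow -and $isBroad -and $canWrite) {
                    [pscustomobject]@{
                        Path      = $dir
                        Finding   = 'BroadWriteGrant'
                        Sid       = $rule.IdentityReference.Value
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                    }
                }
            }

            # Misordered ACL: entries are not in canonical order
            if (-not $acl.AreAccessRulesCanonical) {
                [pscustomobject]@{
                    Path = $dir; Finding = 'NonCanonicalAcl'
                    Sid = $null; Rights = $null; Inherited = $null
                }
            }
        }
}

# Hypothetical content root
Find-BroadWriteGrant -ContentRoot 'D:\Inetpub\wwwroot' | Format-Table -AutoSize
```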
 
Bob

If you check you will see FPSE is just opting out from
trying to do the right thing and is instead granting change to
Network and Interactive (which pretty much might just as
well have been to Everyone) on/in these.


This is one of my beefs (and a lot of other folks I know) with IIS in
general these days. I set up a new 2003 server, no apps at all except
IIS and FP extensions, ASP allowed. No less than 6 accounts had some
level of access to Inetpub/wwwroot. Trying to set up a virtual dir
that mimics that enough so that it works properly ... and not having
time to make a career of IIS and related module permissions, is a real
pain. It should not be this difficult.
 
Roger Abell [MVP]

Agreed, except do not put this on the IIS team.
What you experience is totally due to the FPSE which back then
was totally within the Office team and outside of control by the
IIS group. Believe me, up to the point where WSS efforts made
MS effectively named FPSE dead I was pushing them at every
turn to do something about the FPSE permissioning embarrassment.
 
Bob

Agreed, except do not put this on the IIS team.
What you experience is totally due to the FPSE which back then
was totally within the Office team and outside of control by the
IIS group. Believe me, up to the point where WSS efforts made
MS effectively named FPSE dead I was pushing them at every
turn to do something about the FPSE permissioning embarrassment.

Well, at the same time, IIS permissioning is still a nightmare due to
the myriad of permissions that seem to have to be set on all sorts of
objects on the system with the other components that have to run to
support IIS, windows, and other MS middleware.

Windows is a spaghetti nightmare of "integrated" modules and
permissions. And the "integration" is all by MS's design at the
expense of maintenance and security.

Windows is the anti-Christ.
 
