Set Up the Web Site Security

The newsletter page of this server will be password-protected. This means that everyone who requests that page will need to provide a username and password before they can view it. To set this up, you need to perform the following tasks.

Create a User Account

When a user signs up, you can create an account on the web server for that user and e-mail the user their username and password. You can create a group as well to make NTFS permissions easier to manage.

Creating the Group

Here’s how to create a group:

  1. Open the Computer Management MMC.

  2. Highlight Groups under Local Users and Groups.

  3. Choose Action | New Group.

  4. Type in the name of the group: BeerBrewers Newsletter Group.

  5. Click Create.

Creating the Users

Now we’ll create a user for the group:

  1. In the MMC, highlight Users under Local Users and Groups.

  2. Choose Action | New User.

  3. Type in the username and password for the new user.

  4. Uncheck the User Must Change Password At Next Logon checkbox.

  5. Click Create.

Adding a User to the Group

Here’s how to add a new user to the group:

  1. In the MMC, open Groups under Local Users and Groups.

  2. Double-click the BeerBrewers Newsletter Group.

  3. Click Add.

  4. Choose the user account you wish to add to this group.

  5. Click OK, and then click OK again.

Set Up NTFS Permissions

After you have created the group, you need to grant that group permissions on the file system. We assigned the anonymous group rights earlier; now it’s time to add the beerbrewers site group to the list. You need to add the group only to the file(s) that you want secured. In this case, it’s newsletter.htm.

  1. In Windows Explorer, locate the newsletter.htm file.

  2. Right-click the file, and choose Properties.

  3. Open the Security tab.

  4. Click Add.

  5. Locate the BeerBrewers Newsletter Group.

  6. Click OK.

  7. Grant the BeerBrewers Newsletter Group read and execute permissions to the file.

  8. Click OK.

Set Up the Authentication Options

Now that the NTFS permissions are set, it’s time to set up the security options in IIS. These options need to be set on both the test and production sites, so you’ll need to perform this procedure twice.

  1. Open the IIS MMC and locate the newsletter.htm file.

  2. Right-click the file, and choose Properties.

  3. Open the File Security tab.

  4. Click the Edit button under Authentication And Access Control.

  5. Uncheck the Enable Anonymous Access option.

  6. For this site, we’ll use Basic authentication only, so check Basic Authentication, and uncheck Integrated Windows Authentication.

  7. Click OK once; this will keep the File Security tab open.

Stop right there!

You: Hey, wait a sec. Isn’t basic authentication really bad because it sends the plaintext password?

Me: Normally, yes. But we have a certificate! All the traffic to this page will be encrypted.

You: OK, we do have a certificate, but how do you force people to use that?

Me: That’s next.

Here’s how to force SSL so we’re not sending plaintext passwords around the Internet:

  1. Click the Edit button under Secure Communications.

  2. Click the option to Require Secure Channel (SSL).

  3. If you want, you can require 128-bit encryption, but that will mean that browsers that don’t have 128-bit encryption installed will not be able to access the site.

  4. Click OK.

  5. Click OK again.

Now this file will be password protected, and the password will be protected, too.
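To confirm that the settings took effect on both the test and production sites, you can probe the page without credentials over HTTP and HTTPS and compare the responses with what was configured. The script below is an added example, not code from the book; the host name is a placeholder, and it assumes the server sends one WWW-Authenticate header per authentication scheme.

```python
import http.client

def probe(host, path, use_tls, context=None, timeout=5):
    """Send one unauthenticated GET; return (status, WWW-Authenticate values)."""
    if use_tls:
        # context=None validates the certificate with the system defaults.
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=context)
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    finally:
        conn.close()

def schemes(challenges):
    """Lower-cased scheme names, assuming one scheme per header value."""
    return {c.split()[0].lower() for c in challenges if c.strip()}

def audit(http_result, https_result):
    """Compare both probe results with the settings; return a list of findings."""
    findings = []
    http_status, http_chal = http_result
    https_status, https_chal = https_result
    # Require Secure Channel: plain HTTP must neither serve the page nor ask for a password.
    if http_status == 200:
        findings.append("page is served over plain HTTP")
    if "basic" in schemes(http_chal):
        findings.append("Basic challenge offered over plain HTTP")
    # Anonymous access off, Basic only: HTTPS must answer 401 with a Basic challenge.
    if https_status == 200:
        findings.append("anonymous access is still enabled over HTTPS")
    elif https_status != 401:
        findings.append("unexpected HTTPS status %d" % https_status)
    else:
        extra = schemes(https_chal) - {"basic"}
        if "basic" not in schemes(https_chal):
            findings.append("no Basic challenge over HTTPS")
        if extra:
            findings.append("extra schemes offered: " + ", ".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    host, path = "www.example.test", "/newsletter.htm"  # placeholder host (assumption)
    for finding in audit(probe(host, path, False), probe(host, path, True)) or ["OK"]:
        print(finding)
```

An empty findings list means plain HTTP was refused and HTTPS offered only the Basic challenge.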




IIS 6: The Complete Reference
ISBN: 0072224959
Year: 2005
Pages: 193
