File and Directory Access Control Lists (ACLs)


Just to make sure we are all on the same page, an Access Control List (ACL), pronounced in geek circles as "ackle", is exactly what it sounds like. An ACL is a list of Security Identifiers (SIDs) together with the rights granted to each; a SID can identify a user, a group, or a resource such as a machine. In terms of accounts, this can include user accounts, machine accounts, system accounts, and so on, and the ACL itself is attached to objects such as files. Permissions and roles are established that determine what happens when an authenticated user makes a request. Just remember that it is quite difficult to authorize a user until that user has been authenticated so that you have an identity; otherwise, you are just authorizing the anonymous user.

In Windows 2000, the most familiar ACL interface tool is the Active Directory Users and Computers applet. When you open this program (or the Computer Management applet, under Local Users and Groups), the content of the detail pane is the ACL for that domain or machine. This is where you establish groups that can perform certain functions and establish default file and directory access permissions. Of course, right-clicking a file or directory and selecting Properties lets you set rights on a specific item very efficiently. Because of the tight integration of Internet Information Services (IIS) and Windows 2000/NT, permissions that you set at the OS level carry over to the .NET application level as well. For example, if you set permissions on a file so that only members of the Domain Users group can access it, members of the Guests group (IUSR_<MACHINENAME>, for example) will not have access to the resource. To begin really understanding this process, start with Chapter 14. Now comes the part that causes some confusion: Web permissions can be set independently of NTFS permissions, and Web permissions apply to all users of your site, including FTP users.

NOTE

Web permissions are stored within the IIS Metabase. Perhaps the easiest way to access these settings is through the MetaEdit tool available in the Windows 2000 Server Resource Kit.


NTFS permissions apply to users of a domain and the groups they may belong to, and they cannot be applied unless a user is authenticated. Again, if Windows authentication is used, ACL permissions override all other forms of setting permissions, including settings in config files such as web.config and system.config.

Programmatically, ASP.NET handles file and directory ACL requests through the FileAuthorizationModule class that is activated when you use Integrated Windows Authentication. It automatically performs an ACL check to see if the user has permissions to use the resource.

NOTE

Keep in mind that to use Windows ACLs on the Internet with IIS, you must be using the NTFS file system. Windows XP has built-in support for NTFS, even in the Home Edition, so unless you need to support a legacy Win9x installation on a dual-boot machine, there really is no reason not to convert. The security features alone are worth the reboot. Consult the Windows Help files for your specific operating system version for information on converting to NTFS and on the command-line application CONVERT. Another point on this: if Web permissions are set differently than NTFS permissions (explained in the next section), the more restrictive permissions prevail.
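One way to check the "more restrictive permissions prevail" rule on a real site, as an added PowerShell example that is not from the book: it reads the content directory's NTFS ACL with Get-Acl, reads the site's Web permissions (the AccessRead and AccessWrite metabase flags) through the IIS ADSI provider, and reports which access survives both layers for the anonymous account. The content path, metabase path and anonymous account name are assumptions to adjust for your machine.

```powershell
# Added example (not from the book): compare the NTFS ACL on a web content
# directory with the Web permissions IIS stores in the metabase, and report
# the effective (more restrictive) read/write access for the anonymous account.
# Assumptions: IIS 5/6 with its ADSI metabase provider; the content path,
# metabase path and anonymous account name are placeholders for your machine.
param(
    [string]$ContentPath   = 'C:\Inetpub\wwwroot',
    [string]$MetabasePath  = 'IIS://localhost/W3SVC/1/Root',
    [string]$AnonymousUser = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
)

# 1. NTFS side. IUSR_<MACHINENAME> is a member of Guests, and every logon is
#    in Everyone, so ACEs for those identities also reach the anonymous user.
$identities = @($AnonymousUser, 'BUILTIN\Guests', 'Everyone')
$readBit  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$ntfsRead = $false; $ntfsWrite = $false; $denyRead = $false; $denyWrite = $false
foreach ($ace in (Get-Acl -Path $ContentPath).Access) {
    if ($identities -notcontains $ace.IdentityReference.Value) { continue }
    $grantsRead  = ([int]$ace.FileSystemRights -band $readBit)  -ne 0
    $grantsWrite = ([int]$ace.FileSystemRights -band $writeBit) -ne 0
    if ($ace.AccessControlType -eq 'Deny') {
        # Deny ACEs come first in a canonical DACL and win over any Allow ACE.
        if ($grantsRead)  { $denyRead  = $true }
        if ($grantsWrite) { $denyWrite = $true }
    } else {
        if ($grantsRead  -and -not $denyRead)  { $ntfsRead  = $true }
        if ($grantsWrite -and -not $denyWrite) { $ntfsWrite = $true }
    }
}

# 2. IIS side: Web permissions are the AccessRead / AccessWrite metabase flags.
$vdir     = [adsi]$MetabasePath
$webRead  = [bool]$vdir.InvokeGet('AccessRead')
$webWrite = [bool]$vdir.InvokeGet('AccessWrite')

# 3. Effective access: both layers must allow it, so the stricter one prevails.
$report = New-Object PSObject -Property @{
    Path      = $ContentPath
    NtfsRead  = $ntfsRead;  WebRead  = $webRead;  EffectiveRead  = ($ntfsRead  -and $webRead)
    NtfsWrite = $ntfsWrite; WebWrite = $webWrite; EffectiveWrite = ($ntfsWrite -and $webWrite)
}
$report | Format-List
if ($report.EffectiveWrite) {
    Write-Warning "Anonymous users can write to $ContentPath through $MetabasePath."
}
```

Run it in an elevated console on the IIS host; a site where EffectiveRead is true but NtfsRead is false (or the reverse) shows which layer is doing the restricting.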




.NET Framework Security
ISBN: 067232184X
Year: 2000
Pages: 235
