Need to allow outsider to ONLY to edit IIS

 
 
Georgia Sam
      06-30-2005, 06:50 PM
We have a small domain with approx 50 users.

We have a member server (Win 2000) that is mainly used for file sharing. We
have installed IIS on this server and have been using it to work on
designing a new web site. The web site is NOT on-line.

Now we are hiring a consultant to design a web site. So I need to allow him
to VPN into our network and have access to our file/web server. He must not
have access to any of the normal shares either on this server or on the rest
of the domain. But he needs to do anything he needs to regarding IIS.

How do I set that up? Is the first step putting his account in the Guest
group? I'm concerned because many of our shares are accessible to
"Everyone".

Please advise.


 
 
 
 
 
Phillip Windell
      06-30-2005, 07:29 PM
"Georgia Sam" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Now we are hiring a consultant to design a web site. So I need to allow him
> to VPN into our network and have access to our file/web server. He must not
> have access to any of the normal shares either on this server or on the rest
> of the domain. Be he needs to do anything he needs to regarding IIS.


Create and use a Local user account on the IIS machine instead of a Domain
account. Configure NTFS permissions accordingly.

You cannot create the kind of broad/narrow/specific/unspecific access you
are describing. You can't give him "anything regarding IIS" (what does that
even mean?) without giving him Remote Control similar to PCA or Remote
Desktop, but if he has that, then he can access anything else on the server
as well.

> How do I set that up? Is the first step putting his account in the Guest
> group. I'm concerned because many of our shares are accessible to
> "Everyone".


Stop doing it that way. That is horrible even if you weren't in this
particular situation.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



 
 
Phillip Windell
      06-30-2005, 07:34 PM
"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> > How do I set that up? Is the first step putting his account in the Guest

No, you don't use Guest.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Manny Borges
      06-30-2005, 09:45 PM
Hi George,

The most straightforward way would be to get the site online. This will
allow you to install whatever developer extensions (this is an MS board
so I will mention FrontPage Extensions) the consultant wants to use and not
have this person getting access into your network.

If security is an issue there are four things that can make this a
relatively painless task.

Create a local user account on the server for the web developer and explicitly
deny that account access to all directories that you want to block it from.

Switch up the port on the site to something other than 80.

Map the new port number through a security device (firewall or NAT) that is
externally accessible so that you are only exposing one service to the
outside world.

Turn off anonymous access during Dev.

That is if you want to have the development done on a live server.

However, I should point out that a competent web developer should be able
to stage the site on any machine and should preferably do all the work on
their own system. They should offer some kind of access to the client to
approve the work as the project develops. They can then deliver the content
on a portable media (CD or DVD works great) and do the final upload and
configuration in a single day.

If they tell you it will take more than a day to simply upload content and
configure IIS they are probably messing with ya. It may take several days to
get a more active site configured if you are using a lot of active content
and custom developed web apps or using a back end database as a content
repository or as an integral part of the site's functions.




"Georgia Sam" wrote:

> We have a small domain with approx 50 users.
>
> We have a member server (Win 2000) that mainly used for file sharing. We
> have installed IIS on this server and have been using it to work on
> designing a new web site. The web site is NOT on-line.
>
> Now we are hiring a consultant to design a web site. So I need to allow him
> to VPN into our network and have access to our file/web server. He must not
> have access to any of the normal shares either on this server or on the rest
> of the domain. Be he needs to do anything he needs to regarding IIS.
>
> How do I set that up? Is the first step putting his account in the Guest
> group. I'm concerned because many of our shares are accessible to
> "Everyone".
>
> Please advise.
>
>
>

 
 
Jeff Cochran
      07-01-2005, 02:29 AM
On Thu, 30 Jun 2005 13:50:19 -0500, "Georgia Sam"
<(E-Mail Removed)> wrote:

>We have a small domain with approx 50 users.
>
>We have a member server (Win 2000) that mainly used for file sharing. We
>have installed IIS on this server and have been using it to work on
>designing a new web site. The web site is NOT on-line.
>
>Now we are hiring a consultant to design a web site. So I need to allow him
>to VPN into our network and have access to our file/web server. He must not
>have access to any of the normal shares either on this server or on the rest
>of the domain. Be he needs to do anything he needs to regarding IIS.
>
>How do I set that up? Is the first step putting his account in the Guest
>group. I'm concerned because many of our shares are accessible to
>"Everyone".


Post to fewer, more relevant groups.

Never grant membership to Guest or Everyone for accounts you want to
secure.

To use the IIS MMC, he has to be a web site operator. Whether this is
something that's required is something you need to decide.

Personally, to design a web site, I'd set up FTP access to the web
site root and leave him out of everything else. But you may have a
different definition of "design a web site" than I do.

Jeff
 
 
Roger Abell
      07-01-2005, 12:48 PM
I am pretty much with Jeff's guidance on this.
While I do not like and avoid FTP (as compared to secure FTP)
in this case its use would be within a VPN.

Another thing to note is that the web space, if the machine is with
a default install of IIS, likely does have the (FPSE) Front Page
Server Extensions installed. This would give you an alternative
to FTP (which a web designer probably would be less used to).
I deal with this all the time with contracted site designers.
FTP is not allowed on our public facing IIS, but FPSE is
required.
With FPSE you could
1. give the site a unique IP on the machine
2. set the site in IIS to require authentication
3. configure the site as you would in any publishing scenario,
   this, the FTP, use of MS shares, etc. so that the
   new machine local account for the consultant does have the
   needed NTFS permissions on the web content area
4. tell the FPSE SharePoint admin interface what you have done
   (actually that is where you could set the web for restricted access,
   and grant advanced author to the machine local account - which
   would drive making the NTFS somewhat like it should be)
5. map a public IP and port TCP 80 through to the IP of the
   web

The problem with the FTP or use of MS shares access pattern is
that the IIS member local account defined for the consultant, and
granted access to the FTP area or the network share, does need
login rights in order to connect with FTP/share, and it sounds like
this will be sufficient for access to the existing shares that are not
effectively permissioned at this time. So, as part of the effort,
you would need to review and align the permissions of all shares
hosted on this IIS, and also all machines to make sure none are
using Guest (have it enabled), and that any that are sharing have
their shares effectively permissioned.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Georgia Sam" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We have a small domain with approx 50 users.
>
> We have a member server (Win 2000) that mainly used for file sharing. We
> have installed IIS on this server and have been using it to work on
> designing a new web site. The web site is NOT on-line.
>
> Now we are hiring a consultant to design a web site. So I need to allow him
> to VPN into our network and have access to our file/web server. He must not
> have access to any of the normal shares either on this server or on the rest
> of the domain. Be he needs to do anything he needs to regarding IIS.
>
> How do I set that up? Is the first step putting his account in the Guest
> group. I'm concerned because many of our shares are accessible to
> "Everyone".
>
> Please advise.
>
>
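
The share review Roger Abell describes (no share relying on Everyone, Guest not enabled), as an added example that is not part of any post in this thread. It is a PowerShell audit and assumes a current Windows Server with the SmbShare and LocalAccounts modules, not the Windows 2000 server under discussion; the function names are made up for this example.

```powershell
# Added example: find shares on this server that a new machine-local account
# could reach through broad groups. Assumes Windows Server 2016+ / PowerShell 5.1.

# Broad principals by well-known SID (SIDs avoid localized group names)
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
}

function ConvertTo-Sid([string]$Account) {
    try { ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # orphaned or unresolvable entry
}

function Get-BroadShareGrant {
    # Skip ADMIN$, C$, IPC$ and shares without a folder path (printers)
    foreach ($share in Get-SmbShare -Special $false | Where-Object Path) {
        # Layer 1: share-level permissions
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $sid = ConvertTo-Sid $ace.AccountName
            if ("$($ace.AccessControlType)" -eq 'Allow' -and $sid -and $broadSids.ContainsKey($sid)) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'Share'; Principal = $broadSids[$sid]; Rights = "$($ace.AccessRight)" }
            }
        }
        # Layer 2: NTFS permissions on the shared folder, read back as SIDs
        $rules = (Get-Acl -LiteralPath $share.Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'; Principal = $broadSids[$sid]; Rights = "$($rule.FileSystemRights)" }
            }
        }
    }
}

$findings = @(Get-BroadShareGrant)
$findings | Sort-Object Share, Layer | Format-Table -AutoSize

# Access needs an allow at both layers, so these are the shares actually exposed
$findings | Group-Object Share |
    Where-Object { @($_.Group.Layer | Select-Object -Unique).Count -eq 2 } |
    ForEach-Object { "Open to broad groups at share and NTFS level: $($_.Name)" }

# The built-in Guest account always has RID 501, whatever it has been renamed to
Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' } | Select-Object Name, Enabled
```

The audit reports allow entries only; an explicit deny for the consultant's account, as suggested earlier in the thread, would still override them and is not evaluated here.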



 