Problem: a specific Global Security Group can not load ASP pages (but can load HTML pages). Goal: allow access to the secure website files and directories according to Global Group membership. This is a medical industry customer, so HIPAA compliance is mandatory (i.e. file access and restrictions must...

Hi Everyone, I'm trying to secure a Shared Hosting Environment on a Windows 2003 Server / IIS 6 My approche so far: 1) created an Application Pool User for each of the Site (all members of the IIS_WPG Group) 2) created an Application Pool for each Site and assigned them to the Sites 3) assigned the...

Try this blog, I think it would be perfect for your situation: http://www.west-wind.com/WebLog/posts/59731.aspx Nayden

Hello I have windows server 2003 and iis 6.0 and i installed the php zip package successfully( i can list the php info in the command prompt) but when i try to browse a php file in localy in my server or via internet i got this error You are not authorized to view this page The URL you attempted to reach...

I have a new web master who is building a new web server and within IIS6 she is trying to set the accounts for the application pool. In the properties of the web object if she leaves the identity set to predefined then she is able to view the web pages with a browser. If however she changes this to configurable...

This is excatly what I have been doing for a few years, A collegue and I are in the middle of writing it up as a high level design, hopefully if we can remove the corporate references we will publish this as a paper but a few thing to note so far are We use CIFS (windows shares on sep file server for...

At this point I imagine it's an Active Directory thing but I was hoping there was something I could change before I go get the infrastructure team to work on it. - IIS 6.0 is set to use Integrated Authentication with anonymous access disabled. - Permissions for the groups required are set on the...

Are there any known vulnerabilities for SSL 2.0 that would warrant disabling it and only allowing SSL 3.0?

If I want to force SSL v3 for all browser connections to my web server, how would I do that?

I'm hosting multiple web sites on a single server. As a security baseline I assigned a dedicated application pool for every site, each running its own user account for application pool identity. I also want to use Kerberos authentication with all my sites. So, to make Kerberos work, I have to register...