May 5, 2001
By creating a new user account
for each person who has access to change things (not for visitors to your
website) on your webserver, you add another layer of security to your server.
Each user account can be added to one of several default user groups from
"Administrator" down to "User". Each user group has a specific level
of authority to access system files and make configuration changes.
However, the user group settings do not control which files and folders the user
has control over. You have to set this with the NTFS security settings
AND make them FTP and Web operators in the IIS configuration.
For security reasons, it
is a good idea to give the account the lowest possible privilege level (make them
"Users" not "Administrators") and then use the NTFS and IIS configuration
to give them more access (or limit their access). The user groupings
aren't as useful as you might think in this situation. If you do
not have other people with web space on your server, you probably don't
need to create new accounts.
Also,
you do not need to create user accounts for people to visit your website
anonymously. An account called "IUSR_servername" is automatically created
for you when you install IIS. The "servername" is the name of your
server. DO NOT delete this account. Without this account, nobody
can visit your website.
Here we will show how to
set up the account and pick a user group.
Start -> Settings -> Control
Panel -> Administrative Tools -> Computer Management
Double click on "Local Users
and Groups". Right click on "Users" and select "New User".
Here you fill out the first
three lines with the user's information. You also set the user's
password. There are four options with the account:
- User must change password at next login
- User cannot change password
- Password never expires
- Account is disabled
You can set these as you wish.
In our example, the account
name is "dslcableguest" and the rest is for reference only. After
you are done configuring the settings to your liking, click on "Create".
The computer asks whether you
want to create another account. If you do not, click "Close".
Now we can configure some
of the properties of the account. Right click on the user name you
want to configure and select "Properties". You will see 4 tabs with
several options for you to choose from. This first tab has the same
information that we entered when we first created this account.
This second tab "Members
Of" allows us to make this account a member of several preset groups.
Each group has different levels of authority and privileges for what they
can do to the server. If you are adding an account for somebody who
is going to be a full administrator, then you need to add him/her to the
"Administrator" group. For somebody who has web space and needs web
and FTP access, you should probably leave them in the "Users" group and
instead use NTFS and IIS Configuration to give them access to their section
of the webserver. You don't want to give them Administrative access
since they would then be able to control the whole webserver. You
just want them to have control of their section and NTFS and IIS configuration
is the best way to localize their sphere of control.
However, if you did want
to add them to a group other than the default "User", click the
"Add" button.
Select the group which you
want them to be a member of and then click "Add". Now you're pretty
much done. Like I said before, don't give your users more privileges
than necessary. I would suggest leaving them as "Users". Only
if you have very specific reasons should you promote them to have greater
privileges. Be careful.
This third tab has more options.
You can leave these alone.
The fourth tab is for "Dial-in"
options for users who dial in and login to your webserver. Set these
accordingly. If you don't have dial in for your users, don't worry
about it.
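
The least-privilege setup described above (account left in "Users", access granted per folder through NTFS) can be checked with a script. This is an added example, not part of the original article; it assumes a current Windows Server with PowerShell 5.1 or later, and the function name and folder paths are hypothetical.

```powershell
# Added example. Assumes PowerShell 5.1+ (LocalAccounts module) on the web server.
function Test-WebUserLeastPrivilege {
    param(
        [Parameter(Mandatory)] [string] $UserName,    # e.g. "dslcableguest"
        [Parameter(Mandatory)] [string] $UserFolder,  # hypothetical: the user's section of the site
        [Parameter(Mandatory)] [string] $SiteRoot,    # hypothetical: top of the web content tree
        [string[]] $PrivilegedGroups = @('Administrators', 'Power Users', 'Backup Operators')
    )
    $account  = "$env:COMPUTERNAME\$UserName"
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $findings = @()

    # 1. Group check: a web-space account should stay in "Users" only.
    foreach ($group in $PrivilegedGroups) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.Name -contains $account) {
            $findings += "member of privileged group '$group'"
        }
    }

    # Helper: Allow entries that name this account directly on a path.
    $allowFor = {
        param($path)
        (Get-Acl -Path $path).Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq 'Allow'
        }
    }

    # 2. NTFS check on the user's own folder: access must exist, but not Full Control
    #    (Full Control would let the user rewrite the permissions themselves).
    $own = @(& $allowFor $UserFolder)
    if ($own.Count -eq 0) { $findings += "no NTFS Allow entry on $UserFolder" }
    foreach ($rule in $own) {
        if ($rule.FileSystemRights.HasFlag($full)) { $findings += "Full Control on $UserFolder" }
    }

    # 3. NTFS check on the site root: an entry set there reaches beyond the user's section.
    foreach ($rule in @(& $allowFor $SiteRoot)) {
        if (-not $rule.IsInherited) { $findings += "explicit entry on site root: $($rule.FileSystemRights)" }
    }

    [pscustomobject]@{ Account = $account; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed usage; both paths are placeholders for your own layout.
Test-WebUserLeastPrivilege -UserName 'dslcableguest' `
    -UserFolder 'C:\Inetpub\wwwroot\dslcableguest' -SiteRoot 'C:\Inetpub\wwwroot'
```

Run it from an elevated prompt; an empty Findings list means the account matches the setup recommended here.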