Overview
Microsoft Internet Information Services (IIS) 6.0 bundled with Microsoft Windows Server 2003 uses Active Directory, ADSI, WMI, and Directory Services to set/read permissions to provide security for the web pages.
IIS 6.0 uses the native security features of the NTFS file system and Active Directory Users and Computers (or Computer Management Console) to provide security for web pages. In order to password protect ProblemTracker on this web server you must install it on an NTFS file system.
Microsoft Windows Server 2003 provides tightly integrated and flexible security.
Thus the security permissions on the Windows Server 2003 directories are very restrictive by default.
Instructions
The following instructions assume a workgroup named pteval is installed. For your workgroup, substitute your workgroup name for "pteval" in the steps below.
Enable Password Protection
- Start the Internet Services Manager (Start -> Programs -> Administrative Tools -> Internet Services Manager).
- Double click on the computer/domain name under the folder "Internet Information Services".
- Double click on "Web Sites". Select the Default Web Site or a Web Site in which the ProblemTracker virtual directories (e.g. ptdev) are created.
- Double click on the content directory folder (e.g. "pteval") in the left window pane. The files included in the pteval folders are displayed in the right window pane.
- For each file or folder that you would like to password protect, repeat the following steps:
  - Right click on the file or directory. A pull down menu appears. Select Properties.
  - Select the File Security (or Directory Security) tab.
  - Click on the Edit... button in the Authentication and Access Control section.
  - Uncheck the box for Enable Anonymous Access.
  - Check the box for Basic Authentication. A warning dialog box will pop up. Select "Yes".
  - Type the appropriate domain for your web server in the default domain box.
  - If desired, select Integrated Windows authentication (Note: this method of authentication is only supported by Internet Explorer).
  - Click Apply and then OK in the Properties dialog box.
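The dialog settings above are stored in the IIS 6.0 metabase, so they can be checked after the fact. The following is an added example, not part of the original instructions: it reads the AuthFlags and AccessSSLFlags metabase properties through the IIS ADSI provider and reports whether anonymous access is off and whether Basic authentication (which sends the password base64-encoded, not encrypted) is enabled without SSL being required. The metabase path (site 1, virtual directory pteval) and the function names are assumptions.

```powershell
# Added example (not from the original page). Function names are hypothetical.
# Bit values of the IIS 6.0 metabase properties AuthFlags and AccessSSLFlags.
$AuthBits  = @{ Anonymous = 0x1; Basic = 0x2; IntegratedWindows = 0x4 }
$AccessSSL = 0x8   # "Require secure channel (SSL)"

function Get-EnabledAuth([int]$AuthFlags) {
    # Names of the authentication methods whose bit is set.
    $AuthBits.Keys | Sort-Object | Where-Object { $AuthFlags -band $AuthBits[$_] }
}

function Get-AuthFindings([int]$AuthFlags, [int]$SslFlags) {
    # Compare the stored flags with what the procedure above should leave behind.
    $on = @(Get-EnabledAuth $AuthFlags)
    $findings = @()
    if ($on -contains 'Anonymous') { $findings += 'Anonymous access is still enabled' }
    if ($on.Count -eq 0)           { $findings += 'No authentication method is enabled' }
    if (($on -contains 'Basic') -and -not ($SslFlags -band $AccessSSL)) {
        $findings += 'Basic authentication is enabled but SSL is not required'
    }
    $findings
}

function Test-VirtualDirectory([string]$MetabasePath) {
    # Read both properties from the metabase via the IIS ADSI provider.
    $node = [ADSI]$MetabasePath
    $auth = [int]$node.psbase.Properties['AuthFlags'].Value
    $ssl  = [int]$node.psbase.Properties['AccessSSLFlags'].Value
    "{0}: {1}" -f $MetabasePath, (@(Get-EnabledAuth $auth) -join ', ')
    Get-AuthFindings $auth $ssl | ForEach-Object { "  WARNING: $_" }
}

# Assumed path: site 1 (Default Web Site), virtual directory "pteval".
Test-VirtualDirectory 'IIS://localhost/W3SVC/1/ROOT/pteval'
```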
Set File/Directory Security on Windows Server 2003
The following procedure provides the steps for setting the file permissions for use with Basic and Integrated Windows Authentication.
- Refer to the Default Security table in the Web Server Security Overview section for the permissions required for users to access ProblemTracker. For all users that need to access ProblemTracker workgroups (e.g. "pteval"), please grant them the permissions listed in the table for the user "PUSR4HOSTNAME". For all users that need to access the Workgroup Management System (WMS), please grant them the permissions listed in the table for "Administrators" (or, instead of granting specific permissions, simply add the users that need to access WMS to the local Administrators user group on the machine where ProblemTracker is installed). Grant these permissions using the sub-steps below. Without these required permissions, users may encounter errors when trying to use ProblemTracker or the Workgroup Management System with Basic and/or Integrated Windows authentication enabled.
  - Start the Windows 2003 Explorer (Start -> Programs -> Accessories -> Windows Explorer).
  - Select the directory referenced in the Default Security table.
  - In the right pane of the Explorer, select the directory or file(s) you would like to limit access to. You can select multiple items by holding down the CTRL key on your keyboard as you click on files.
  - With the files or the directory highlighted, go to the File -> Properties menu or right click and choose the Properties menu, then click on the Security tab of the dialog.
  - By default, "PUSR4<HOSTNAME>" (where <HOSTNAME> is the TCP/IP name of the server where ProblemTracker is installed) will have all the check boxes checked (and grayed) under the column Allow and none checked under the column Deny.
  - Delete the default permission for "PUSR4<HOSTNAME>" and any others that grant access to anyone you do not wish to have access to the selected directory or files, by selecting those users and clicking the Remove button. If you do not wish for an individual to see a web page, make sure the user does not have the Read checkbox checked under the column Allow (or, if the Read checkbox is checked and grayed, then check the Read checkbox under the column Deny) for the file or directory.
  - Press the Add... button to display the "Select Users or Groups" dialog. Click the Object Types... button and make sure that Groups and Users are checked (selected); otherwise, check them and click the OK button. To change the "From this location" value, click the Locations... button. Select your appropriate machine/domain and click OK. Now, type in the particular user/group (for example "Administrator") you would like to give access to the selected directory or files. Click the Check Names button to verify whether the user/group names that you typed in are valid. Correct any error reported. You can use the Advanced... button to search for any particular user/group. The users/groups will be listed in the list below. Now click OK to close this dialog. The users/groups chosen will get added to the list. You can grant/deny permissions for each user/group by checking/unchecking the checkboxes under the columns Allow and Deny.
- Refer to the ProblemTracker Organization table in the Web Server Security Overview section to determine which content directories and program files you would like to protect based upon function. Grant these permissions using the sub-steps below:
  - Start the Windows 2003 Explorer (Start -> Programs -> Accessories -> Windows Explorer).
  - Select the directory referenced in the ProblemTracker Organization table.
  - In the right pane of the Explorer, select the directory or file(s) you would like to limit access to. You can select multiple items by holding down the CTRL key on your keyboard as you click on files.
  - With the files or the directory highlighted, go to the File -> Properties menu or right click and choose the Properties menu, then click on the Security tab of the dialog.
  - By default, "PUSR4<HOSTNAME>" (where <HOSTNAME> is the TCP/IP name of the server where ProblemTracker is installed) will have all the check boxes checked (and grayed) under the column Allow and none checked under the column Deny.
  - Delete the default permission for "PUSR4<HOSTNAME>" and any others that grant access to anyone you do not wish to have access to the selected directory or files, by selecting those users and clicking the Remove button. If you do not wish for an individual to see a web page, make sure the user does not have the Read checkbox checked under the column Allow (or, if the Read checkbox is checked and grayed, then check the Read checkbox under the column Deny) for the file or directory.
  - Press the Add... button to display the "Select Users or Groups" dialog. Click the Object Types... button and make sure that Groups and Users are checked (selected); otherwise, check them and click the OK button. To change the "From this location" value, click the Locations... button. Select your appropriate machine/domain and click OK. Now, type in the particular user/group (for example "Administrator") you would like to give access to the selected directory or files. Click the Check Names button to verify whether the user/group names that you typed in are valid. Correct any error reported. You can use the Advanced... button to search for any particular user/group. The users/groups will be listed in the list below. Now click OK to close this dialog. The users/groups chosen will get added to the list. You can grant/deny permissions for each user/group by checking/unchecking the checkboxes under the columns Allow and Deny.
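To confirm the result of the steps above without opening each Properties dialog, the NTFS access control list can be read back from the command line. This added example (not part of the original instructions) lists which accounts hold an Allow or Deny entry covering Read on a directory, and flags items below it that the default account can still read. The directory path and function names are assumptions, and only entries that name the account directly are evaluated, not its group memberships.

```powershell
# Added example (not from the original page). Function names are hypothetical.
$ReadData    = [System.Security.AccessControl.FileSystemRights]::ReadData
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-ReadRules([string]$Path) {
    # Entries that apply to the item itself and cover reading its data.
    (Get-Acl -Path $Path).Access |
        Where-Object { ($_.FileSystemRights -band $ReadData) -and
                       -not ($_.PropagationFlags -band $InheritOnly) } |
        Select-Object @{n='Item';e={$Path}}, IdentityReference, AccessControlType, IsInherited
}

function Test-AccountCanRead($Rules, [string]$Account) {
    # True when the account has an Allow entry for Read and no Deny entry for it.
    # Looks only at entries naming the account itself, not groups it belongs to.
    $mine  = @($Rules | Where-Object { $_.IdentityReference.Value -like "*$Account" })
    $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })
    ($allow.Count -gt 0) -and ($deny.Count -eq 0)
}

function Get-ReadReport([string]$Root, [string]$Account) {
    # Check the root and everything below it; emit one line per item still readable.
    $items = @(Get-Item $Root -Force) + @(Get-ChildItem $Root -Recurse -Force)
    foreach ($item in $items) {
        $rules = @(Get-ReadRules $item.FullName)
        if (Test-AccountCanRead $rules $Account) {
            "STILL READABLE by ${Account}: $($item.FullName)"
        }
    }
}

# Placeholders: substitute your content directory and your server's host name.
$ContentDir = 'C:\path\to\pteval'
Get-ReadRules $ContentDir | Format-Table -AutoSize | Out-String   # who holds Read here
Get-ReadReport $ContentDir 'PUSR4<HOSTNAME>'
```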
WMS Operations that can impact your Custom Security Settings
The Repair, Move, and Upgrade operations that can be performed in the Workgroup Management System can reset the customized security you have applied to the locations listed in the table above. Before you use the Repair, Move, or Upgrade operations, it is recommended that you take note of the security scheme you have applied, then re-apply these changes after using one of those operations.
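Taking note of the applied security can be done mechanically. The following added example (not part of the original document or the product) records the security descriptor of each protected item before a Repair, Move, or Upgrade, reports which items changed afterward, and re-applies the recorded access lists. Paths, file names and function names are assumptions, and it must be run by an administrator.

```powershell
# Added example (not from the original page). Function names are hypothetical.
function Save-AclSnapshot([string]$Root, [string]$OutFile) {
    # Record the security descriptor (SDDL text) of the root and everything below it.
    @(Get-Item $Root -Force) + @(Get-ChildItem $Root -Recurse -Force) |
        Select-Object @{n='Path';e={$_.FullName}},
                      @{n='Sddl';e={(Get-Acl -Path $_.FullName).Sddl}} |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-AclSnapshot([string]$SnapshotFile) {
    # Emit every recorded item whose current descriptor differs or that no longer exists.
    foreach ($saved in (Import-Csv $SnapshotFile)) {
        $now = '<missing>'
        if (Test-Path $saved.Path) { $now = (Get-Acl -Path $saved.Path).Sddl }
        if ($now -ne $saved.Sddl) {
            $saved | Select-Object Path, Sddl, @{n='Current';e={$now}}
        }
    }
}

function Restore-AclSnapshot($Changed) {
    # Re-apply only the access list (DACL) of each changed item that still exists.
    $dacl = [System.Security.AccessControl.AccessControlSections]::Access
    foreach ($entry in $Changed) {
        if ($entry.Current -eq '<missing>') {
            Write-Warning "Skipped (not found): $($entry.Path)"
            continue
        }
        $acl = Get-Acl -Path $entry.Path
        $acl.SetSecurityDescriptorSddlForm($entry.Sddl, $dacl)
        Set-Acl -Path $entry.Path -AclObject $acl
    }
}

# Order of use (placeholder paths):
#   Save-AclSnapshot 'C:\path\to\pteval' 'C:\acl-before.csv'   # before the WMS operation
#   $changed = @(Compare-AclSnapshot 'C:\acl-before.csv')      # after it
#   $changed | Format-List Path, Sddl, Current                 # review the differences
#   Restore-AclSnapshot $changed                               # re-apply what was recorded
```

After a Move, the recorded paths no longer exist and are reported as missing, so the recorded settings have to be re-applied to the new location by hand.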
For more information on the WMS operations, please refer to the following sections in the WMS Help Guide:
- Repairing a Workgroup
- Moving a Workgroup
- Upgrading a Version 3 Workgroup
- Upgrading a Version 4 or 5 Workgroup