Creating A Staff-Only Site Using Microsoft’s IIS And Active Directory

By Rollie Hawk

A staff-only page can be useful in any number of scenarios. If for nothing else, there may be links you don’t want showing on your front page but that you want employees to easily access. Even if your regular website is hosted remotely, having a staff site on a local server is a good backup for those days when your ISP crashes, your host is down, or there is a problem

If you are working in a corporate environment, creating and removing accounts as employees come and go can take a big chunk of an administrator’s time. Between local logons, email addresses, digital signatures, and other kinds of employee accounts, just keeping track of all of these accounts can be a nightmare. Fortunately, Microsoft’s Active Directory (AD) does a good job of centralizing accounts across an entire corporate network.

In situations where you need a staff-only website, you will usually have to create yet another account for each employee. However, if your Web server runs Microsoft’s Internet Information Services (IIS), you can easily extend the usefulness of AD to your staff-only site.

The steps below outline how to create a staff-only site using IIS and AD on a standalone server running Windows 2000 Server. The steps vary slightly on systems running Windows Server 2003 but should be easy enough to follow.

STEP 1 – Attach the Web server to the local domain
If you are using a standalone server, this won’t be a concern. If the domain controller is on a separate server, however, you may have kept your Web server off the local domain for security reasons. In order to access the AD for authentication via the Web, you’ll need to make sure the Web server is part of the local domain.

You can easily set this by right-clicking on My Computer and choosing “properties.” Choose the Network Identification tab and verify the domain settings.

STEP 2 – Create a directory for your staff-only site
Next, you’ll need to create a directory for your staff-only site if you haven’t already made one. You can make this directory wherever you want, whether inside your site root (the default for IIS is C:\Inetpub\wwwroot) or even on another drive.

STEP 3 – Enable Web Sharing of your directory
The new directory needs to have its Web Sharing set and verified. Depending on where you created it, Web Sharing may already be enabled.

To set this, right-click on the directory’s icon, choose “properties,” and then select the Web Sharing tab. Next to “Share on,” choose the site you want to share this folder on. Fill the bubble next to “Share this folder” and set the alias (e.g. “staff” if you want the page to be aliased as http://yourdomain.tld/staff) and security settings (for read, write, script execution, and so on).

STEP 4 – Enable Directory Security on this new directory
So far, we haven’t done anything to make this new site staff-specific. In order to do that, we’ll need to use IIS’s Directory Security functionality.

To enable this, open up the Information Services Manager and select the directory/alias you just created. From there, right-click, choose “properties,” and click the Directory Security tab.

Under “Anonymous access and authentication control,” click the edit button. On the “Authentication Methods” screen, be sure to deselect the anonymous access checkbox. From there, your settings will depend on your particular security needs. If you aren’t sure, it’s a good idea to deselect “Basic authentication” (since plain-text passwords can easily be sniffed) and choose “Digest authentication” (which is encrypted) and “Integrated Windows authentication” (unless you expect to use something else).

STEP 5 – Set additional security properties
If everyone with an AD account should have access to your staff-only site, the previous step will have you ready to go on Windows 2000 Server (where the “Everyone” group is given access by default). If you need to be a little more selective, such as limiting users by departments or divisions, then you’ll want to change some of the default security settings.

To set these additional properties, right-click on the directory’s icon, choose “properties,” and then select the Security tab. To limit access to specific users or groups, delete the “Everyone” group and add the users and groups you want to have access to your staff-only site.
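
To confirm that the Step 4 settings took effect, request the staff URL without credentials and inspect the challenge the server returns. The following check is an added example, not part of the original article: the function names, the "/staff/" path and the sample responses are assumptions constructed for illustration, and it assumes the server sends one challenge per WWW-Authenticate header line.

```python
import http.client

# Schemes recommended in Step 4: Digest, or Integrated Windows
# authentication (advertised by the server as Negotiate and NTLM).
ACCEPTED = {"digest", "negotiate", "ntlm"}

def offered_schemes(headers):
    """Scheme names from WWW-Authenticate headers in a list of (name, value)
    tuples. Assumes one challenge per header line."""
    schemes = set()
    for name, value in headers:
        if name.lower() == "www-authenticate" and value.strip():
            schemes.add(value.split()[0].lower())
    return schemes

def audit(status, headers):
    """Findings for an unauthenticated request; an empty list matches Step 4."""
    if 200 <= status < 300:
        return ["content served without credentials: anonymous access is still enabled"]
    if status != 401:
        return ["unexpected status %d: no authentication challenge to inspect" % status]
    schemes = offered_schemes(headers)
    findings = []
    if "basic" in schemes:
        findings.append("Basic authentication is offered (plain-text passwords)")
    if not schemes & ACCEPTED:
        findings.append("neither Digest nor Integrated Windows authentication is offered")
    return findings

def fetch_anonymous(host, path="/staff/", port=80):
    """Send one GET with no credentials to your own server; returns (status, headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
HARDENED = (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
                  ("WWW-Authenticate", 'Digest qop="auth", realm="example", nonce="0"')])
BASIC_ONLY = (401, [("WWW-Authenticate", 'Basic realm="yourdomain.tld"')])
ANONYMOUS = (200, [("Content-Type", "text/html")])

if __name__ == "__main__":
    for label, (status, headers) in [("hardened", HARDENED),
                                     ("basic only", BASIC_ONLY), ("anonymous", ANONYMOUS)]:
        print(label, audit(status, headers) or "OK")
```

To test a live server, pass the result of fetch_anonymous for your own host to audit, for example audit(*fetch_anonymous("yourdomain.tld")).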

Many hosts and developers absolutely refuse to touch Windows and IIS in favor of the stability and security track record of Apache running on Unix-based platforms. Others simply want to stick with what they know best. While the members of those two camps are unlikely to make a wholesale shift to the Windows platform, the simplicity and flexibility of the combination of IIS and AD is enough to at least turn a few heads. Those working in very large corporate environments will be even more tempted by the chance to spend more time on Web administration and less on user administration.