|
Have you ever wished you could easily set up password protected areas of your web site
without creating system user accounts? What about moving a password protected website from
Apache to IIS? This article examines a free product that makes both of these
tasks amazingly simple.
The product is IISPassword from a company called Troxo
and it's available for free download from their website: http://www.troxo.com/.
And no this isn't one of those bait and switch deals... it's even free for commercial use!
IISPassword
I'll leave the task of describing IISPassword to Troxo. Here's the quick description from their web site:
IIS password protection of files and folders has always been difficult. IISPassword brings the ease
and power of Apache's htaccess to Microsoft IIS. No longer is there a need for system user accounts
and complex access permissions for maintaining a secure, password protected web site.
IISPassword uses Basic HTTP Authentication for password protecting web sites on IIS, just like htaccess works on Apache. That makes your password protected Apache web site compatible with IIS, and vice versa.
A powerful and intuitive interface makes it possible to password protect a web site in just moments. More advanced settings provide options such as user group management and protection of certain file types.
Download and Installation
For the time and effort of filling out a form with your name and email address, you're rewarded
with an email message that brings you to a download page. The setup file is just under 5 MB and
while the server wasn't lightning fast, it still downloaded fairly quickly.
Running the setup program starts a relatively standard installation process. After the greeting screen you're
prompted to accept the license agreement and then asked if you want to do a typical or custom installation.
The only two options in the custom are to install to a different location and whether or not to register the
ISAPI filter in the global IIS settings, so unless you want to change the location, just run the typical version.
There are really only two things to note about the installation:
It restarts IIS so if you're installing it on a live web server you should do it at an
opportune time when a few seconds of down time won't be noticed.
It installs a utility called LiveUpdate that you can use to check for available updates.
It's a cool utility, but you'll probably want to set it to not run constantly.
Configuration
Those of you who are migrating existing Apache sites don't need to do much in terms of configuration.
Simply upload your content along with your existing .htpasswd and .htaccess files and you should be
good to go. The program automatically picks them up and secures the appropriate files.
For those of you not migrating an existing authentication setup, IISPassword has a nice simple user interface
to help you get started. It's accessed via Internet Services Manager (ISM)
(Start -> Programs -> Administrative Tools -> Internet Information Services) or simply run
C:\windows\system32\inetsrv\iis.msc (or similar depending on the location of your windows directory).
From ISM, right-click the root of your web site and select "Properties". In the resulting
property page, you'll see a new "IISPassword" tab. From there you simply right click on
the folder you want to secure and select "Protect".
You'll see that the folder now has a little symbol indicating that it is secured. Now in order to
access it you'll need a user name and password. To set one up simply click the "Add..." button
under the list of users and enter a user name and password. You can also enter a title that will be displayed
in the authentication box when it pops up. I just entered "Enter Login Info!".
That's all there is to getting it up and running. You can obviously set up a much more advanced configuration,
but that's all you need to do to get started. Explaining all the available .htaccess system directives is
beyond the scope of this article, but if you're looking for information about additional configuration
directives, start with the help file. It's not anything spectacular, but it is well written and should answer
most of your questions.
For those of you looking to automate the process of creating user accounts, IISPassword also includes a
command line tool called UserLine for creating user lines and optionally adding them to password files.
What the Users See
Now that we've secured our content, let's try and get to it. Here's what we see when we request a secured document.
Notice that the "Enter Login Info!" that we entered earlier is here to greet us.
When we enter invalid login info we're bounced to an error message telling us that we're not allowed in.
I'm not terribly happy that this screen tells users the product that we're using, but it seems that you can
avoid this simply by editing the HTML files in the "ErrorDoc" subfolder of the installation directory.
You'll also need to restart IIS for it to pick up changes to these files. I'm not sure how supported this is,
but it seemed to work fine for me. Just in case, you should be sure to make a backup of the originals in case
you need them.
When we enter a valid user name and password we're served the requested document without any further delay.
Conclusion
While it's certainly not for everyone, if you're looking for a way to secure content without setting up system level
user accounts or need to move sites involving authentication from Apache to IIS and vice versa, it's certainly worth giving
IISPassword a look. It's a great little product and you certainly can't beat the price.
For more information, check out the following links.
|
