Your network consists of a single Active Directory domain. The network contains five Windows
Server 2008 R2 servers that host Web Applications. You need to plan a remote management strategy
to manage the Web servers. Your plan must meet the following requirements:
• Allow Web developers to configure features on the Web sites
• Prevent Web developers from having full administrative rights on the Web servers
What should you include in your plan?
A.
Configure request filtering on each Web server.
B.
Configure authorization rules for Web developers on each Web server.
C.
Configure the security settings in Internet Explorer for all Web developers by using a Group Policy.
D.
Add the Web developers to the Account Operators group in the domain.
Explanation:
http
://mscerts.programming4.us/windows_server/windows%20server%202008%20%20%20controlling%
20access%20to%20web%20services%20%28part%205%29%20-
%20managing%20url%20authorization%20rules.aspx
Managing URL Authorization Rules
Authorization is a method by which systems administrators can determine which resources and
content are available to specific users Authorization relies on authentication to validate the identity
of a user. Once the identity has been proven, authorization rules determine which actions a user or
computer can perform IIS provides methods of securing different types of content using URL-based
authorization. Because Web content is generally requested using a URL that includes a full path to
the content being requested, you can configure authorization settings easily, using IIS Manager
Creating URL Authorization Rules
To enable URL authorization, the UrlAuthorizationModule must be enabled Authorization rules can
be configured at the level of the Web server for specific Web sites, for specific Web applications, and
for specific files (based on a complete URL path). URL authorization rules use inheritance so that
lower-level objects inherit authorization settings from their parent objects (unless they are
specifically overridden).
To configure authorization settings, select the appropriate object in the left pane of IIS Manager, and
then select Authorization Rules in Features View. Figure 6 shows an example of multiple rules
configured for a Web site.
Figure 6. Viewing authorization rules for a Web site
There are two types of rules: Allow and Deny. You can create new rules by using the Add Allow Rule
and Add Deny Rule commands in the Actions pane The available options for both types of rules are
the same. (See Figure 7) When creating a new rule, the main setting is to determine to which users
the rule applies. The options are:
• All Users
• All Anonymous Users
• Specific Roles Or User Groups
• Specific Users
When you choose to specify users or groups to which the rule applies, you can type the appropriate
names in a command-separated list. The specific users and groups are defined using NET role
providers. This is a standard feature that is available to ASP NET Web developers. Developers can
create their own roles and user accounts and can define permissions within their applications.
Generally, information about users and roles is stored in a relational database or relies on a directory
service such as Active Directory.
In addition to user and role selections, you can further configure an authorization rule based on
specific HTTP verbs. For example, if you want to apply a rule only for POST commands (which are
typically used to send information from a Web browser to a Web server), add only the POST verb to
the rule
Managing Rule Inheritance
As mentioned earlier in this section, authorization rules are inherited automatically by lower-level
objects This is useful when your Web site and Web content is organized hierarchically based on
intended users or groups The Entry Type column shows whether a rule has been inherited from a
higher level or whether it has been defined locally IIS Manager automatically will prevent you from
creating duplicate rules. You can remove rules at any level, including both Inherited and Local entry
types
