2

At home, I have a small server running on Windows Server 2012 and IIS8 (no AD). I want some of the users on my server to be able to access a shared file directory so they can download it via https.

I created a website in the IIS manager, set the base directory to the shared folder, enabled directory browsing for this website, disabled Anonymous Authentication and enabled Windows Authentication. Access from the internet and https with signed certificate are also configured and working.

So far so good. When I browse to my server, I'm asked for my credentials (good). Unfortunately, all of the local server users are allowed to access the folder, even the built-in guest account (bad). Now I want to restrict the access to some of the users who I put in a group called WebFiles Users. So I tried something I know from web programming - I added an authorization tag to the web.config which now looks like this:

<configuration>
    <system.web>
        <authorization>
            <allow roles="MyServer\WebFiles Users" />
            <deny users="*" />
        </authorization>
    </system.web>

    <!-- this was created by the IIS manager: -->
    <system.webServer>
        <directoryBrowse enabled="true" />
    </system.webServer>
</configuration>

But it doesn't work. I can still access the website with the guest user. Can anyone tell me what I've done wrong?

fero

1 Answer

2

system.web is something that applies to managed ASP.NET content, not to static files.

You want to use system.webServer instead. The node:

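<configuration>
    <system.webServer>
        <security>
            <authorization> <!-- URL authorization rules go here --> </authorization>
        </security>
    </system.webServer>
</configuration>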

should cover this.

In IIS Manager, rather than the ASP.NET section, use the IIS section and then the 'Authorization Rules' icon.

Peter Hahndorf
  • Your last sentence was the clue that I needed. Stupid me forgot to install the URL authorization feature for IIS so there was no _Authorization Rules_ icon. Installing the feature and setting up the rules via the IIS console finally solved my problem (remove inherited rules, add _allow_ rule for my group). – fero Oct 19 '13 at 11:51
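
The rule set that the answer and the follow-up comment describe (remove the inherited rules, add an allow rule for the group), written out as a web.config. This is an added example, not part of the original posts. It assumes the IIS URL Authorization feature is installed and that the authorization section is not locked at the server level; the group name is the one from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <!-- The system.web/authorization block from the question is left out:
         per the answer it only covers managed ASP.NET content. -->
    <system.webServer>
        <directoryBrowse enabled="true" />
        <security>
            <authorization>
                <!-- Drop the rules inherited from the server level
                     (the IIS default there allows all users, "*"). -->
                <clear />
                <!-- Allow only members of the local group; a request that
                     matches no Allow rule is rejected with 401. -->
                <add accessType="Allow" roles="MyServer\WebFiles Users" />
            </authorization>
        </security>
    </system.webServer>
</configuration>
```

After applying it, a request authenticated as an account outside the group, such as the guest account from the question, should receive a 401 instead of the directory listing.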