Removing Users group file system permissions for the Content Manager Explorer leads to a 401 error bringing up the Tridion Sites GUI
000010585|8/15/2019 7:35 PM
SDL Tridion Sites 9.x, SDL Web 8.5
Some security policies require that the Windows Users group be removed from the permissions on the /TRIDION_HOME/web directory. If you do this, opening the Content Manager Explorer returns a 401.3 error.
Microsoft IIS core modules have different file system access requirements depending on the authentication configured for the site.
If you use LDAP or Single-Sign On authentication for your Content Manager Explorer, you can remove the Windows Users group and then ensure the following is set on the /TRIDION_HOME/web directory permissions:
Give the above built-in users read access to the directory in question. This works because, in an SSO/LDAP setup, the CME site in IIS uses Anonymous authentication.
A Windows Authentication setup for the Content Manager Explorer, however, will not work with the Users group removed: the core IIS modules require that file system access for Windows Authentication to function.
The recommended way to meet this security requirement is to move to LDAP/SSO authentication, if not already in use, and then apply the rights changes above to the CME directory.
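The following PowerShell script is an added example, not part of the SDL article, showing how an administrator could apply the change described above on a server. It first checks that Windows Authentication is disabled on the CME site (the case the article says will break), then removes BUILTIN\Users from the directory ACL and grants read access to the built-in accounts. The physical path, the IIS site name and the account names are assumptions supplied as placeholders; the article does not list the account names, so substitute the ones from your own SDL documentation.

```powershell
# Added example (not SDL's own script). Hardens the CME web directory ACL as the
# article describes, refusing to proceed when Windows Authentication is enabled.
# All three values below are placeholders, not values taken from the article.
param(
    [string]$WebDir = 'C:\Tridion\web',                 # placeholder for /TRIDION_HOME/web
    [string]$SiteName = 'SDL Tridion Sites CME',        # placeholder IIS site name
    [string[]]$ReadAccounts = @('<built-in IIS account 1>', '<built-in IIS account 2>')
)

Import-Module WebAdministration -ErrorAction Stop

# 1. Guard: per the article, Windows Authentication needs the Users group file access,
#    so do not remove it while that module is enabled on the CME site.
$winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled'
if ($winAuth.Value) {
    throw "Windows Authentication is enabled on '$SiteName'; removing BUILTIN\Users from '$WebDir' would cause a 401.3. Move the site to LDAP/SSO (Anonymous authentication in IIS) first."
}

# 2. Break inheritance on the directory while keeping a copy of the inherited entries,
#    so the Users ACE (normally inherited from the parent) becomes an explicit one that
#    can be removed. Persist first: inherited entries only become explicit once written.
$acl = Get-Acl -Path $WebDir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $WebDir -AclObject $acl

# 3. Re-read the ACL and drop every entry for BUILTIN\Users.
$acl = Get-Acl -Path $WebDir
$usersAces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }
foreach ($ace in $usersAces) { [void]$acl.RemoveAccessRule($ace) }

# 4. Grant read-and-execute, inherited by subfolders and files, to the built-in accounts.
foreach ($account in $ReadAccounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $WebDir -AclObject $acl

# 5. Show the resulting ACL so the change can be reviewed before testing the CME login.
(Get-Acl -Path $WebDir).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType -AutoSize
```

Run it from an elevated PowerShell session on the Content Manager server, then browse to the Content Manager Explorer to confirm the 401.3 no longer appears. Breaking inheritance is deliberate: as long as the Users group entry is inherited from the parent folder it cannot be removed from this directory alone, and the copied entries keep the rest of the ACL unchanged.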