Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to set minimum NTFS permissions and user rights for IIS 5.x or IIS 6.0


This article describes how to set the minimum permissions that are required for a dedicated Internet Information Services (IIS) 5.0, IIS 5.1, or IIS 6.0 Web server. 

↑ Back to the top


The limitation for this article

Warning This article is only valid for dedicated Web servers that use basic IIS functionality, such as serving HTML static content or simple Active Server Pages (ASP) content. The permission requirements that are described in this article are specific only to the basic permissions for a dedicated Web server that is running IIS 5.x or IIS 6.0 . This article does not consider other Microsoft and third-party products that may require different permissions. You can review server and application documentation for specific security requirements. We recommend that you review the related articles that are specific for the roles of your Web server.

↑ Back to the top


Testing steps before the permissions configurations in a production environment

Before you make permission changes on a production Web server, we recommend that you do the following steps:
  1. Run the most current version of the IIS Lockdown Tool. The following programs and services were installed as part of the test suite that was used to test server security after granting the permissions outlined in this article:
    • Index Services
    • Terminal Services
    • Script Debugger
    • IIS
      • Common Files
      • Documentation
      • FrontPage Server Extensions 2000
      • Internet Services Manager (HTML)
      • WWW
      • FTP
  2. Perform the following functional tests:
    • Hypertext documents (HTML)
    • Active Server Pages (ASP)
    • FrontPage Server Extensions, such as connecting, editing, and saving, if FPSE is enabled while you use the Lockdown Tool
    • Secure Socket Layers (SSL) Connections

↑ Back to the top


Grant ownership and permission to the administrator and to the system

To do this, follow these steps:
  1. Open Windows Explorer. To do this, click Start, click Programs, and then click
    Windows Explorer.
  2. Expand My Computer.
  3. Right-click the system drive (this is typically drive C), and then click Properties.
  4. Click the Security tab, and then click Advanced to open the Access Control Settings for Local Disk dialog box.
  5. Click the Owner tab, click to select the Replace Owner on Sub containers and Objects check box, and then click Apply.

    If you receive the following error message, click Continue:
    An error has occurred applying security information to %systemdrive%\Pagefile.sys
  6. If you receive the following error message, click Yes:
    You do not have permission to read the contents of directory %systemdrive%\System Volume Information - Do you want to replace the directory permission - All permission will be replaced granting you Full Control
  7. Click OK to close the dialog box.
  8. Click Add.
  9. Add the following users, and then grant them the Full Control NTFS permission:
    • Administrator
    • System
    • Creator Owner
  10. After you have added these NTFS permissions, click Advanced, click to select the Reset permission on all child objects and enable propagation of inheritable permissions check box, and then click Apply.
  11. If you receive the following error message, click Continue:
    An error has occurred applying security information to %systemdrive%\Pagefile.sys
  12. After you have reset NTFS permissions, click OK.
  13. Click the Everyone group, click Remove, and then click OK.
  14. Open the properties for the %systemdrive%\Program Files\Common Files folder, and then click the Security tab. Add the account that is used for anonymous access. By default, this is the IUSR_<MachineName> account. Then, add the Users group. Make sure that only the following are selected:
    • Read & Execute
    • List Folder Contents
    • Read
  15. Open the properties for the root directory that holds your Web content. By default, this is the %systemdrive%\Inetpub\Wwwroot folder. Click the Security tab, add the IUSR_<MachineName> account and the Users group, and then make sure that only the following are selected:
    • Read & Execute
    • List Folder Contents
    • Read
  16. If you want to grant Write NTFS permission for Inetpub\FTProot or the directory path for your FTP site or sites, repeat step 15.

    Note We do not recommend that you grant NTFS Write permissions to the anonymous account in any directories, including directories used by the FTP service uses. This can cause unnecessary data to be uploaded to your Web server.

↑ Back to the top


Disable inheritance in system directories

To do this, follow these steps:
  1. In the %systemroot%\System32 folder, select all folders except the following:
    • Inetsrv
    • Certsrv (if present)
    • COM
  2. Right-click the remaining folders, click Properties, and then click the Security tab.
  3. Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.
  4. In the %systemroot% folder, select all folders except the following:
    • Assembly (if present)
    • Downloaded Program Files
    • Help
    • Microsoft.NET (if present)
    • Offline Web Pages
    • System32
    • Tasks
    • Temp
    • Web
  5. Right-click the remaining folders, click Properties, and then click the Security tab.
  6. Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.
  7. Apply permissions to the following:
    1. Open the properties for the %systemroot% folder, click the Security tab, add the IUSR_<MachineName> and IWAM_<MachineName> accounts and the Users group, and then make sure that only the following are selected:
      • Read & Execute
      • List Folder Contents
      • Read
    2. Open the properties for the %systemroot%\Temp folder, select the IUSR_<MachineName> account (this account is already present because it inherits from the Winnt folder), and then click to select the Modify check box. Repeat this step for the IWAM_<MachineName> account and the
      Users group.
    3. If FrontPage Server Extension Clients such as FrontPage or Microsoft Visual InterDev are being used, open the properties for the %systemdrive%\Inetpub\Wwwroot folder, select the Authenticated Users group, select the following, and then click OK:
       
      • Modify
      • Read & Execute
      • List Folder Contents
      • Read
      • Write

↑ Back to the top


NTFS permissions

The following table lists the permissions that will be applied when you follow the steps in the "Disable inheritance in system directories" section. This table is for reference only.

 To apply the permissions in the following table, follow these steps:  
  1. Open Windows Explorer. To do this, click Start, click Programs, click Accessories, and then click Windows Explorer.
  2. Expand My Computer.
  3. Right-click %systemroot%, and then click Properties.
  4. Click the Security tab, and then click Advanced.
  5. Double-click Permission, and then select the appropriate setting from the Apply Onto list.
Note In the "Apply To" column, the term Default refers to "This folder, subfolders, and files."  
Directory Users\Groups Permissions Apply To
%systemroot%\ (c:\winnt) Administrator Full Control Default
  System Full Control Default
  Users Read, execute Default
%systemroot%\system32 Administrators Full Control Default
  System Full Control Default
  Users Read, execute Default
%systemroot%\system32\inetsrv Administrators Full Control Default
  System Full Control Default
  Users Read, execute Default
Inetpub\adminscripts Administrators Full Control Default
Inetpub\urlscan (if present) Administrators Full Control Default
  System Full Control Default
%systemroot%\system32\inetsrv\metaback Administrators Full Control Default
  System Full Control Default
%systemroot%\help\iishelp\common Administrators Full Control This folder and files
  System Full Control This folder and files
  IWAM_<Machinename> Read, execute This folder and files
  Network Full Control This folder and files
  Service   This folder and files
  Users Read, execute This folder and files
Inetpub\wwwroot (or content directories) Administrators Full Control This folder and files
  System Full Control This folder and files
  IWAM_<MachineName> Read, execute This folder and files
  Service Read, execute This folder and files
  Network Read, execute This folder and files
Optional**: Users Read, execute This folder and files

Note If you are using FrontPage Server Extensions, the Authenticated Users or the Users group must have the Change NTFS permission to create, to rename, to write, or to provide the functionality that a developer might have to have from a FrontPage-type of client, such as Visual InterDev 6.0 or FrontPage 2002.

↑ Back to the top


Grant permissions in the registry

  1. Click Start, click Run, type regedt32, and then click OK. Do not use Registry Editor because it does not let you change permissions in Windows 2000.
  2. In Registry Editor, locate and select HKEY_LOCAL_MACHINE.
  3. Expand System, expand CurrentControlSet, and then expand Services.
  4. Select the IISADMIN key, click Security (or press ALT+S), and then select
    Permissions (or press P).
  5. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then remove all users except:
    • Administrators (Allow Read and Full Control)
    • System (Allow Read and Full Control)
  6. Click OK.
  7. Repeat the steps for the MSFTPSVC key.
  8. Select the W3SVC key, click Security, and then click Permissions.
  9. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then remove all entries except:
    • Administrators (Allow Read and Full Control)
    • System (Allow Read and Full Control)
    • Network (Read)
    • Service (Read)
    • IWAM_<MachineName> (Read)
  10. Click OK.

Registry

The following table lists the permissions that will be applied when you follow the steps in the "Grant permissions in the registry" section. This table is for reference only.

Note The acronym HKLM stands for HKEY_LOCAL_MACHINE.
Location Users\Groups Permissions
HKLM\System\CurrentControlSet\Services\IISAdmin Administrators Full Control
  System Full Control
HKLM\System\CurrentControlSet\Services\MsFtpSvc Administrators Full Control
  System Full Control
HKLM\System\CurrentControlSet\Services\w3svc Administrators Full Control
  System Full Control
  IWAM_<MachineName> Read

↑ Back to the top


Grant rights in the Local Security Policy

  1. Click Start, click Settings, and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Local Security Policy.
  3. In the Local Security Settings dialog box, expand Local Policies, and then click User Rights Assignment.
  4. Modify the appropriate policy:
    1. Double-click the policy.
    2. Select and then click Remove for any user who is not listed in the table.
    3. Add any user who is not listed. To do this, click
      Add, and then select the user in the Select Users or Groups dialog box.
Note that because a domain controller policy overrides the local policy, you must make sure that Effective Policy Setting matches Local Policy Setting.

Policies

The following table lists the permissions that will be applied when you follow the steps in the "Grant rights in the Local Security Policy" section.
Policy Users
Log on Locally Administrators
  IUSR_<MachineName> (Anonymous)
  Users (authentication required)
Access this computer from the Network Administrators
  ASPNet (.NET Framework)
  IUSR_<MachineName> (Anonymous)
  IWAM_<MachineName>
  Users
Log on as a Batch Job ASPNet
  Network
  IUSR_<MachineName>
  IWAM_<MachineName>
  Service
Logon as a Service ASPNet
  Network
Bypass Traverse Checking Administrators
  IUSR_<MachineName> (Anonymous)
  Users (Basic, Integrated, Digest)
  IWAM_<MachineName>

↑ Back to the top


References

For more information about how to restore default NTFS permissions for Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:
266118 How to restore the default NTFS permissions for Windows 2000
260985 Minimum NTFS permissions required to use CDONTS
324068 How to set IIS permissions for specific objects
815153 How to configure NTFS file permissions for security of ASP.NET applications
For more information about the required permissions for IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:
812614 Default permissions and user rights for IIS 6.0
 

↑ Back to the top


More Information

This article does not address any one of the specific security requirements of the following server roles or applications:
  • Windows 2000 Domain Controller
  • Microsoft Exchange 5.5 or Microsoft Exchange 2000 Outlook Web Access
  • Microsoft Small Business Server 2000
  • Microsoft SharePoint Portal or Team Services
  • Microsoft Commerce Server 2000 or Microsoft Commerce Server 2002
  • Microsoft BizTalk Server 2000 or Microsoft BizTalk Server 2002
  • Microsoft Content Management Server 2000 or Microsoft Content Management Server 2002
  • Microsoft Application Center 2000
  • The third-party applications that depend on additional permissions

↑ Back to the top


Keywords: kb, kbhowtomaster, kbhowto, kbpending, kbprb, kbquadranttechsupp, kbconsumer

↑ Back to the top

Article Info
Article ID : 271071
Revision : 3
Created on : 4/26/2017
Published on : 3/15/2019
Exists online : False
Views : 505