How to set secure NTFS permissions on IIS 5.0 log files and virtual directories in Windows 2000

This step-by-step article describes how to place NTFS permissions on IIS 5.0 log files and virtual directories. Computers that are directly connected to the Internet are under a constant threat of attack. Any computer that is connected to the Internet must be protected to prevent malicious users from taking control of the computer. Because Web servers are the most common server type to be attacked by malicious users, these computers require extra attention.

One of the most powerful security tools that is available on Windows 2000-based computers is the NTFS file system. You can use the NTFS file system to apply access controls on Web server files that are most likely to be attacked. You can apply Access Control Lists (ACLs) to files and folders in the IIS 5.0 Web server hierarchy to help prevent unauthorized users from taking control of your computer.

There are two general groups of IIS 5.0 related files and folders that benefit from secure ACLs:

• IIS Virtual Directories
• IIS Log File Directories

Setting ACLs on Virtual Directories

1. Arrange files types into dedicated directories. You should create directories in the Inetpub\wwwroot\virtual_server hierarchy for the following file types:
   Executable files (.bat, .cmd, .pl, .exe)
   Script files (.asp)
   Include files (.inc, .shtm, .shtm)
   Static content (.jpg, .gif, .htm, .html)
2. For the Executable, Script, and Include file folders, assign the following permissions:
   Everyone (X)
   Administrators (Full Control)
   System (Full Control)
3. For the Static content folders, assign the following permissions:
   Everyone (R)
   Administrators (Full Control)
   System (Full Control)
4. The Inetpub\FTProot and the Inetpub\Mailroot directories typically require anonymous access for read and write. If this is the case in your environment, put these folders on a different disk, and set disk quotas for the Everyone group. This will prevent a denial of service attack from filling up your boot partition, and you will receive a warning when a disk quota is being reached.

Setting ACLs on Log Files

IIS 5.0 log files are located in the \system_root\system32\LogFiles folder. It is important that these log files remain intact and not be altered so that intruders are not able to "hide their tracks" after an intruder tries to compromise the server. ACLs on the IIS services logs should be set as:

Troubleshooting

• By taking advantage of NTFS permissions, you can reduce the chance of Internet intruders from changing key system files that can lead to a compromised Web server.