This article describes how to set the minimum permissions that are required for a dedicated Internet Information Services (IIS) 5.0, IIS 5.1, or IIS 6.0 Web server. 

Limitations of this article

Warning This article is only valid for dedicated Web servers that use basic IIS functionality, such as serving static HTML content or simple Active Server Pages (ASP) content. The permission requirements that are described in this article apply only to the basic permissions for a dedicated Web server that is running IIS 5.x or IIS 6.0. This article does not consider other Microsoft and third-party products that may require different permissions. Review the server and application documentation for their specific security requirements. We recommend that you also review the related articles that are specific to the roles of your Web server.

Testing steps to perform before you configure permissions in a production environment

Before you make permission changes on a production Web server, we recommend that you do the following steps:

  1. Run the most current version of the IIS Lockdown Tool. The following programs and services were installed as part of the test suite that was used to test server security after granting the permissions outlined in this article:

    • Index Services

    • Terminal Services

    • Script Debugger

    • IIS

      • Common Files

      • Documentation

      • FrontPage Server Extensions 2000

      • Internet Services Manager (HTML)

      • WWW

      • FTP

  2. Perform the following functional tests:

    • Hypertext documents (HTML)

    • Active Server Pages (ASP)

    • FrontPage Server Extensions, such as connecting, editing, and saving, if FPSE is enabled while you use the Lockdown Tool

    • Secure Socket Layers (SSL) Connections

Grant ownership and permission to the administrator and to the system

To do this, follow these steps:

  1. Open Windows Explorer. To do this, click Start, click Programs, and then click Windows Explorer.

  2. Expand My Computer.

  3. Right-click the system drive (this is typically drive C), and then click Properties.

  4. Click the Security tab, and then click Advanced to open the Access Control Settings for Local Disk dialog box.

  5. Click the Owner tab, click to select the Replace Owner on Sub containers and Objects check box, and then click Apply. If you receive the following error message, click Continue:

    An error has occurred applying security information to %systemdrive%\Pagefile.sys

  6. If you receive the following error message, click Yes:

    You do not have permission to read the contents of directory %systemdrive%\System Volume Information - Do you want to replace the directory permission - All permission will be replaced granting you Full Control

  7. Click OK to close the dialog box.

  8. Click Add.

  9. Add the following users, and then grant them the Full Control NTFS permission:

    • Administrator

    • System

    • Creator Owner

  10. After you have added these NTFS permissions, click Advanced, click to select the Reset permission on all child objects and enable propagation of inheritable permissions check box, and then click Apply.

  11. If you receive the following error message, click Continue:

    An error has occurred applying security information to %systemdrive%\Pagefile.sys

  12. After you have reset NTFS permissions, click OK.

  13. Click the Everyone group, click Remove, and then click OK.

  14. Open the properties for the %systemdrive%\Program Files\Common Files folder, and then click the Security tab. Add the account that is used for anonymous access. By default, this is the IUSR_<MachineName> account. Then, add the Users group. Make sure that only the following are selected:

    • Read & Execute

    • List Folder Contents

    • Read

  15. Open the properties for the root directory that holds your Web content. By default, this is the %systemdrive%\Inetpub\Wwwroot folder. Click the Security tab, add the IUSR_<MachineName> account and the Users group, and then make sure that only the following are selected:

    • Read & Execute

    • List Folder Contents

    • Read

  16. If you want to grant Write NTFS permission for Inetpub\FTProot or the directory path for your FTP site or sites, repeat step 15. Note We do not recommend that you grant NTFS Write permission to the anonymous account in any directory, including directories that the FTP service uses. This can cause unnecessary data to be uploaded to your Web server.
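The following script is an added example, not part of the original article: it applies steps 9, 13, 14 and 15 with Windows PowerShell 4.0 or later, which is assumed to be installed on the Web server (the ownership and child-object reset of steps 5 to 8 and 10 to 12 are left to the GUI). Read & Execute is granted as a single right because it already includes List Folder Contents and Read.

```powershell
# Added example, not part of the original article: applies steps 9, 13, 14 and 15 with
# Windows PowerShell 4.0 or later (assumed to be installed on the Web server).
#Requires -RunAsAdministrator
$iusr    = "IUSR_$env:COMPUTERNAME"   # anonymous account name used by IIS 5.x and 6.0
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Set-ArticleFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][hashtable]$Grants,   # identity -> FileSystemRights
        [string[]]$RemoveIdentities = @()
    )
    $acl = Get-Acl -LiteralPath $Path
    # Remove explicit entries for the listed identities (step 13 removes Everyone).
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }
        $name = $ace.IdentityReference.Value -replace '^.*\\'
        if ($RemoveIdentities -contains $name) { [void]$acl.RemoveAccessRule($ace) }
    }
    foreach ($identity in $Grants.Keys) {
        # "Default" in the article's table: this folder, subfolders and files.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $identity, $Grants[$identity], $inherit,
            [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
        $acl.SetAccessRule($rule)   # replaces any existing Allow entry for that identity
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Steps 9 and 13: Full Control for Administrators, System and Creator Owner on the system
# drive, then remove the Everyone group. (Step 9 names "Administrator"; the article's
# permission table uses the Administrators group, which is what is granted here.)
Set-ArticleFolderAcl -Path "$env:SystemDrive\" -RemoveIdentities 'Everyone' -Grants @{
    'Administrators' = 'FullControl'
    'SYSTEM'         = 'FullControl'
    'CREATOR OWNER'  = 'FullControl'
}

# Steps 14 and 15: Read & Execute (which includes List Folder Contents and Read) for the
# anonymous account and the Users group; neither gets Write (step 16).
$readOnly = @{ $iusr = 'ReadAndExecute'; 'Users' = 'ReadAndExecute' }
Set-ArticleFolderAcl -Path "$env:SystemDrive\Program Files\Common Files" -Grants $readOnly
Set-ArticleFolderAcl -Path "$env:SystemDrive\Inetpub\wwwroot" -Grants $readOnly
```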

Disable inheritance in system directories

To do this, follow these steps:

  1. In the %systemroot%\System32 folder, select all folders except the following:

    • Inetsrv

    • Certsrv (if present)

    • COM

  2. Right-click the remaining folders, click Properties, and then click the Security tab.

  3. Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.

  4. In the %systemroot% folder, select all folders except the following:

    • Assembly (if present)

    • Downloaded Program Files

    • Help

    • Microsoft.NET (if present)

    • Offline Web Pages

    • System32

    • Tasks

    • Temp

    • Web

  5. Right-click the remaining folders, click Properties, and then click the Security tab.

  6. Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.

  7. Apply permissions to the following:

    1. Open the properties for the %systemroot% folder, click the Security tab, add the IUSR_<MachineName> and IWAM_<MachineName> accounts and the Users group, and then make sure that only the following are selected:

      • Read & Execute

      • List Folder Contents

      • Read

    2. Open the properties for the %systemroot%\Temp folder, select the IUSR_<MachineName> account (this account is already present because it inherits from the Winnt folder), and then click to select the Modify check box. Repeat this step for the IWAM_<MachineName> account and the Users group.

    3. If FrontPage Server Extension Clients such as FrontPage or Microsoft Visual InterDev are being used, open the properties for the %systemdrive%\Inetpub\Wwwroot folder, select the Authenticated Users group, select the following, and then click OK:

      • Modify

      • Read & Execute

      • List Folder Contents

      • Read

      • Write

NTFS permissions

The following table lists the permissions that will be applied when you follow the steps in the "Disable inheritance in system directories" section. This table is for reference only. To apply the permissions in the following table, follow these steps:

  1. Open Windows Explorer. To do this, click Start, click Programs, click Accessories, and then click Windows Explorer.

  2. Expand My Computer.

  3. Right-click %systemroot%, and then click Properties.

  4. Click the Security tab, and then click Advanced.

  5. Double-click Permission, and then select the appropriate setting from the Apply Onto list.

Note In the "Apply To" column, the term Default refers to "This folder, subfolders, and files."

Directory                                  Users\Groups          Permissions     Apply To
%systemroot%\ (c:\winnt)                   Administrator         Full Control    Default
                                           System                Full Control    Default
                                           Users                 Read, execute   Default
%systemroot%\system32                      Administrators        Full Control    Default
                                           System                Full Control    Default
                                           Users                 Read, execute   Default
%systemroot%\system32\inetsrv              Administrators        Full Control    Default
                                           System                Full Control    Default
                                           Users                 Read, execute   Default
Inetpub\adminscripts                       Administrators        Full Control    Default
Inetpub\urlscan (if present)               Administrators        Full Control    Default
                                           System                Full Control    Default
%systemroot%\system32\inetsrv\metaback     Administrators        Full Control    Default
                                           System                Full Control    Default
%systemroot%\help\iishelp\common           Administrators        Full Control    This folder and files
                                           System                Full Control    This folder and files
                                           IWAM_<MachineName>    Read, execute   This folder and files
                                           Network               Full Control    This folder and files
                                           Service                               This folder and files
                                           Users                 Read, execute   This folder and files
Inetpub\wwwroot (or content directories)   Administrators        Full Control    This folder and files
                                           System                Full Control    This folder and files
                                           IWAM_<MachineName>    Read, execute   This folder and files
                                           Service               Read, execute   This folder and files
                                           Network               Read, execute   This folder and files
                                           Users (optional)      Read, execute   This folder and files

Note If you are using FrontPage Server Extensions, the Authenticated Users or the Users group must have the Change NTFS permission to create, to rename, to write, or to provide the functionality that a developer might have to have from a FrontPage-type of client, such as Visual InterDev 6.0 or FrontPage 2002.
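The following read-only audit is an added example, not part of the original article: it walks the directories in the table above with Windows PowerShell (assumed to be installed) and reports any entry for an identity the table does not list, and any write-class right held by the anonymous, IWAM, Users, Everyone or Authenticated Users principals. Directories marked "if present" are skipped when absent; an Authenticated Users entry with Modify on Wwwroot is expected only when FrontPage Server Extensions are in use, as the note above describes.

```powershell
# Added example, not part of the original article: read-only audit of the directories in
# the NTFS permissions table. Assumes Windows PowerShell on the Web server.
$machine = $env:COMPUTERNAME
$root    = $env:SystemRoot
$drive   = $env:SystemDrive
$expected = @{   # directory -> identities the table allows (CREATOR OWNER is tolerated)
    "$root"                           = @('Administrators', 'SYSTEM', 'Users')
    "$root\system32"                  = @('Administrators', 'SYSTEM', 'Users')
    "$root\system32\inetsrv"          = @('Administrators', 'SYSTEM', 'Users')
    "$root\system32\inetsrv\metaback" = @('Administrators', 'SYSTEM')
    "$root\help\iishelp\common"       = @('Administrators', 'SYSTEM', "IWAM_$machine", 'NETWORK', 'SERVICE', 'Users')
    "$drive\Inetpub\adminscripts"     = @('Administrators')
    "$drive\Inetpub\urlscan"          = @('Administrators', 'SYSTEM')
    "$drive\Inetpub\wwwroot"          = @('Administrators', 'SYSTEM', "IWAM_$machine", 'SERVICE', 'NETWORK', 'Users')
}
# Rights that let a principal change content; the article grants none of these to the
# low-privilege principals below in the audited directories.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$lowPriv   = @("IUSR_$machine", "IWAM_$machine", 'Users', 'Everyone', 'Authenticated Users')

function Test-IisNtfsAcl {
    param([hashtable]$Expected = $expected)
    $findings = @()
    foreach ($dir in $Expected.Keys) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }   # "(if present)" directories
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $name   = $ace.IdentityReference.Value -replace '^.*\\'   # drop BUILTIN\, NT AUTHORITY\
            $rights = [int]$ace.FileSystemRights   # generic rights on inherit-only entries are not expanded
            if ($Expected[$dir] -notcontains $name -and $name -ne 'CREATOR OWNER') {
                $findings += "$dir : unexpected entry for '$name' ($($ace.FileSystemRights))"
            }
            if ($lowPriv -contains $name -and ($rights -band $writeMask) -ne 0) {
                $findings += "$dir : '$name' can write ($($ace.FileSystemRights))"
            }
        }
    }
    return $findings
}

Test-IisNtfsAcl | ForEach-Object { Write-Warning $_ }
```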

Grant permissions in the registry

  1. Click Start, click Run, type regedt32, and then click OK. Do not use Regedit.exe, because in Windows 2000 it does not let you change registry permissions.

  2. In Registry Editor, locate and select HKEY_LOCAL_MACHINE.

  3. Expand System, expand CurrentControlSet, and then expand Services.

  4. Select the IISADMIN key, click Security (or press ALT+S), and then select Permissions (or press P).

  5. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then remove all users except:

    • Administrators (Allow Read and Full Control)

    • System (Allow Read and Full Control)

  6. Click OK.

  7. Repeat the steps for the MSFTPSVC key.

  8. Select the W3SVC key, click Security, and then click Permissions.

  9. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then remove all entries except:

    • Administrators (Allow Read and Full Control)

    • System (Allow Read and Full Control)

    • Network (Read)

    • Service (Read)

    • IWAM_<MachineName> (Read)

  10. Click OK.

Registry

The following table lists the permissions that will be applied when you follow the steps in the "Grant permissions in the registry" section. This table is for reference only. Note The acronym HKLM stands for HKEY_LOCAL_MACHINE.

Location                                           Users\Groups          Permissions
HKLM\System\CurrentControlSet\Services\IISAdmin    Administrators        Full Control
                                                   System                Full Control
HKLM\System\CurrentControlSet\Services\MsFtpSvc    Administrators        Full Control
                                                   System                Full Control
HKLM\System\CurrentControlSet\Services\w3svc       Administrators        Full Control
                                                   System                Full Control
                                                   IWAM_<MachineName>    Read
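The following script is an added example, not part of the original article: it applies the registry permissions from the "Grant permissions in the registry" steps and the table above with Windows PowerShell (assumed to be installed; run from an elevated session). Clearing the inheritance check box with Copy is done in two writes, because the copied entries only become explicit, and therefore removable, after the protected DACL has been saved once.

```powershell
# Added example, not part of the original article: applies the registry permissions in
# the steps and table above with Windows PowerShell (assumed installed; elevated session).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl
$readKey     = [System.Security.AccessControl.RegistryRights]::ReadKey
$subkeysToo  = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit

function Set-ServiceKeyAcl {
    param([string]$KeyName, [hashtable]$Grants)   # Grants: identity -> RegistryRights
    $path = Join-Path $servicesKey $KeyName
    if (-not (Test-Path -LiteralPath $path)) { return "skipped: $path is not present" }
    # Steps 5 and 9: clear "Allow inheritable permissions from parent" and choose Copy.
    # SetAccessRuleProtection($true, $true) protects the key and keeps the inherited
    # entries; they only become explicit (removable) once written, so save and re-read.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $path -AclObject $acl
    $acl = Get-Acl -LiteralPath $path
    # Remove every entry except the identities in $Grants.
    foreach ($ace in @($acl.Access)) {
        $name = $ace.IdentityReference.Value -replace '^.*\\'
        if ($Grants.Keys -notcontains $name) { [void]$acl.RemoveAccessRule($ace) }
    }
    foreach ($identity in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
            $identity, $Grants[$identity], $subkeysToo,
            [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
        $acl.SetAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl
    return "applied: $path"
}

$adminOnly = @{ 'Administrators' = $fullControl; 'SYSTEM' = $fullControl }
Set-ServiceKeyAcl -KeyName 'IISADMIN' -Grants $adminOnly    # steps 4 to 6
Set-ServiceKeyAcl -KeyName 'MSFTPSVC' -Grants $adminOnly    # step 7
Set-ServiceKeyAcl -KeyName 'W3SVC' -Grants ($adminOnly + @{ # steps 8 to 10
    'NETWORK' = $readKey; 'SERVICE' = $readKey; "IWAM_$env:COMPUTERNAME" = $readKey })
```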

Grant rights in the Local Security Policy

  1. Click Start, click Settings, and then click Control Panel.

  2. Double-click Administrative Tools, and then double-click Local Security Policy.

  3. In the Local Security Settings dialog box, expand Local Policies, and then click User Rights Assignment.

  4. Modify the appropriate policy:

    1. Double-click the policy.

    2. Select and then click Remove for any user who is not listed in the table.

    3. Add any user who is listed in the table but not in the policy. To do this, click Add, and then select the user in the Select Users or Groups dialog box.

Note that because a domain controller policy overrides the local policy, you must make sure that Effective Policy Setting matches Local Policy Setting.

Policies

The following table lists the permissions that will be applied when you follow the steps in the "Grant rights in the Local Security Policy" section.

Policy                                   Users
Log on Locally                           Administrators
                                         IUSR_<MachineName> (Anonymous)
                                         Users (authentication required)
Access this computer from the Network    Administrators
                                         ASPNet (.NET Framework)
                                         IUSR_<MachineName> (Anonymous)
                                         IWAM_<MachineName>
                                         Users
Log on as a Batch Job                    ASPNet
                                         Network
                                         IUSR_<MachineName>
                                         IWAM_<MachineName>
                                         Service
Log on as a Service                      ASPNet
                                         Network
Bypass Traverse Checking                 Administrators
                                         IUSR_<MachineName> (Anonymous)
                                         Users (Basic, Integrated, Digest)
                                         IWAM_<MachineName>
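The following read-only check is an added example, not part of the original article: it exports the assigned user rights with secedit.exe and compares them with the policy table above, using the privilege constants that correspond to each policy name. It assumes Windows PowerShell on the server; secedit exports the local policy, so add /mergedpolicy to the export if you want the domain-merged effective setting that the note above refers to.

```powershell
# Added example, not part of the original article: exports the assigned user rights with
# secedit.exe and compares them with the policy table. Read-only; assumes Windows PowerShell.
$m = $env:COMPUTERNAME
$expected = @{   # privilege constant -> accounts the table lists (names without domain)
    'SeInteractiveLogonRight' = @('Administrators', "IUSR_$m", 'Users')                  # Log on Locally
    'SeNetworkLogonRight'     = @('Administrators', 'ASPNET', "IUSR_$m", "IWAM_$m", 'Users')
    'SeBatchLogonRight'       = @('ASPNET', 'NETWORK', "IUSR_$m", "IWAM_$m", 'SERVICE')
    'SeServiceLogonRight'     = @('ASPNET', 'NETWORK')
    'SeChangeNotifyPrivilege' = @('Administrators', "IUSR_$m", 'Users', "IWAM_$m")       # Bypass Traverse Checking
}

function Get-UserRightsAssignment {
    # Returns privilege constant -> account names. secedit writes SIDs with a leading "*".
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $names = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim().TrimStart('*')
                if ($entry -like 'S-1-*') {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier $entry
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
                } else { $entry }
            }
            $rights[$Matches[1]] = @($names | ForEach-Object { $_ -replace '^.*\\' })
        }
    }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Compare-UserRights {
    param([hashtable]$Actual, [hashtable]$Expected = $expected)
    $findings = @()
    foreach ($right in $Expected.Keys) {
        $have = @($Actual[$right] | Where-Object { $_ })   # empty array when the right is unassigned
        foreach ($n in $have) {
            if ($Expected[$right] -notcontains $n) { $findings += "$right : extra '$n' (remove, step 4.2)" }
        }
        foreach ($n in $Expected[$right]) {
            if ($have -notcontains $n) { $findings += "$right : missing '$n' (add, step 4.3)" }
        }
    }
    return $findings
}

Compare-UserRights -Actual (Get-UserRightsAssignment) | ForEach-Object { Write-Warning $_ }
```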

References

For more information about how to restore default NTFS permissions for Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:

266118 How to restore the default NTFS permissions for Windows 2000

260985 Minimum NTFS permissions required to use CDONTS

324068 How to set IIS permissions for specific objects

815153 How to configure NTFS file permissions for security of ASP.NET applications

For more information about the required permissions for IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:

812614 Default permissions and user rights for IIS 6.0

More Information

This article does not address any one of the specific security requirements of the following server roles or applications:

  • Windows 2000 Domain Controller

  • Microsoft Exchange 5.5 or Microsoft Exchange 2000 Outlook Web Access

  • Microsoft Small Business Server 2000

  • Microsoft SharePoint Portal or Team Services

  • Microsoft Commerce Server 2000 or Microsoft Commerce Server 2002

  • Microsoft BizTalk Server 2000 or Microsoft BizTalk Server 2002

  • Microsoft Content Management Server 2000 or Microsoft Content Management Server 2002

  • Microsoft Application Center 2000

  • The third-party applications that depend on additional permissions
