This article describes how to set the minimum permissions that are required for a dedicated Internet Information Services (IIS) 5.0, IIS 5.1, or IIS 6.0 Web server.
Limitations of this article
Warning This article applies only to dedicated Web servers that use basic IIS functionality, such as serving static HTML content or simple Active Server Pages (ASP) content. The permission requirements described here are the basic permissions for a dedicated Web server that is running IIS 5.x or IIS 6.0. This article does not consider other Microsoft or third-party products, which may require different permissions; review the server and application documentation for their specific security requirements. We also recommend that you review the related articles that are specific to the roles of your Web server.
Testing steps before you configure permissions in a production environment
Before you make permission changes on a production Web server, we recommend that you do the following:
1. Run the most current version of the IIS Lockdown Tool. The following programs and services were installed as part of the test suite that was used to test server security after the permissions outlined in this article were granted:
   - Indexing Service
   - Terminal Services
   - Script Debugger
   - IIS, with the following subcomponents:
     - Common Files
     - Documentation
     - FrontPage Server Extensions 2000
     - Internet Services Manager (HTML)
     - WWW
     - FTP
2. Perform the following functional tests:
   - Hypertext documents (HTML)
   - Active Server Pages (ASP)
   - FrontPage Server Extensions (connecting, editing, and saving), if FPSE is left enabled when you run the Lockdown Tool
   - Secure Sockets Layer (SSL) connections
Grant ownership and permissions to Administrators and System
To do this, follow these steps:
1. Open Windows Explorer. To do this, click Start, click Programs, click Accessories, and then click Windows Explorer.
2. Expand My Computer.
3. Right-click the system drive (this is typically drive C), and then click Properties.
4. Click the Security tab, and then click Advanced to open the Access Control Settings for Local Disk dialog box.
5. Click the Owner tab, click to select the Replace Owner on Subcontainers and Objects check box, and then click Apply. If you receive the following error message, click Continue:
   An error has occurred applying security information to %systemdrive%\Pagefile.sys
6. If you receive the following error message, click Yes:
   You do not have permission to read the contents of directory %systemdrive%\System Volume Information - Do you want to replace the directory permission - All permission will be replaced granting you Full Control
7. Click OK to close the dialog box.
8. Click Add.
9. Add the following users and groups, and then grant them the Full Control NTFS permission:
   - Administrators
   - System
   - Creator Owner
10. After you have added these NTFS permissions, click Advanced, click to select the Reset permissions on all child objects and enable propagation of inheritable permissions check box, and then click Apply. This replaces every explicit ACL below the drive root with the inherited entries, so do it only on a dedicated Web server that you have backed up.
11. If you receive the following error message, click Continue:
    An error has occurred applying security information to %systemdrive%\Pagefile.sys
12. After the NTFS permissions have been reset, click OK.
13. Click the Everyone group, click Remove, and then click OK.
14. Open the properties for the %systemdrive%\Program Files\Common Files folder, and then click the Security tab. Add the account that is used for anonymous access (by default, this is the IUSR_<MachineName> account), and then add the Users group. Make sure that only the following permissions are selected for both:
    - Read & Execute
    - List Folder Contents
    - Read
15. Open the properties for the root directory that holds your Web content. By default, this is the %systemdrive%\Inetpub\Wwwroot folder. Click the Security tab, add the IUSR_<MachineName> account and the Users group, and then make sure that only the following permissions are selected:
    - Read & Execute
    - List Folder Contents
    - Read
16. If your FTP site or sites require Write NTFS permission on Inetpub\Ftproot or on their directory path, repeat step 15 for that directory and grant Write only to the accounts that must upload.
    Note We do not recommend that you grant NTFS Write permission to the anonymous account in any directory, including the directories that the FTP service uses. Anonymous users could otherwise upload arbitrary files to your Web server.
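The procedure above, scripted as an added example that is not part of the original article: it takes ownership of the system drive, replaces the root ACL, resets the children, grants the read-only entries on Common Files and the content root, and then audits the content root for any write-class entry left for anonymous or low-privilege principals (the check a practitioner wants before the server goes live). It assumes an elevated PowerShell session on the Web server with icacls.exe present (Windows Server 2003 SP2 or later; Windows 2000 has only the GUI steps and cacls.exe). The IUSR_/IWAM_ names follow the article's convention; the function and variable names are this example's own.

```powershell
# Added example, not code from the original article. Assumes: elevated session, icacls.exe present,
# IUSR_<MachineName>/IWAM_<MachineName> as the anonymous and out-of-process accounts.
$ErrorActionPreference = 'Stop'
$Drive   = "$env:SystemDrive\"
$Anon    = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # anonymous Web access account
$Common  = Join-Path $env:ProgramFiles 'Common Files'
$WwwRoot = Join-Path $env:SystemDrive 'Inetpub\wwwroot'

function Invoke-Icacls {
    # Runs icacls.exe and throws on a non-zero exit code. /C lets icacls continue past objects it
    # cannot touch (pagefile.sys, System Volume Information), which the GUI reports as errors too.
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $($Arguments -join ' ') failed: exit code $LASTEXITCODE" }
}

# Steps 5-7: take ownership of the drive root and of every subcontainer and object.
Invoke-Icacls @($Drive, '/setowner', 'BUILTIN\Administrators', '/T', '/C')

# Steps 8-9 and 13: the drive root gets exactly Administrators, SYSTEM and CREATOR OWNER with
# Full Control; every other explicit entry, including Everyone, is dropped.
$acl = Get-Acl -Path $Drive
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, 'None', 'Allow')))
}
# CREATOR OWNER is inherit-only: a placeholder that becomes the creating account on each child.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CREATOR OWNER', 'FullControl', $inherit, 'InheritOnly', 'Allow')))
Set-Acl -Path $Drive -AclObject $acl

# Steps 10-12: reset every child so it carries only what it inherits from the root. As in the GUI,
# this wipes all explicit ACLs below the drive root; run it only on a dedicated, backed-up server.
Invoke-Icacls @($Drive, '/reset', '/T', '/C')

# Steps 14-15: the anonymous account and Users get Read & Execute (RX, which covers List Folder
# Contents and Read) on Common Files and on the content root; (OI)(CI) = this folder, subfolders, files.
foreach ($folder in $Common, $WwwRoot) {
    Invoke-Icacls @($folder, '/grant', "${Anon}:(OI)(CI)RX", 'BUILTIN\Users:(OI)(CI)RX')
}

function Get-RiskyAce {
    # Returns every Allow ACE under $Path that grants write-class rights (Write, Delete, change
    # permissions, take ownership) to Everyone, the Web accounts, Users or Authenticated Users.
    # After the steps above it should return nothing for the content root.
    param([string]$Path)
    $watch = 'Everyone', 'Users', 'Authenticated Users', "IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME"
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $itemAcl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $itemAcl) { continue }
        foreach ($ace in $itemAcl.Access) {
            $name = $ace.IdentityReference.Value.Split('\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and $watch -contains $name -and
                ([int]($ace.FileSystemRights -band $writeMask)) -ne 0) {
                New-Object PSObject -Property @{ Path = $item.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

$findings = @(Get-RiskyAce -Path $WwwRoot)
if ($findings.Count -eq 0) { "OK: no write-class ACE for anonymous, Users or Everyone under $WwwRoot" }
else { $findings | Format-Table Path, Identity, Rights -AutoSize }
```

Run Get-RiskyAce again after step 16 if you grant Write on an FTP directory: the only entries it should report are the non-anonymous accounts you deliberately gave upload rights.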
Disable inheritance in system directories
To do this, follow these steps:
1. In the %systemroot%\System32 folder, select all folders except the following:
   - Inetsrv
   - Certsrv (if present)
   - COM
2. Right-click the selected folders, click Properties, and then click the Security tab.
3. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then click OK.
4. In the %systemroot% folder, select all folders except the following:
   - Assembly (if present)
   - Downloaded Program Files
   - Help
   - Microsoft.NET (if present)
   - Offline Web Pages
   - System32
   - Tasks
   - Temp
   - Web
5. Right-click the selected folders, click Properties, and then click the Security tab.
6. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then click OK.
7. Apply the following permissions:
   a. Open the properties for the %systemroot% folder, click the Security tab, add the IUSR_<MachineName> and IWAM_<MachineName> accounts and the Users group, and then make sure that only the following permissions are selected:
      - Read & Execute
      - List Folder Contents
      - Read
   b. Open the properties for the %systemroot%\Temp folder, select the IUSR_<MachineName> account (this account is already listed because Temp still inherits from the %systemroot% folder), and then click to select the Modify check box. Repeat this step for the IWAM_<MachineName> account and for the Users group.
   c. If FrontPage Server Extensions clients such as FrontPage or Microsoft Visual InterDev are used, open the properties for the %systemdrive%\Inetpub\Wwwroot folder, select the Authenticated Users group, select the following permissions, and then click OK:
      - Modify
      - Read & Execute
      - List Folder Contents
      - Read
      - Write
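The inheritance steps above, scripted as an added example that is not part of the original article: it protects every subfolder of System32 and of %systemroot% except the ones the article lists (the equivalent of clearing the inheritance check box and choosing Copy), applies the %systemroot% and Temp entries, and then reports which subfolders still inherit so you can confirm that only the excluded ones do. It assumes an elevated PowerShell session with icacls.exe present (Windows Server 2003 SP2 or later); the exclusion lists are the article's, and the function and variable names are this example's own.

```powershell
# Added example, not code from the original article. Assumes: elevated session, icacls.exe present,
# IUSR_<MachineName>/IWAM_<MachineName> as the anonymous and out-of-process accounts.
$ErrorActionPreference = 'Stop'
$SystemRoot = $env:SystemRoot                               # %systemroot%, for example C:\WINNT
$WwwRoot    = Join-Path $env:SystemDrive 'Inetpub\wwwroot'
$Anon = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
$Wam  = "$env:COMPUTERNAME\IWAM_$env:COMPUTERNAME"

function Invoke-Icacls {
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $($Arguments -join ' ') failed: exit code $LASTEXITCODE" }
}

function Disable-FolderInheritance {
    # Steps 1-6: for every subfolder of $Parent not named in $Except, clear "Allow inheritable
    # permissions" and choose Copy. icacls expresses that as /inheritance:d (disable inheritance,
    # keep the inherited entries as explicit ones). The name match is case-insensitive.
    param([string]$Parent, [string[]]$Except)
    Get-ChildItem -LiteralPath $Parent -Force |
        Where-Object { $_.PSIsContainer -and ($Except -notcontains $_.Name) } |
        ForEach-Object { Invoke-Icacls @($_.FullName, '/inheritance:d') }
}

$KeepInSystem32  = @('Inetsrv', 'Certsrv', 'COM')
$KeepInSystemRoot = @('Assembly', 'Downloaded Program Files', 'Help', 'Microsoft.NET',
                      'Offline Web Pages', 'System32', 'Tasks', 'Temp', 'Web')
Disable-FolderInheritance -Parent (Join-Path $SystemRoot 'System32') -Except $KeepInSystem32
Disable-FolderInheritance -Parent $SystemRoot -Except $KeepInSystemRoot

# Step 7a: Read & Execute on %systemroot% for the Web accounts and Users. Because the folders
# above were protected first, this reaches only the folders that still inherit (Temp, Help, Web ...).
Invoke-Icacls @($SystemRoot, '/grant', "${Anon}:(OI)(CI)RX", "${Wam}:(OI)(CI)RX", 'BUILTIN\Users:(OI)(CI)RX')

# Step 7b: Modify (M) on %systemroot%\Temp for the same three principals.
Invoke-Icacls @((Join-Path $SystemRoot 'Temp'), '/grant', "${Anon}:(OI)(CI)M", "${Wam}:(OI)(CI)M", 'BUILTIN\Users:(OI)(CI)M')

# Step 7c, only when FrontPage or Visual InterDev clients publish to this server: Modify for
# Authenticated Users on the content root. Leave $FrontPageClients at $false otherwise.
$FrontPageClients = $false
if ($FrontPageClients) {
    Invoke-Icacls @($WwwRoot, '/grant', 'NT AUTHORITY\Authenticated Users:(OI)(CI)M')
}

function Get-InheritingFolder {
    # Returns the subfolders of $Parent whose DACL is not protected, i.e. still inherits from
    # $Parent. After the steps above only the excluded folders should appear; anything else means
    # the Copy step did not take effect there.
    param([string]$Parent)
    Get-ChildItem -LiteralPath $Parent -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($acl -and -not $acl.AreAccessRulesProtected) { $_.Name }
    }
}

"Still inheriting under System32 (expected: $($KeepInSystem32 -join ', ')):"
Get-InheritingFolder -Parent (Join-Path $SystemRoot 'System32')
"Still inheriting under ${SystemRoot} (expected: $($KeepInSystemRoot -join ', ')):"
Get-InheritingFolder -Parent $SystemRoot
```

The order matters: protecting the subfolders before adding the IUSR_, IWAM_ and Users entries on %systemroot% is what keeps those entries out of folders such as System32\config, which is the point of the procedure.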
NTFS permissions
The following table summarizes the NTFS permissions that result from the procedures in the "Grant ownership and permissions" and "Disable inheritance in system directories" sections. The table is for reference only. If you have to set or correct the scope of an individual entry (the Apply To column), follow these steps:
1. Open Windows Explorer. To do this, click Start, click Programs, click Accessories, and then click Windows Explorer.
2. Expand My Computer.
3. Right-click %systemroot%, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Double-click the permission entry, and then select the appropriate setting in the Apply onto list.
Note In the "Apply To" column, Default means "This folder, subfolders, and files." Network Service is the IIS 6.0 worker process identity.
Directory | Users\Groups | Permissions | Apply To
---|---|---|---
%systemroot%\ (c:\winnt) | Administrators | Full Control | Default
 | System | Full Control | Default
 | Users | Read, execute | Default
%systemroot%\system32 | Administrators | Full Control | Default
 | System | Full Control | Default
 | Users | Read, execute | Default
%systemroot%\system32\inetsrv | Administrators | Full Control | Default
 | System | Full Control | Default
 | Users | Read, execute | Default
Inetpub\adminscripts | Administrators | Full Control | Default
Inetpub\urlscan (if present) | Administrators | Full Control | Default
 | System | Full Control | Default
%systemroot%\system32\inetsrv\metaback | Administrators | Full Control | Default
 | System | Full Control | Default
%systemroot%\help\iishelp\common | Administrators | Full Control | This folder and files
 | System | Full Control | This folder and files
 | IWAM_<MachineName> | Read, execute | This folder and files
 | Network Service | Full Control | This folder and files
 | Users | Read, execute | This folder and files
Inetpub\wwwroot (or content directories) | Administrators | Full Control | This folder and files
 | System | Full Control | This folder and files
 | IWAM_<MachineName> | Read, execute | This folder and files
 | Network Service | Read, execute | This folder and files
 | Users (optional; see note) | Read, execute | This folder and files
Note If you are using FrontPage Server Extensions, the Authenticated Users group or the Users group must have the Modify NTFS permission (called Change in some older tools) so that a FrontPage-type client, such as Visual InterDev 6.0 or FrontPage 2002, can create, rename, and write files.
Grant permissions in the registry
1. Click Start, click Run, type regedt32, and then click OK. On Windows 2000, use Regedt32.exe rather than Regedit.exe, because Regedit.exe on Windows 2000 cannot change key permissions.
2. In Registry Editor, locate and select HKEY_LOCAL_MACHINE.
3. Expand System, expand CurrentControlSet, and then expand Services.
4. Select the IISADMIN key, click Security (or press ALT+S), and then click Permissions (or press P).
5. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then remove all entries except:
   - Administrators (Allow Read and Full Control)
   - System (Allow Read and Full Control)
6. Click OK.
7. Repeat steps 4 through 6 for the MSFTPSVC key.
8. Select the W3SVC key, click Security, and then click Permissions.
9. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then remove all entries except:
   - Administrators (Allow Read and Full Control)
   - System (Allow Read and Full Control)
   - Network Service (Read)
   - IWAM_<MachineName> (Read)
10. Click OK.
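The registry steps above, done from PowerShell as an added example that is not part of the original article: the registry provider and System.Security.AccessControl.RegistrySecurity replace the Regedt32 clicks, and a second function lists the resulting entries so you can compare them with the table. It assumes an elevated session on the Web server; the key names and principals are the article's, and the function and variable names are this example's own.

```powershell
# Added example, not code from the original article. Assumes an elevated session and the
# IWAM_<MachineName> naming convention used in the article.
$ErrorActionPreference = 'Stop'
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Wam      = "$env:COMPUTERNAME\IWAM_$env:COMPUTERNAME"

function Set-ServiceKeyAcl {
    # Makes $KeyPath stop inheriting from Services and leaves exactly the $Entries
    # (identity -> RegistryRights) as Allow entries on the key and its subkeys. Dropping
    # inheritance without copying and then adding the wanted entries ends in the same state
    # as Copy followed by removing every other entry in Regedt32.
    param([string]$KeyPath, [hashtable]$Entries)
    $acl = Get-Acl -Path $KeyPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }   # leftover explicit entries
    foreach ($identity in $Entries.Keys) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, $Entries[$identity], 'ContainerInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Full Control already includes Read, so one entry per account covers "Allow Read and Full Control".
$AdminOnly = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }
$W3svc     = $AdminOnly + @{ 'NT AUTHORITY\NETWORK SERVICE' = 'ReadKey'; $Wam = 'ReadKey' }

Set-ServiceKeyAcl -KeyPath "$Services\IISADMIN" -Entries $AdminOnly
if (Test-Path "$Services\MSFTPSVC") {                       # present only when the FTP service is installed
    Set-ServiceKeyAcl -KeyPath "$Services\MSFTPSVC" -Entries $AdminOnly
}
Set-ServiceKeyAcl -KeyPath "$Services\W3SVC" -Entries $W3svc

function Get-KeyAccess {
    # Lists the Allow entries on $KeyPath as "identity: rights", flagging any that are still
    # inherited, for comparison with the Registry table.
    param([string]$KeyPath)
    (Get-Acl -Path $KeyPath).Access | Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object {
        $suffix = if ($_.IsInherited) { ' (inherited)' } else { '' }
        '{0}: {1}{2}' -f $_.IdentityReference.Value, $_.RegistryRights, $suffix
    }
}

foreach ($key in 'IISADMIN', 'MSFTPSVC', 'W3SVC') {
    if (Test-Path "$Services\$key") { "$key"; Get-KeyAccess -KeyPath "$Services\$key" }
}
```

On an IIS 6.0 server, compare the entries Get-KeyAccess shows before you run Set-ServiceKeyAcl with the defaults in KB 812614 (see References), so that you know which default entries the article's list removes.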
Registry
The following table lists the permissions that result when you follow the steps in the "Grant permissions in the registry" section. This table is for reference only.
Note HKLM stands for HKEY_LOCAL_MACHINE.
Location | Users\Groups | Permissions
---|---|---
HKLM\System\CurrentControlSet\Services\IISAdmin | Administrators | Full Control
 | System | Full Control
HKLM\System\CurrentControlSet\Services\MsFtpSvc | Administrators | Full Control
 | System | Full Control
HKLM\System\CurrentControlSet\Services\w3svc | Administrators | Full Control
 | System | Full Control
 | Network Service | Read
 | IWAM_<MachineName> | Read
Grant rights in the Local Security Policy
1. Click Start, click Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Local Security Policy.
3. In the Local Security Settings dialog box, expand Local Policies, and then click User Rights Assignment.
4. Modify each policy that appears in the Policies table:
   a. Double-click the policy.
   b. Select and then click Remove for any user or group that is not listed in the table for that policy.
   c. Add any user or group that the table lists but that is not yet present. To do this, click Add, and then select the user or group in the Select Users or Groups dialog box.
Note Because a domain policy overrides the local policy, make sure that the Effective Policy Setting column matches the Local Policy Setting column after you make changes. If it does not, the right is assigned by a domain Group Policy that applies to the server, and the change has to be made there.
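An added example, not part of the original article, that checks the user rights in the Policies table with secedit.exe instead of reading each policy in the Local Security Policy console: it exports the local security database, parses the [Privilege Rights] section, resolves the SIDs to account names, and reports, per right, which holders the table does not list and which listed holders are absent. It assumes an elevated session on the Web server; the right constants are the names secedit uses for the five policies in the table, the expected lists are the table's (with Network Service as the IIS 6.0 worker process identity), and the helper names are this example's own.

```powershell
# Added example, not code from the original article. Assumes an elevated session and the
# IUSR_/IWAM_ naming convention used in the article.
$ErrorActionPreference = 'Stop'
$Inf = Join-Path $env:TEMP 'user-rights.inf'

# secedit writes the local security database as a Unicode .inf; [Privilege Rights] holds one line
# per right, e.g. "SeBatchLogonRight = *S-1-5-32-544,*S-1-5-20" (SIDs prefixed with *, or names).
& secedit.exe /export /cfg $Inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed: exit code $LASTEXITCODE" }

$Anon = "IUSR_$env:COMPUTERNAME"
$Wam  = "IWAM_$env:COMPUTERNAME"
$Expected = @{
    'SeInteractiveLogonRight' = @('Administrators', $Anon, 'Users')                   # Log on locally
    'SeNetworkLogonRight'     = @('Administrators', 'ASPNET', $Anon, $Wam, 'Users')  # Access this computer from the network
    'SeBatchLogonRight'       = @('ASPNET', 'NETWORK SERVICE', $Anon, $Wam)          # Log on as a batch job
    'SeServiceLogonRight'     = @('ASPNET', 'NETWORK SERVICE')                       # Log on as a service
    'SeChangeNotifyPrivilege' = @('Administrators', $Anon, 'Users', $Wam)             # Bypass traverse checking
}

function Get-RightHolders {
    # Returns the account names (without domain or machine prefix) that hold $Right in $InfPath.
    param([string]$Right, [string]$InfPath)
    $line = Get-Content -LiteralPath $InfPath | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    foreach ($token in (($line -split '=', 2)[1] -split ',')) {
        $value = $token.Trim()
        if ($value -eq '') { continue }
        if ($value.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($value.Substring(1))
                $value = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }   # keep the raw SID when it no longer resolves (for example a deleted account)
        }
        $value.Split('\')[-1]
    }
}

function Compare-UserRights {
    # One object per right: Extra = holders the table does not list, Missing = listed holders
    # that are absent. A server that matches the table returns empty strings in both columns.
    param([hashtable]$Expected, [string]$InfPath)
    foreach ($right in $Expected.Keys) {
        $have    = @(Get-RightHolders -Right $right -InfPath $InfPath)
        $extra   = @($have | Where-Object { $Expected[$right] -notcontains $_ })
        $missing = @($Expected[$right] | Where-Object { $have -notcontains $_ })
        New-Object PSObject -Property @{ Right = $right; Extra = ($extra -join ', '); Missing = ($missing -join ', ') }
    }
}

Compare-UserRights -Expected $Expected -InfPath $Inf | Format-Table Right, Extra, Missing -AutoSize
```

To apply corrections from a file instead of the console, edit the [Privilege Rights] lines in the exported .inf and import it with secedit /configure /db user-rights.sdb /cfg user-rights.inf /areas USER_RIGHTS. Domain Group Policy settings are merged into the same local database at policy refresh, so if a right keeps reappearing after a refresh, it is assigned by a domain policy and the fix belongs in that policy.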
Policies
The following table lists the user rights that result when you follow the steps in the "Grant rights in the Local Security Policy" section. ASPNET is the ASP.NET worker process account installed with the .NET Framework; Network Service is the IIS 6.0 worker process identity.
Policy | Users
---|---
Log on locally | Administrators
 | IUSR_<MachineName> (Anonymous)
 | Users (authentication required)
Access this computer from the network | Administrators
 | ASPNET (.NET Framework)
 | IUSR_<MachineName> (Anonymous)
 | IWAM_<MachineName>
 | Users
Log on as a batch job | ASPNET
 | Network Service
 | IUSR_<MachineName>
 | IWAM_<MachineName>
Log on as a service | ASPNET
 | Network Service
Bypass traverse checking | Administrators
 | IUSR_<MachineName> (Anonymous)
 | Users (Basic, Integrated, Digest)
 | IWAM_<MachineName>
References
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
266118 How to restore the default NTFS permissions for Windows 2000
260985 Minimum NTFS permissions required to use CDONTS
324068 How to set IIS permissions for specific objects
815153 How to configure NTFS file permissions for security of ASP.NET applications
For more information about the required permissions for IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:
812614 Default permissions and user rights for IIS 6.0
More Information
This article does not address the specific security requirements of the following server roles or applications:
- Windows 2000 Domain Controller
- Microsoft Exchange 5.5 or Microsoft Exchange 2000 Outlook Web Access
- Microsoft Small Business Server 2000
- Microsoft SharePoint Portal Server or SharePoint Team Services
- Microsoft Commerce Server 2000 or Microsoft Commerce Server 2002
- Microsoft BizTalk Server 2000 or Microsoft BizTalk Server 2002
- Microsoft Content Management Server 2000 or Microsoft Content Management Server 2002
- Microsoft Application Center 2000
- Third-party applications that depend on additional permissions