How to set required NTFS permissions and user rights for an IIS 5.0 Web server
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
This article was previously published under Q271071
SUMMARY
This step-by-step article describes the minimum permissions that are required for a dedicated Internet Information Services (IIS) 5.0 Web server.
Warning This article is only valid for dedicated Web servers that use basic IIS functionality, such as serving HTML static content or simple Active Server Pages (ASP) content. The permission requirements that are described in this article are specific ONLY to the basic permissions for a dedicated Web server that is running Microsoft Windows 2000 and IIS 5.0. This article does not consider other Microsoft and third-party products that may require different permissions. We recommend that you review articles that are specific for the roles of your Web server and perform tests before you make permission changes on a production Web server. For links to related articles for other Microsoft products, see the "References" section.
If you apply these permissions to an IIS server that serves other roles, such as Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, or third-party applications that depend on additional permissions, these products may not operate as expected.
Note This article only applies to IIS 5.0. It does not apply to any other versions of IIS.
For more information about the required permissions for IIS 4.0, click the following article number to view the article in the Microsoft Knowledge Base:
187506 (http://support.microsoft.com/kb/187506/) Required NTFS permissions and user rights for IIS 4.0
For more information about the required permissions for IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:
812614 (http://support.microsoft.com/kb/812614/) Default permissions and user rights for IIS 6.0
Testing for this document included the following functional tests:
• Hypertext documents (HTML)
• Active Server Pages (ASP)
• FrontPage Server Extensions, such as connecting, editing, and saving, if FPSE is enabled while you use the Lockdown Tool
• Secure Socket Layers (SSL) connections
This document does not address any of the specific security requirements of the following server roles or applications:
• Windows 2000 Domain Controller
• Microsoft Exchange 5.5 or Microsoft Exchange 2000 Outlook Web Access
• Microsoft Small Business Server 2000
• Microsoft SharePoint Portal or Team Services
• Microsoft Commerce Server 2000 or Microsoft Commerce Server 2002
• Microsoft BizTalk Server 2000 or Microsoft BizTalk Server 2002
• Microsoft Content Management Server 2000 or Microsoft Content Management Server 2002
• Microsoft Application Center 2000
Review server and application documentation for specific security requirements. Links to related Knowledge Base articles are provided in the "References" section.
Before you apply the permissions in this article, we recommend that you run the most current version of the IIS Lockdown Tool. For additional information about this tool, visit the following Microsoft Web site:
The following programs and services were installed as part of the test suite that was used to test server security after granting the permissions outlined in this article:
Grant ownership and permission to the administrator and to the system
To assign permissions to the system:
1. Open Windows Explorer. To do this, click Start, click Programs, and then click Windows Explorer.
2. Expand My Computer.
3. Right-click the system drive (this is typically drive C), and then click Properties.
4. Click the Security tab, and then click Advanced to open the Access Control Settings for Local Disk dialog box.
5. Click the Owner tab, click to select the Replace Owner on Sub containers and Objects check box, and then click Apply.
   If you receive the following error message, click Continue:
   An error has occurred applying security information to %systemdrive%\Pagefile.sys
6. If you receive the following error message, click Yes:
   You do not have permission to read the contents of directory %systemdrive%\System Volume Information - Do you want to replace the directory permission - All permission will be replaced granting you Full Control
7. Click OK to close the dialog box.
8. Click Add.
9. Add the following users, and then grant them the Full Control NTFS permission:
   • Administrator
   • System
   • Creator Owner
10. After you have added these NTFS permissions, click Advanced, click to select the Reset permission on all child objects and enable propagation of inheritable permissions check box, and then click Apply.
11. If you receive the following error message, click Continue:
   An error has occurred applying security information to %systemdrive%\Pagefile.sys
12. After you have reset NTFS permissions, click OK.
13. Click the Everyone group, click Remove, and then click OK.
14. Open the properties for the %systemdrive%\Program Files\Common Files folder, and then click the Security tab. Add the account that is used for anonymous access. By default, this is the IUSR_<MachineName> account. Then, add the Users group. Make sure that only the following are selected:
   • Read & Execute
   • List Folder Contents
   • Read
15. Open the properties for the root directory that holds your Web content. By default, this is the %systemdrive%\Inetpub\Wwwroot folder. Click the Security tab, add the IUSR_<MachineName> account and the Users group, and then make sure that only the following are selected:
   • Read & Execute
   • List Folder Contents
   • Read
16. If you want to grant Write NTFS permission for Inetpub\FTProot or the directory path for your FTP site or sites, repeat step 15.
Note We do not recommend that you grant the NTFS Write permission to the anonymous account in any directory, including the directories that the FTP service uses. This can cause unnecessary data to be uploaded to your Web server.
Disable inheritance in system directories
1. In the %systemroot%\System32 folder, select all folders except the following:
   • Inetsrv
   • Certsrv (if present)
   • COM
2. Right-click the remaining folders, click Properties, and then click the Security tab.
3. Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.
4. In the %systemroot% folder, select all folders except the following:
   • Assembly (if present)
   • Downloaded Program Files
   • Help
   • Microsoft.NET (if present)
   • Offline Web Pages
   • System32
   • Tasks
   • Temp
   • Web
5. Right-click the remaining folders, click Properties, and then click the Security tab.
6. Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.
7. Apply permissions to the following:
   a. Open the properties for the %systemroot% folder, click the Security tab, add the IUSR_<MachineName> and IWAM_<MachineName> accounts and the Users group, and then make sure that only the following are selected:
      • Read & Execute
      • List Folder Contents
      • Read
   b. Open the properties for the %systemroot%\Temp folder, select the IUSR_<MachineName> account (this account is already present because it inherits from the Winnt folder), and then click to select the Modify check box. Repeat this step for the IWAM_<MachineName> account and the Users group.
   c. If FrontPage Server Extensions clients such as FrontPage or Microsoft Visual InterDev are being used, open the properties for the %systemdrive%\Inetpub\Wwwroot folder, select the Authenticated Users group, select the following, and then click OK:
The following table lists the permissions that will be applied when you follow the steps in the "Disable inheritance in system directories" section. This table is for reference only.
To apply the permissions in the following table:
1. Open Windows Explorer. To do this, click Start, click Programs, click Accessories, and then click Windows Explorer.
2. Expand My Computer.
3. Right-click %systemroot%, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Double-click Permission, and then select the appropriate setting from the Apply Onto list.
Note In the "Apply To" column, the term Default refers to "This folder, subfolders, and files."
Directory | Users\Groups | Permissions | Apply To
%systemroot%\ (c:\winnt) | Administrator | Full Control | Default
%systemroot%\ (c:\winnt) | System | Full Control | Default
%systemroot%\ (c:\winnt) | Users | Read, execute | Default
%systemroot%\system32 | Administrators | Full Control | Default
%systemroot%\system32 | System | Full Control | Default
%systemroot%\system32 | Users | Read, execute | Default
%systemroot%\system32\inetsrv | Administrators | Full Control | Default
%systemroot%\system32\inetsrv | System | Full Control | Default
%systemroot%\system32\inetsrv | Users | Read, execute | Default
Inetpub\adminscripts | Administrators | Full Control | Default
Inetpub\urlscan (if present) | Administrators | Full Control | Default
Inetpub\urlscan (if present) | System | Full Control | Default
%systemroot%\system32\inetsrv\metaback | Administrators | Full Control | Default
%systemroot%\system32\inetsrv\metaback | System | Full Control | Default
%systemroot%\help\iishelp\common | Administrators | Full Control | This folder and files
%systemroot%\help\iishelp\common | System | Full Control | This folder and files
%systemroot%\help\iishelp\common | IWAM_<MachineName> | Read, execute | This folder and files
%systemroot%\help\iishelp\common | Network | Full Control | This folder and files
%systemroot%\help\iishelp\common | Service | | This folder and files
%systemroot%\help\iishelp\common | Users | Read, execute | This folder and files
Inetpub\wwwroot (or content directories) | Administrators | Full Control | This folder and files
Inetpub\wwwroot (or content directories) | System | Full Control | This folder and files
Inetpub\wwwroot (or content directories) | IWAM_<MachineName> | Read, execute | This folder and files
Inetpub\wwwroot (or content directories) | Service | Read, execute | This folder and files
Inetpub\wwwroot (or content directories) | Network | Read, execute | This folder and files
Inetpub\wwwroot (or content directories) | Users (optional**) | Read, execute | This folder and files
** If you are using FrontPage Server Extensions, the Authenticated Users group or the Users group must have the Change NTFS permission to create, rename, and write files, and to provide the functionality that a developer needs from a FrontPage-type client, such as Visual InterDev 6.0 or FrontPage 2002.
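As an added audit check (not code from this article), the following script parses a cacls-style ACL dump of the Web content directory and reports deviations from the baseline in steps 13 to 15 and the Inetpub\wwwroot rows of the table: anonymous or Web accounts with write-capable rights, Everyone still present, or Administrators and System without Full Control. The dump, the machine name WEBSRV, and a path without spaces are assumptions.

```python
"""Audit a cacls-style ACL dump of a Web content directory against the
wwwroot baseline above: Administrators/SYSTEM Full Control; IUSR_, IWAM_ and
Users Read & Execute only; Everyone removed (step 13 of the first procedure)."""
import re

# cacls prints one ACE per line as '<account>:(flags)<right>'; the right
# letter is N, R, W, C or F, and the first line also begins with the path.
ACE_RE = re.compile(r"^(?P<account>[^:]+?):(?:\([A-Z]+\))*(?P<right>[NRWCF])$")
WRITE_CAPABLE = {"W", "C", "F"}   # anything above Read lets the account write

def parse_cacls(text):
    """Return (path, {account: right}); assumes a path without spaces."""
    path, aces = None, {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if path is None:                 # first line: '<path> <first ACE>'
            path, line = line.split(" ", 1)
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised cacls line: {line!r}")
        aces[m["account"]] = m["right"]
    return path, aces

def audit_content_dir(text):
    """Return the deviations from the baseline (empty list means compliant)."""
    path, aces = parse_cacls(text)
    # Strip the BUILTIN\, NT AUTHORITY\ or <machine>\ prefix for matching.
    by_name = {acct.rsplit("\\", 1)[-1]: right for acct, right in aces.items()}
    findings = []
    if "Everyone" in by_name:
        findings.append(f"{path}: Everyone still has an ACE; step 13 removes it")
    for name, right in by_name.items():
        web = name == "Users" or name.startswith(("IUSR_", "IWAM_"))
        if web and right in WRITE_CAPABLE:
            findings.append(f"{path}: {name} has '{right}', expected Read & Execute only")
    for required in ("Administrators", "SYSTEM"):
        if by_name.get(required) != "F":
            findings.append(f"{path}: {required} must have Full Control")
    return findings

# Constructed dump (assumed machine name WEBSRV) with two deviations:
# IUSR_WEBSRV holds Change (C) and Everyone is still present.
SAMPLE = """\
C:\\Inetpub\\wwwroot BUILTIN\\Administrators:(OI)(CI)F
                   NT AUTHORITY\\SYSTEM:(OI)(CI)F
                   WEBSRV\\IUSR_WEBSRV:(OI)(CI)C
                   WEBSRV\\IWAM_WEBSRV:(OI)(CI)R
                   BUILTIN\\Users:(OI)(CI)R
                   Everyone:(OI)(CI)F
"""
```

Run `audit_content_dir(SAMPLE)` to list the two deviations; an empty list means the directory matches the baseline.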
The following table lists the permissions that will be applied when you follow the steps in the "Grant permissions in the registry" section. This table is for reference only.
Note The acronym HKLM stands for HKEY_LOCAL_MACHINE.
1. Click Start, click Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Local Security Policy.
3. In the Local Security Settings dialog box, expand Local Policies, and then click User Rights Assignment.
4. Modify the appropriate policy:
   a. Double-click the policy.
   b. Select and then click Remove for any user who is not listed in the table.
   c. Add any user who is listed in the table but is not present. To do this, click Add, and then select the user in the Select Users or Groups dialog box.
Note Because a domain controller policy overrides the local policy, you must make sure that Effective Policy Setting matches Local Policy Setting.
REFERENCES
For more information about the services that you must have for IIS 4.0, click the following article number to view the article in the Microsoft Knowledge Base:
189271 (http://support.microsoft.com/kb/189271/) List of services that are needed to run a security-enhanced IIS computer
For more information about how to restore default NTFS permissions for Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:
266118 (http://support.microsoft.com/kb/266118/) How to restore the default NTFS permissions for Windows 2000
260985 (http://support.microsoft.com/kb/260985/) Minimum NTFS permissions required to use CDONTS
324068 (http://support.microsoft.com/kb/324068/) How to set IIS permissions for specific objects
815153 (http://support.microsoft.com/kb/815153/) How to configure NTFS file permissions for security of ASP.NET applications