How to configure Web server permissions for Web content in IIS

This step-by-step article describes how to grant Web server permissions for Web content using Internet Information Services (IIS) 5.0.

You can grant Web server permissions for specific Web sites, folders, and files on your server. Unlike the NTFS file system permissions that apply only to either a specific user or a group of users that have a valid Windows account, Web server permissions apply to all users that access your Web site regardless of their specific access rights.

Web access permissions use the IUSR_computername account by default. When you install IIS, the IUSER_computername account is created and used as the default anonymous user account. When you enable anonymous access, IIS uses the IUSER_computername account to log on all users who access your site.

The IUSR_computername account is granted NTFS permissions for the folders that make up the Web sites on your server. However, you can change the permissions for any folder or file in your site. For example, you can use Web server permissions to control whether visitors to your Web site are allowed to view a particular Web page, upload information, or run scripts.

When you configure both Web server permissions and Windows NTFS permissions, you can control how users access your Web content on multiple levels, from the entire Web site to individual files.

You can assign strong NTFS permissions for your resources. The NTFS file system is more secure than the FAT or FAT32 file system. You can also assign the most restrictive Web permissions possible. For example, if the Web site is used only for viewing information, assign only Read permissions. If a directory or site contains applications, assign Scripts only permissions instead of Scripts and Executables permissions. Do not assign Write and Script source access permissions or Scripts and Executables permissions. Use this combination with extreme caution. It could allow a user to upload potentially harmful executable files to the server and run them.

How to grant Web server permissions for Web content

1. Start Internet Services Manager. Alternatively, start the IIS snap-in.
2. Click to expand * server name, where server name is the name of the server.
3. Right-click either the Web site, the virtual directory, the folder, or the file for which you want to grant permissions, and then click Properties.
4. Click one of the following tabs that is appropriate to your situation:
   • Home Directory
   • Virtual Directory
   • Directory
   • File
   
   
5. Either click to select or click to clear any of the following check boxes (if present) that are appropriate for the level of Web permissions that you want to grant:
   • Script Source Access: Grant this permission to allow users to access source code. Script Source Access includes source code for scripts, such as scripts in Active Sever Pages (ASP) programs. Note that this permission is only available if you grant either the Read or the Write permissions.
     
     NOTE: When you click Script Source Access, users may be able to view sensitive information, such as a user name and a password, from scripts in an ASP program. They are also able to change source code that runs on your server, which can seriously affect the security and the performance of your server. It is recommended that you handle access to this type of information and to these functions using individual Windows accounts and higher-level authentication, such as integrated Windows authentication.
   • Read: Grant this permission to allow users to either view or download files or folders and their associated properties. Read permissions are selected by default.
   • Write: Grant this permission to allow users either to upload files and their associated properties to the enabled folder on your server or to change the content or properties of a write-enabled file.
   • Directory browsing: Grant this permission to allow users to view a hypertext listing of the files and the subfolders in the virtual directory. Note that virtual directories are not displayed in folder listings; users must know a virtual directory's alias.
     
     NOTE: An "Access Forbidden" error message is displayed by your Web server in a user's Web browser if the user attempts to access either a file or folder on your server and both of the following conditions are true:
     • Directory browsing is disabled.
       
       -and-
     • The user does not specify a file name such as Filename.htm in the Address box.
   • Log visits: Grant this permission to log visits to this folder in a log file. A log entry is recorded only if logging is enabled for the Web site.
   • Index this resource: Grant this permission to allow Microsoft Indexing Service to include this folder in a full-text index of the Web site. When you grant this permission, users can perform queries on this resource.
6. In the Execute Permissions box, chose a setting to determine how you want scripts to be run on the site. The following settings are available:
   • None: Click this setting if you do not want users to run scripts or executable programs on the server. When you use this setting, users can gain access only to static files such as Hypertext Markup Language (HTML) and image files.
   • Scripts only: Click this setting to run scripts such as ASP programs on the server.
   • Scripts and Executables: Click this setting to run both scripts such as ASP programs and executable programs on the server.
7. Click OK, and then quit Internet Services Manager or quit the IIS snap-in.

NOTES:

• When you try to change security properties for a Web site or virtual directory, IIS checks the existing settings on the child nodes (virtual directories and files) that are contained within that Web site or virtual directory. If the permissions that are set at the lower levels are different, IIS displays an Inheritance Overrides dialog box. To specify which child nodes should inherit the permissions that you set at the higher level, click the node or nodes in the Child Nodes list, and then click OK. The child node inherits the new permissions settings.
• If Web permissions and NTFS permissions differ for either a folder or a file, the more restrictive of the two settings is used. For example, if you grant Write permissions to a folder in IIS, and grant Read permissions to a particular user group in NTFS, those users cannot write files to the folder because Read permissions are more restrictive.
• If you disable Web server permissions (for example, Read permissions) on a resource, all users are restricted from viewing that resource, regardless of the NTFS permissions that are applied to those users' accounts. If you enable Web server permissions (for example, Read permissions) on a resource, all users can view that resource unless NTFS permissions that restrict access to it are also applied.

For more information about how to grant Web server and NTFS permissions for Web content, refer to the "Access Control" topic in the "Security" section of the IIS 5.0 Online Documentation. To view the documentation, start Microsoft Internet Explorer, and then type the following address in the Address bar: For more information about how to control access to Web content, click the following article numbers to view the articles in the Microsoft Knowledge Base: For more information about IIS security, click the following article numbers to view the articles in the Microsoft Knowledge Base: