This article describes how Access Control Lists (ACLs) work in the Microsoft Internet Information Server (IIS) 4.0 or Microsoft Internet Information Services (IIS) 5.0 metabase. The metabase is not only protected by the operating system ACLs on the particular file (Metabase.bin), but the file also has ACL protection in the directory itself.
Note The Metabase.bin file is a fully compliant X.500 Lightweight Directory Access Protocol (LDAP) directory and is governed by permissions in a Parent\Child relationship. Therefore, ACLs are applied recursively up the directory until the root is reached.
This article also describes the role of ACLs in the IIS metabase, how to edit ACLs, and the default ACLs for IIS 4.0 and IIS 5.0.
Access Control Lists
Introduction
In the metabase, ACLs limit the access of certain user accounts to certain keys in the Metabase.bin directory. Two types of permissions are granted with ACLs:
- ACCESS_ALLOWED_ACE
- ACCESS_DENIED_ACE
Microsoft recommends that you only use ACCESS_ALLOWED_ACE because Microsoft does not extensively test ACCESS_DENIED_ACE.
Because all ACL information is stored in the metabase itself in the MD_ADMIN_ACL property, you can view the information with typical metabase viewing tools such as Adsutil and Mdutil.
Available rights
When you modify metabase ACLs, the following rights are available:
- MD_ACR_UNSECURE_PROPS_READ: Gives a user read-only access to any nonsecure property.
- MD_ACR_READ: Gives a user read rights to any secure or nonsecure property.
- MD_ACR_ENUM_KEYS: Gives a user the right to enumerate all names of any child nodes.
- MD_ACR_WRITE_DAC: Gives a user the right to write or create an AdminACL property at the corresponding node.
- MD_ACR_WRITE: Gives a user the right to modify (including add or set) properties except restricted properties. For more information, see the section about restricted properties by platform.
- MD_ACR_RESTRICTED_WRITE: Gives a user the right to modify any property that is currently set to Administrator only. This permission gives full control to that key to a user.
Editing ACLs
Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.
Note Always back up the metabase before you edit it.
To edit the ACLs, you use a utility that is named Metaacl.vbs.
For more information, see the following article in the Microsoft Knowledge Base:
267904 Metaacl.exe modifying metabase permissions for the IIS Admin Objects (http://support.microsoft.com/kb/267904/)
This example modifies the w3svc key to deny access for the administrators.
Warning Doing this on a production system can be extremely dangerous and cause IIS to fail to function as designed. This example only steps through the editing process for demonstration purposes.
- Copy the Metaacl.vbs file to the %systemdrive%\Inetpub\Adminscripts directory.
- Click Start, click Run, type CMD, and then click Run to open a command prompt.
- At the prompt, run the following command to change to the Adminscripts directory:
c:\>cd Inetpub\Adminscripts
- To modify the parameters located at IIS://LOCALHOST/W3SVC, run the following command:
c:\Inetpub\Adminscripts>cscript metaacl.vbs IIS://LOCALHOST/W3SVC mydomain\mydomainaccount RW
You receive the following response:
ACE for mydomain\mydomainaccount added.
You can use Metaacl.vbs to add the following rights for any user:
- R - Read
- W - Write
- S - Restricted Write
- U - Unsecure Properties Read
- E - Enumerate Keys
- D - Write DACL (permissions)
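As an added illustration (not Microsoft's code and not part of this article), the following Python models two things described above: the parent/child lookup by which a key without its own MD_ADMIN_ACL takes the nearest ancestor's, and the R/W/S/U/E/D letters that Metaacl.vbs uses for the MD_ACR_* rights. The sample ACL table is constructed from the IIS 6.0 defaults listed later in this article; the key paths and helper function names are assumptions made for the model.

```python
"""Model of metabase MD_ADMIN_ACL inheritance plus a decoder and audit for the
R/W/S/U/E/D right letters used by Metaacl.vbs. Added example, not Microsoft
tooling; the sample ACLs are constructed from the IIS 6.0 defaults."""

# Letter -> metabase right, as Metaacl.vbs names them.
RIGHTS = {
    "R": "MD_ACR_READ",
    "W": "MD_ACR_WRITE",
    "S": "MD_ACR_RESTRICTED_WRITE",
    "U": "MD_ACR_UNSECURE_PROPS_READ",
    "E": "MD_ACR_ENUM_KEYS",
    "D": "MD_ACR_WRITE_DAC",
}
# Rights that let a principal change metabase properties or the ACL itself.
WRITE_LIKE = {"W", "S", "D"}

# Constructed sample: key path -> {principal: right letters}. Keys without an
# entry carry no ACL of their own and inherit from the nearest ancestor.
SAMPLE_ACLS = {
    "LM/W3SVC": {
        "NT AUTHORITY\\NETWORK SERVICE": "RUE",
        "BUILTIN\\Administrators": "RWSUED",
    },
    "LM/W3SVC/Filters": {
        "NT AUTHORITY\\NETWORK SERVICE": "RWUE",
        "BUILTIN\\Administrators": "RWSUED",
    },
}

def decode(letters):
    """Expand Metaacl letters (column spaces ignored) into MD_ACR_* names."""
    return [RIGHTS[c] for c in letters.replace(" ", "")]

def effective_acl(acls, key):
    """Walk from key toward the root and return (source key, ACL) for the
    nearest node that carries an MD_ADMIN_ACL; (None, {}) if none is set."""
    parts = key.split("/")
    while parts:
        candidate = "/".join(parts)
        if candidate in acls:
            return candidate, acls[candidate]
        parts.pop()
    return None, {}

def audit(acls, key):
    """List principals other than BUILTIN\\Administrators that hold any
    write-like right (W, S or D) under the ACL in force for key."""
    _source, acl = effective_acl(acls, key)
    return [(p, sorted(set(r) & WRITE_LIKE)) for p, r in acl.items()
            if p != "BUILTIN\\Administrators" and set(r) & WRITE_LIKE]
```

Comparing the audit output for each service key against the default listings in this article shows which grants were added after installation.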
ACLs by server platform
IIS 4.0
- Default ACLs
The following list describes the default ACLs that are put in the Metabase.bin directory when IIS 4.0 is installed:
LM
  W3SVC
    BUILTIN\Administrators    Access: RWSUED
    Everyone                  Access: E
  MSFTPSVC
    BUILTIN\Administrators    Access: RWSUED
    Everyone                  Access: E
  SMTPSVC
    BUILTIN\Administrators    Access: RWSUED
    Everyone                  Access: E
  NNTPSVC
    BUILTIN\Administrators    Access: RWSUED
    Everyone                  Access: E
- Restricted ACLs
The following list describes the metabase key properties that are marked as restricted on default installations of IIS 4.0:
MD_ADMIN_ACL
MD_APP_ISOLATED
MD_VR_PATH
MD_ACCESS_PERM
MD_ANONYMOUS_USER_NAME
MD_ANONYMOUS_PWD
MD_MAX_BANDWIDTH
MD_MAX_BANDWIDTH_BLOCKED
MD_ISM_ACCESS_CHECK
MD_FILTER_LOAD_ORDER
MD_FILTER_STATE
MD_FILTER_ENABLED
MD_FILTER_DESCRIPTION
MD_FILTER_FLAGS
MD_FILTER_IMAGE_PATH
MD_SECURE_BINDINGS
MD_SERVER_BINDINGS
IIS 5.0
- Default ACLs
The following list describes the default ACLs that are put in the Metabase.bin directory when IIS 5.0 is installed:
LM
  W3SVC
    BUILTIN\Administrators            Access: RWSUED
    Everyone                          Access: E
    {IISMachineName}\VS Developers    Access: RWSUE
  MSFTPSVC
    BUILTIN\Administrators            Access: RWSUED
    Everyone                          Access: E
  SMTPSVC
    BUILTIN\Administrators            Access: RWSUED
    Everyone                          Access: E
  NNTPSVC
    BUILTIN\Administrators            Access: RWSUED
    Everyone                          Access: E
- Restricted ACLs
The following list describes the metabase key properties that are marked as restricted on default installations of IIS 5.0:
MD_ADMIN_ACL
MD_APP_ISOLATED
MD_VR_PATH
MD_ACCESS_PERM
MD_ANONYMOUS_USER_NAME
MD_ANONYMOUS_PWD
MD_MAX_BANDWIDTH
MD_MAX_BANDWIDTH_BLOCKED
MD_ISM_ACCESS_CHECK
MD_FILTER_LOAD_ORDER
MD_FILTER_STATE
MD_FILTER_ENABLED
MD_FILTER_DESCRIPTION
MD_FILTER_FLAGS
MD_FILTER_IMAGE_PATH
MD_SECURE_BINDINGS
MD_SERVER_BINDINGS
IIS 6.0
- Default ACLs
The following list describes the default ACLs that are put in the Metabase.xml directory when IIS 6.0 is installed:
LM
  W3SVC
    NT AUTHORITY\LOCAL SERVICE      Access: R UE
    NT AUTHORITY\NETWORK SERVICE    Access: R UE
    {computername}\IIS_WPG          Access: R UE
    BUILTIN\Administrators          Access: RWSUED
    {computername}\ASPNET           Access: R E
  W3SVC/Filters
    NT AUTHORITY\LOCAL SERVICE      Access: RW UE
    NT AUTHORITY\NETWORK SERVICE    Access: RW UE
    {computername}\IIS_WPG          Access: RW UE
    BUILTIN\Administrators          Access: RWSUED
  W3SVC/1/Filters
    NT AUTHORITY\LOCAL SERVICE      Access: RW UE
    NT AUTHORITY\NETWORK SERVICE    Access: RW UE
    {computername}\IIS_WPG          Access: RW UE
    BUILTIN\Administrators          Access: RWSUED
  W3SVC/AppPools
    NT AUTHORITY\LOCAL SERVICE      Access: U
    NT AUTHORITY\NETWORK SERVICE    Access: U
    {computername}\IIS_WPG          Access: U
    BUILTIN\Administrators          Access: RWSUED
  W3SVC/INFO
    BUILTIN\Administrators          Access: RWSUED
  MSFTPSVC
    BUILTIN\Administrators          Access: RWSUED
  SMTPSVC
    BUILTIN\Administrators          Access: RWSUED
    NT AUTHORITY\LOCAL SERVICE      Access: UE
    NT AUTHORITY\NETWORK SERVICE    Access: UE
  NNTPSVC
    BUILTIN\Administrators          Access: RWSUED
    NT AUTHORITY\LOCAL SERVICE      Access: UE
    NT AUTHORITY\NETWORK SERVICE    Access: UE
  Logging
    BUILTIN\Administrators          Access: RWSUED
- Restricted ACLs
The following list describes the metabase key properties that are marked as restricted on default installations of IIS 6.0:
MD_ADMIN_ACL
MD_VPROP_ADMIN_ACL_RAW_BINARY
MD_APPPOOL_ORPHAN_ACTION_EXE
MD_APPPOOL_ORPHAN_ACTION_PARAMS
MD_APPPOOL_AUTO_SHUTDOWN_EXE
MD_APPPOOL_AUTO_SHUTDOWN_PARAMS
MD_APPPOOL_IDENTITY_TYPE
MD_APP_APPPOOL_ID
MD_APP_ISOLATED
MD_VR_PATH
MD_ACCESS_PERM
MD_VR_USERNAME
MD_VR_PASSWORD
MD_ANONYMOUS_USER_NAME
MD_ANONYMOUS_PWD
MD_LOGSQL_USER_NAME
MD_LOGSQL_PASSWORD
MD_WAM_USER_NAME
MD_WAM_PWD
MD_AD_CONNECTIONS_USERNAME
MD_AD_CONNECTIONS_PASSWORD
MD_MAX_BANDWIDTH
MD_MAX_BANDWIDTH_BLOCKED
MD_ISM_ACCESS_CHECK
MD_FILTER_LOAD_ORDER
MD_FILTER_ENABLED
MD_FILTER_IMAGE_PATH
MD_SECURE_BINDINGS
MD_SERVER_BINDINGS
MD_ASP_ENABLECLIENTDEBUG
MD_ASP_ENABLESERVERDEBUG
MD_ASP_ENABLEPARENTPATHS
MD_ASP_ERRORSTONTLOG
MD_ASP_KEEPSESSIONIDSECURE
MD_ASP_LOGERRORREQUESTS
MD_ASP_DISKTEMPLATECACHEDIRECTORY
36948 RouteUserName
36949 RoutePassword
36958 SmtpDsPassword
41191 Pop3DsPassword
45461 FeedAccountName
45462 FeedPassword
49384 ImapDsPassword
For more information about ACLs and the IIS metabase, visit the following Microsoft Web sites: