Description of default permissions and user rights for IIS 7.0, IIS 7.5, and IIS 8.0

Article ID: 981949

INTRODUCTION

This article describes the default permissions and user rights that are set on certain folders and files. These folders and files are installed together with Internet Information Services (IIS) 7.0 in Windows Server 2008 and Windows Vista, together with IIS 7.5 in Windows Server 2008 R2 and Windows 7, and together with IIS 8.0 in Windows Server 2012 and Windows 8.

More information

Changes in permissions between IIS 6.0 and IIS 7.0/7.5

In IIS 6.0, a local account (IUSR_MachineName) is created when IIS is installed. The IUSR_MachineName account is the default identity that is used by IIS when Anonymous authentication is enabled. Anonymous authentication is used by both the FTP service and the HTTP service. IIS 6.0 also contains a group that is named IIS_WPG. The IIS_WPG group is used as a container for all application pool identities.

In IIS 7.0, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. The IUSR_MachineName account is created and used only when the FTP 6 server that is included on the Windows Server 2008 DVD is installed. If the FTP 6 server is not installed, the account is not created.

Beginning in IIS 7.5, a new security feature is added that is called Application Pool Identities. This feature lets you run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

For more information about IIS 7.0 accounts and groups, go to the following website:
Understanding built-in user and group accounts in IIS 7

For more information about Application Pool Identities, go to the following website:
Application Pool Identities

Default NTFS file system permissions

The tables in this section list the default NTFS permissions that are assigned to certain folders and files. These folders and files are installed together with IIS 7.0, IIS 7.5, and IIS 8.0.

\inetpub

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read & execute, List folder contents, Read |  |
| TrustedInstaller | Full control |  |

\inetpub\AdminScripts

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read & execute, List folder contents, Read |  |
| TrustedInstaller | Full control |  |

\inetpub\AdminScripts\0409

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub\AdminScripts\. |
| SYSTEM | Full control | Inherited from \inetpub\AdminScripts\. |
| Administrators | Full control | Inherited from \inetpub\AdminScripts\. |
| Users | Read & execute, List folder contents, Read | Inherited from \inetpub\AdminScripts\. |
| TrustedInstaller | Full control | Inherited from \inetpub\AdminScripts\. |

\inetpub\custerr

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control, Special permissions | Full control is inherited from \inetpub. Special permissions are equivalent to Full control. Applies to this folder only. |
| Administrators | Full control, Special permissions | Full control is inherited from \inetpub. Equivalent to Full control. Applies to this folder only. |
| Users | Read & execute, List folder contents, Read, Special permissions | Permissions are inherited from \inetpub except for special permissions. Special permissions apply to this folder only, and include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Read permissions. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\custerr\en-us

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute, List folder contents, Read | Inherited from \inetpub. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\ftproot

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute, List folder contents, Read | Inherited from \inetpub. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\history and subfolders

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| SYSTEM | Full control |  |
| Administrators | Full control |  |

\inetpub\logs

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute, List folder contents, Read | Inherited from \inetpub. |
| WMSvc | List folder contents |  |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\logs\FailedReqLogFiles

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| IIS_IUSRS | Special permissions | Special permissions include the following: List folder / read data; Create files / write data; Create folders / append data; Write attributes; Write extended attributes; Delete subfolders and files; Delete. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |

\inetpub\logs\wmsvc

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute, List folder contents, Read | Inherited from \inetpub. |
| WMSvc | Modify, Read & execute, List folder contents, Read, Write | List folder contents permission is inherited from \inetpub\logs. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\temp

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute, List folder contents, Read | Inherited from \inetpub. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\temp\appPools

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| IIS_IUSRS | Read & execute | Inherited from \inetpub. |

\inetpub\temp\ASP Compiled Templates

By default, no permissions are assigned to this folder.

\inetpub\temp\IIS Temporary Compressed Files

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| IIS_IUSRS | Full control |  |

\inetpub\wwwroot

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute, List folder contents, Read | Inherited from \inetpub. |
| IIS_IUSRS | Read & execute |  |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\wwwroot\aspnet_client

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| Everyone | Read |  |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read & execute, List folder contents, Read |  |

%windir%\system32\inetsrv

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
| Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
| Users | Read & execute, List folder contents, Read |  |
| TrustedInstaller | Special permissions | Permissions are equivalent to Full control, and apply to this folder and subfolders. |

%windir%\System32\inetsrv\0409

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from %windir%\System32\inetsrv. |
| SYSTEM | Full control | Inherited from %windir%\System32\inetsrv. |
| Administrators | Full control | Inherited from %windir%\System32\inetsrv. |
| Users | Read & execute, List folder contents, Read | Inherited from %windir%\System32\inetsrv. |
| TrustedInstaller | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from %windir%\System32\inetsrv. |

%windir%\System32\inetsrv\config

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read & execute, List folder contents, Read |  |
| TrustedInstaller | Full control |  |
| WMSvc | Read |  |

%windir%\System32\inetsrv\config\Export

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| TrustedInstaller | Full control |  |

%windir%\System32\inetsrv\config\schema

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
| Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
| Users | Read & execute, List folder contents, Read |  |
| TrustedInstaller | Special permissions | Equivalent to Full control. Applies to this folder and subfolders. |

%windir%\System32\inetsrv\en-us

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
| Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
| Users | Read & execute, List folder contents, Read |  |
| TrustedInstaller | List folder contents, Special permissions | Equivalent to Full control. Applies to this folder and subfolders. |

%windir%\System32\inetsrv\History

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| Administrators | Full control |  |
| SYSTEM | Full control |  |

%windir%\System32\inetsrv\MetaBack

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| Administrators | Full control |  |
| SYSTEM | Full control |  |
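
The NTFS defaults above can serve as a baseline for spotting ACL drift on a server. The following PowerShell sketch is an added example, not code from Microsoft or from the original article: it encodes three of the tables (wwwroot, FailedReqLogFiles, and inetsrv\config) and reports any identity that holds more rights than its row allows. It assumes English account names, that \inetpub is on the system drive, and, as a simplification, it merges "this folder only" and inherit-only entries for the same identity.

```powershell
# Added example, not Microsoft's code. Baseline rows are copied from the tables in
# this article; account names assume an English-language Windows installation.
$full = 'FullControl'
$baseline = @{
    "$env:SystemDrive\inetpub\wwwroot" = @{
        'CREATOR OWNER' = $full; 'NT AUTHORITY\SYSTEM' = $full
        'BUILTIN\Administrators' = $full; 'NT SERVICE\TrustedInstaller' = $full
        'BUILTIN\Users' = 'ReadAndExecute'; 'BUILTIN\IIS_IUSRS' = 'ReadAndExecute'
    }
    "$env:SystemDrive\inetpub\logs\FailedReqLogFiles" = @{
        'NT AUTHORITY\SYSTEM' = $full; 'BUILTIN\Administrators' = $full
        'BUILTIN\IIS_IUSRS' = 'ReadData, Write, DeleteSubdirectoriesAndFiles, Delete'
    }
    "$env:windir\System32\inetsrv\config" = @{
        'CREATOR OWNER' = $full; 'NT AUTHORITY\SYSTEM' = $full
        'BUILTIN\Administrators' = $full; 'NT SERVICE\TrustedInstaller' = $full
        'BUILTIN\Users' = 'ReadAndExecute'; 'NT SERVICE\WMSvc' = 'Read'
    }
}

# Inherit-only ACEs (for example CREATOR OWNER) often carry GENERIC_* bits that
# Get-Acl shows as raw numbers. Map them to file rights so masks can be compared.
function ConvertTo-SpecificRights([int]$Mask) {
    $r = $Mask
    if ($Mask -band 0x10000000) { $r = $r -bor 0x1F01FF }  # GENERIC_ALL     -> FullControl
    if ($Mask -band 0x80000000) { $r = $r -bor 0x020089 }  # GENERIC_READ    -> Read
    if ($Mask -band 0x40000000) { $r = $r -bor 0x020116 }  # GENERIC_WRITE   -> Write, ReadPermissions
    if ($Mask -band 0x20000000) { $r = $r -bor 0x0200A0 }  # GENERIC_EXECUTE -> ExecuteFile, ReadAttributes, ReadPermissions
    $r -band 0x0F01FF                                      # drop generic bits and Synchronize
}

function Get-AclDrift([hashtable]$Baseline) {
    $fsr = [System.Security.AccessControl.FileSystemRights]
    foreach ($path in $Baseline.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }   # component not installed
        $allowed = $Baseline[$path]
        $rules = (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' }
        foreach ($group in $rules | Group-Object { $_.IdentityReference.Value }) {
            $actual = 0
            foreach ($rule in $group.Group) {
                $actual = $actual -bor (ConvertTo-SpecificRights $rule.FileSystemRights)
            }
            $expected = 0   # an identity with no baseline row is allowed nothing
            if ($allowed.ContainsKey($group.Name)) {
                $expected = ConvertTo-SpecificRights ($fsr::Parse($fsr, $allowed[$group.Name]))
            }
            $excess = $actual -band (-bnot $expected)
            if ($excess) {
                [pscustomobject]@{ Path = $path; Identity = $group.Name
                                   Excess = $fsr::ToObject($fsr, $excess) }
            }
        }
    }
}

Get-AclDrift $baseline | Format-Table -AutoSize -Wrap
```

Identities that are not in a table, such as an application pool identity that was granted access after installation, are reported with all of their rights as excess so that each one can be reviewed against the site's actual needs.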

Default registry permissions

The tables in this section list the default registry permissions that are assigned when IIS 7.0, IIS 7.5 or IIS 8.0 is installed. When Read permissions are listed for Users, the following permissions are included:
  • Query Value
  • Enumerate Subkeys
  • Notify
  • Read Control

HKEY_LOCAL_MACHINE\Software\Microsoft\Inetmgr

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\Software\Microsoft\W3SVC

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aspnet_state

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IISAdmin

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WAS

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

Note: The WAS key is for the Windows Process Activation Service. This is a required dependency and is installed together with IIS.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMsvc

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control |  |
| Administrators | Full control |  |
| Users | Read |  |

Default Windows user rights assignments

The table in this section lists the default Local Security policies together with the users, the groups, or the users and groups that are assigned to the policy when IIS 7.0, IIS 7.5 or IIS 8.0 is installed.

Windows user rights that are assigned by local security policy

| Allowed permissions | Users / groups |
| --- | --- |
| Access this computer from the network | Everyone, Administrators, Users, Backup operators |
| Adjust memory quotas for a process | LOCAL SERVICE, NETWORK SERVICE, Administrators, ApplicationPoolIdentity |
| Allow log on locally | Administrators, Users, Backup operators |
| Bypass traverse checking | Everyone, LOCAL SERVICE, NETWORK SERVICE, Administrators, Users, Backup operators |
| Generate security audit details | ApplicationPoolIdentity |
| Impersonate a client after authentication | LOCAL SERVICE, NETWORK SERVICE, Administrators, IIS_IUSRS, SERVICE |
| Log on as a batch job | Administrators, Backup operators, Performance log users, IIS_IUSRS |
| Log on as a service | ApplicationPoolIdentity |
| Replace a process level token | LOCAL SERVICE, NETWORK SERVICE, ApplicationPoolIdentity |
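
The token-related rows of this table can be checked against a server's effective local policy. The following PowerShell sketch is an added example, not code from Microsoft or from the original article: it exports the user rights with secedit and lists any holder of three rights that is not in the corresponding row. The privilege constant names, the well-known SIDs, and the S-1-5-82- prefix used to match application pool identities are supplied here and do not appear in the article; the temporary file name is arbitrary.

```powershell
# Added example, not Microsoft's code. Run from an elevated prompt.
# Rows from the table above, keyed by privilege constant and written as SIDs:
#   S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE, S-1-5-32-544 Administrators,
#   S-1-5-32-568 IIS_IUSRS, S-1-5-6 SERVICE, S-1-5-82-* application pool identities.
$baseline = @{
    # Impersonate a client after authentication
    SeImpersonatePrivilege        = 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-32-568', 'S-1-5-6'
    # Replace a process level token
    SeAssignPrimaryTokenPrivilege = 'S-1-5-19', 'S-1-5-20', 'S-1-5-82-'
    # Adjust memory quotas for a process
    SeIncreaseQuotaPrivilege      = 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-82-'
}

function Resolve-SidName([string]$Sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    }
    catch { $Sid }   # not a SID string, or not resolvable: report it as exported
}

function Find-ExtraRightHolder([string[]]$InfLines, [hashtable]$Baseline) {
    foreach ($line in $InfLines) {
        # Lines look like: SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,...
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $holders = $Matches[2]
        if (-not $Baseline.ContainsKey($right)) { continue }
        foreach ($holder in $holders -split ',') {
            $sid = $holder.Trim().TrimStart('*')
            if (-not $sid) { continue }
            $known = $false
            foreach ($entry in $Baseline[$right]) {
                # An entry ending in '-' is a prefix match (application pool identities).
                if ($sid -eq $entry -or ($entry.EndsWith('-') -and $sid.StartsWith($entry))) {
                    $known = $true
                }
            }
            if (-not $known) {
                [pscustomobject]@{ Right = $right; Holder = Resolve-SidName $sid }
            }
        }
    }
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Find-ExtraRightHolder (Get-Content -LiteralPath $cfg) $baseline
Remove-Item -LiteralPath $cfg
```

An empty result means that every holder of these three rights is listed in the table. Any account that is reported was granted the right by something other than the default IIS installation.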

Properties

Article ID: 981949 - Last Review: January 24, 2013 - Revision: 3.0
Applies to
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 7.5
  • Microsoft Internet Information Services 8.0