HOW TO: Set IIS Permissions for Specific Objects


This article describes how to migrate UNIX permissions to the IIS permission system and how to set IIS permissions for a Web site, a folder, or a file.

Translating UNIX/Apache Permissions to IIS

When you use Apache, the underlying permissions of the UNIX file system and the owner or group that the Apache server is being run under affect the objects that you can access and the scripts that you can run. However, when you use Windows, Internet Information Services (IIS) can access any file in the tree of the home folder for a configured Web site (in this respect, it operates as an Administrator account). The underlying Windows permissions for a folder or file are ignored. Instead, a separate mechanism in IIS allows you to control and limit the types of access that the client computer has to specific objects.

The Read permission in IIS is similar to the Read permission bit for files in Apache/UNIX. The Write permission in IIS is used only when you are using Active Server Pages (ASP) scripts or Web Distributed Authoring and Versioning (WebDAV) to provide update functionality for a file; therefore, this permission is similar to the Write permission in Apache/UNIX for WebDAV only. The Execute permission in UNIX that is combined with the AddHandler directive indicates to Apache that a particular file is a script that should be run and not returned as a raw file. In IIS, Execute permissions are granted on a Web site basis or a folder basis only; you cannot enable or disable individual files as scripts in this way. However, the extension/handler combination does apply. You grant Execute permissions for a folder, and then associate an extension with a specific scripting engine.

This behavior has limitations. For example, you cannot use a blanket .cgi file name extension and rely on the UNIX header line to select the corresponding scripting language. This limitation may cause problems during migration. In this situation, you can associate the .pl file name extension with Perl scripts and the .py file name extension with Python scripts.
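The audit below is an added example, not part of the original article or any Microsoft tool: it reads the UNIX header line of each .cgi file in a copied Apache tree, proposes the .pl or .py name described above, and lists the folders that would need Scripts Only. The function names, sample paths and file contents are constructed assumptions.

```python
import os
import tempfile

# Header-line interpreter -> extension to associate in IIS (the article's two).
EXT_FOR = {"perl": ".pl", "python": ".py"}

# Constructed sample tree (relative path -> file content), not real site data.
SAMPLE = {
    "cgi-bin/form.cgi": "#!/usr/bin/perl -w\nprint 1;\n",
    "cgi-bin/stats.cgi": "#!/usr/bin/env python3\nprint(1)\n",
    "cgi-bin/old/run.cgi": "#!/bin/sh\necho hi\n",
    "docs/index.html": "<html></html>\n",
}

def interpreter(first_line):
    """Return the interpreter named by a '#!' header line, or None."""
    parts = first_line[2:].split() if first_line.startswith("#!") else []
    if not parts:
        return None
    name = os.path.basename(parts[0])
    if name == "env" and len(parts) > 1:      # '#!/usr/bin/env perl'
        name = os.path.basename(parts[1])
    return name.rstrip("0123456789.")         # 'python3.11' -> 'python'

def plan(root):
    """Return (renames, unresolved, script_folders) for .cgi files under root."""
    renames, unresolved, folders = {}, [], set()
    for dirpath, _dirs, files in os.walk(root):
        for fn in (f for f in files if f.endswith(".cgi")):
            rel = os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")
            with open(os.path.join(root, rel), errors="replace") as fh:
                lang = interpreter(fh.readline())
            if lang in EXT_FOR:
                renames[rel] = rel[:-4] + EXT_FOR[lang]
                folders.add(os.path.dirname(rel))  # folder needs Scripts Only
            else:
                unresolved.append(rel)             # no mapping: review by hand
    return renames, sorted(unresolved), sorted(folders)

def build_sample(root):
    for rel, text in SAMPLE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(plan(d))
```

Files reported as unresolved name an interpreter for which the article gives no extension, so they need a manual decision before migration. Folders that do not appear in the third list contain no mapped scripts and can keep Execute permissions set to None.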

Setting IIS Permissions for an Object

You can set permissions for any object in IIS, including Web sites, folders, files, and scripts. To set the permissions for an object in IIS:
  1. Log on to the Web server computer as an administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Administrative Tools, and then double-click Internet Services Manager.
  4. Right-click the Web site that you want to configure in the left pane, and then click Properties.
  5. If you want to set the permissions for a Web site's home folder, click the Home Directory tab.
  6. If you want to set the permissions for a folder in a Web site, click the Directory tab.
  7. If you want to set the permissions for a file or a script in a folder, click the File tab.
  8. Click the corresponding permissions that you want to set for the object.
  9. To turn on script processing for a Web site or folder, click Scripts Only from the Execute permissions list.

    To turn off script processing, click None.
  10. Click OK.


For additional information about securing IIS for a migration from UNIX to Windows, click the article number below to view the article in the Microsoft Knowledge Base:

324216 HOW TO: Secure IIS in a UNIX-to-Windows Migration