This article describes how to configure user and group
access on an intranet in Windows Server 2003.
The World Wide
Web (WWW) and File Transfer Protocol (FTP) services that are included with
Microsoft Internet Information Services (IIS) are fully integrated with Windows Server 2003 user accounts and file access permissions.
to a resource (for example, a file or an HTML page) is performed by the service
on behalf of a Windows user. The service impersonates the user by supplying a
user name and password in the attempt to read or run the resource for the
To run a secure Web server, you must rigorously control
access to Web content. With Windows and IIS security features, you can
effectively control how users access Web content. NTFS files system permissions
control access to physical directories on the server, and Web permissions
control access to virtual directories on the Web site. You can configure Web
permissions for specific Web sites, folders, and files on your server. Unlike
NTFS permissions, which apply only to a specific user or group of users with a
valid Windows account, Web server permissions apply to all users who access
your Web site regardless of their specific access rights.
Web server permissions combined with Windows NTFS permissions, you can control
how users access your Web content on multiple levels, from the whole Web site
to individual files.
How to Set NTFS Permissions for a File or Folder
To set NTFS permissions for a file or folder:
Start Windows Explorer, and then locate the file or folder
that you want to set permissions for.
Right-click the file or folder, click Properties, and then click the Security tab.
To configure permissions for a new user or group, click Add. In the Select Users, Computers, or Groups
dialog box, type the name of the user or group that you want to set permissions
for, click Check Names to verify the name, and then click OK.
To permit or deny a permission in the Permissions
for User or Group list, click the user or
group in the Group or user names list, and then click to
select the Allow or Deny check box next to the permission that you want to permit or deny.
Or, to remove the group or user, click the user or group in the
Group or user names list, and then click Remove.
How to Set Permissions for Web Content
To set permissions for Web content:
Start IIS, or open the Microsoft Management Console (MMC)
that contains the IIS snap-in.
Expand ServerName, where ServerName is the name of the
server, and then expand Web Sites.
Right-click the Web site, virtual directory, directory, or
file that you want to set permissions for, and then click Properties.
Click the Home Directory, Virtual Directory, Directory, or File tab (as appropriate).
Click to select or click to clear any of the following
check boxes (if present), as appropriate to the level of Web permissions that
you want to set:
Script Source Access: To permit users to access source code, select this option.
Script Source Access includes source code for scripts, such as scripts in
Active Server Pages (ASP)-based programs. Note that this option is available
only if either Read or Write permissions are selected.
NOTE: When you select Script Source Access, users may be able to view sensitive information, such as a user
name and password, from scripts in an ASP program. They can also change source
code that runs on your server, which can seriously affect the security and
performance of your server. It is best to handle access to these types of
information and functions through individual Windows accounts and higher-level
authentication, such as integrated Windows authentication.
Read: To permit users to view or download files or folders and their
associated properties, select this option. The Read permissions option is
selected by default.
Write: To permit users to upload files and their associated properties
to the enabled folder on your server, or to change the content or properties of
a Write-enabled file, select this option.
Directory browsing: To permit users to
view a hypertext listing of the files and subfolders in this virtual directory,
select this option. Note that virtual directories do not appear in directory
listings; users must know the alias of a particular virtual directory.
NOTE: An "Access Forbidden" error message is displayed by your Web
server in a user's Web browser if the user tries to access a file or folder on
your server when both of the following conditions are true:
Directory browsing is disabled.
The user does not specify a file name, such as
Filename.htm in the Uniform Resource Locator
Log visits: To record visits to this
folder in a log file, select this option. A log entry is recorded only if
logging is enabled for the Web site.
Index this resource: To permit
Microsoft Indexing Service to include this folder in a full-text index of the
Web site, use this option. This permits users to perform queries on this
Click OK, and then quit IIS Manager, or close the IIS snap-in.
When you try to change security properties for a Web site
or virtual directory, IIS checks the existing settings on the child nodes (virtual directories and files) that are contained in that Web
site or virtual directory. If the permissions set at the lower levels are
different, IIS displays an Inheritance Overrides dialog box. To specify which child nodes should inherit the
permissions that you set at the higher level, click the node or nodes in the Child Nodes list, and then click OK. The child node or nodes inherit the new permissions
If Web permissions and NTFS permissions differ for a folder
or a file, the more restrictive of the two settings is used. For example, if
you assign a folder Write permissions in IIS, and you grant a particular user
group Read permissions in NTFS, those users cannot write files to the folder
because the Read permissions setting is more restrictive.
If you disable Web server permissions (for example, Read
permissions) on a resource, all users are restricted from viewing that
resource, regardless of the NTFS permissions setting that is applied to those
users' accounts. If you enable Web server permissions (for example, Read
permissions) on a resource, all users can view that resource, unless NTFS
permissions that restrict access to it are also applied.
How To Configure Security for
Files and Folders on a Network in Windows Server 2003
For additional information about access control in IIS, see
the "Access Control" section in IIS Help. To do this, start IIS Manager, or
open the MMC that contains the IIS snap-in. In the console tree, right-click Internet Information Services, and then click Help. Click the Contents tab, expand Internet Information Services, expand Server Administration Guide, expand Security, and then click Access Control.