ACLs and using MetaACL for metabase ACL permission changes

This article was previously published under Q326902
Important This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).
SUMMARY
This article describes how Access Control Lists (ACLs) work in the Microsoft Internet Information Server (IIS) 4.0 or Microsoft Internet Information Services (IIS) 5.0 metabase. The metabase is not only protected by the operating system ACLs on the particular file (Metabase.bin), but the file also has ACL protection in the directory itself.

Note The Metabase.bin file is a fully compliant X.500 Lightweight Directory Access Protocol (LDAP) directory and is governed by permissions in a Parent\Child relationship. Therefore, ACLs are applied recursively up the directory until the root is reached.

This article also describes the role of ACLs in the IIS metabase, how to edit ACLs, and the default ACLs for IIS 4.0 and IIS 5.0.
MORE INFORMATION

Access Control Lists

Introduction

In the metabase, ACLs limit the access of certain user accounts to certain keys in the Metabase.bin directory. Two types of permissions are granted with ACLs:
  • ACCESS_ALLOWED_ACE
  • ACCESS_DENIED_ACE
Microsoft recommends that you only use ACCESS_ALLOWED_ACE because Microsoft does not extensively test ACCESS_DENIED_ACE.

Because all ACL information is stored in the metabase itself in the MD_ADMIN_ACL property, you can view the information with typical metabase viewing tools such as Adsutil and Mdutil.

Available rights

When you modify metabase ACLs, the following rights are available:
  • MD_ACR_UNSECURE_PROPS_READ: Gives a user read-only access to any nonsecure property.
  • MD_ACR_READ: Gives a user read rights to any secure or nonsecure property.
  • MD_ACR_ENUM_KEYS: Gives a user the right to enumerate all names of any child nodes.
  • MD_ACR_WRITE_DAC: Gives a user the right to write or create an AdminACL property at the corresponding node.
  • MD_ACR_WRITE: Gives a user the right to modify (including add or set) properties except restricted properties. For more information, see the section about restricted properties by platform.
  • MD_ACR_RESTRICTED_WRITE: Gives a user the right to modify any property that is currently set to Administrator only. This permission gives full control to that key to a user.

Editing ACLs

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.

To edit the ACLs, you use a utility that is named Metaacl.vbs. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
267904 Metaacl.exe modifying metabase permissions for the IIS Admin Objects
This example modifies the w3svc key to deny access for the administrators.

Warning Doing this on a production system can be extremely dangerous and cause IIS to fail to function as designed. This example only steps through the editing process for demonstration purposes.
  1. Copy the Metaacl.vbs file to the %systemdrive%\Inetpub\Adminscripts directory.
  2. Click Start, click Run, type CMD, and then click Run to open a command prompt.
  3. At the prompt, run the following command to change to the Adminscripts directory:
    c:\>cd Inetpub\Adminscripts
  4. To modify the parameters located at IIS://LOCALHOST/W3SVC, run the following command:
    c:\Inetpub\Adminscripts>cscript metaacl.vbs IIS://LOCALHOST/W3SVC mydomain\mydomainaccount RW
    You receive the following response:
    ACE for mydomain\mydomainaccount added.
You can use Metaacl.vbs to add the following rights for any user:
  • R - Read
  • W - Write
  • S - Restricted Write
  • U - Unsecure Properties Read
  • E - Enumerate Keys
  • D - Write DACL (permissions)
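As an added example (not part of this article and not code from Metaacl.vbs), the following Python script parses a listing in the R/W/S/U/E/D "Access:" notation above, resolves the effective ACL of a child key by walking up the parent\child path as the Summary note describes, and flags ACEs that go beyond the default grants this article lists (Everyone holding only E, and only BUILTIN\Administrators holding S or D). The listing, the MYDOMAIN\webops account and the deviations in it are constructed.

```python
import re
# Constructed MetaACL-style listing (a key line, then indented "principal
# Access: letters" lines). Everyone's W and MYDOMAIN\webops are constructed.
SAMPLE_LISTING = """\
LM/W3SVC
    BUILTIN\\Administrators   Access: RWSUED
    Everyone                 Access:  W   E
LM/W3SVC/1
    MYDOMAIN\\webops          Access: RW  ED
LM/MSFTPSVC
    BUILTIN\\Administrators   Access: RWSUED
    Everyone                 Access:      E
"""
ACE_RE = re.compile(r"^\s+(\S+)\s+Access:\s*([RWSUED ]*)$")
def parse_listing(text):
    """Return {key: {principal: set of R/W/S/U/E/D letters}}."""
    acls, key = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():          # an unindented line names a key
            key = line.strip().upper()
            continue
        m = ACE_RE.match(line)
        if key is None or not m:
            raise ValueError(f"unparseable line: {line!r}")
        acls.setdefault(key, {})[m.group(1)] = set(m.group(2).replace(" ", ""))
    return acls

def effective_acl(acls, key):
    """Nearest explicit ACL walking up the parent\\child path to the root."""
    parts = key.upper().split("/")
    while parts:
        k = "/".join(parts)
        if k in acls:
            return k, acls[k]
        parts.pop()
    return None, {}

def audit(acls):
    """Flag ACEs beyond the defaults: Everyone only E; only Admins hold S or D."""
    findings = []
    for key, aces in acls.items():
        for principal, rights in aces.items():
            if principal == "BUILTIN\\Administrators":
                continue
            if principal == "Everyone" and rights - {"E"}:
                findings.append((key, principal, "Everyone beyond E"))
            if rights & {"S", "D"}:
                findings.append((key, principal, "holds S or D"))
    return findings
```

Run `audit(parse_listing(SAMPLE_LISTING))` to get the two constructed deviations; point `effective_acl` at a key such as `LM/W3SVC/1/ROOT` to see which ancestor's ACL governs it.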

ACLs by server platform

IIS 4.0

  • Default ACLs: The following list describes the default ACLs that are put in the Metabase.bin directory when IIS 4.0 is installed:
    LM
      W3SVC
        BUILTIN\Administrators    Access: RWSUED
        Everyone                  Access: E
      MSFTPSVC
        BUILTIN\Administrators    Access: RWSUED
        Everyone                  Access: E
      SMTPSVC
        BUILTIN\Administrators    Access: RWSUED
        Everyone                  Access: E
      NNTPSVC
        BUILTIN\Administrators    Access: RWSUED
        Everyone                  Access: E
  • Restricted ACLs: The following list describes the metabase key properties that are marked as restricted on default installations of IIS 4.0:
    MD_ADMIN_ACL
    MD_APP_ISOLATED
    MD_VR_PATH
    MD_ACCESS_PERM
    MD_ANONYMOUS_USER_NAME
    MD_ANONYMOUS_PWD
    MD_MAX_BANDWIDTH
    MD_MAX_BANDWIDTH_BLOCKED
    MD_ISM_ACCESS_CHECK
    MD_FILTER_LOAD_ORDER
    MD_FILTER_STATE
    MD_FILTER_ENABLED
    MD_FILTER_DESCRIPTION
    MD_FILTER_FLAGS
    MD_FILTER_IMAGE_PATH
    MD_SECURE_BINDINGS
    MD_SERVER_BINDINGS

IIS 5.0

  • Default ACLs: The following list describes the default ACLs that are put in the Metabase.bin directory when IIS 5.0 is installed:
    LM
      W3SVC
        BUILTIN\Administrators             Access: RWSUED
        Everyone                           Access: E
        {IISMachineName}\VS Developers     Access: RWSUE
      MSFTPSVC
        BUILTIN\Administrators             Access: RWSUED
        Everyone                           Access: E
      SMTPSVC
        BUILTIN\Administrators             Access: RWSUED
        Everyone                           Access: E
      NNTPSVC
        BUILTIN\Administrators             Access: RWSUED
        Everyone                           Access: E
  • Restricted ACLs: The following list describes the metabase key properties that are marked as restricted on default installations of IIS 5.0:
    MD_ADMIN_ACL
    MD_APP_ISOLATED
    MD_VR_PATH
    MD_ACCESS_PERM
    MD_ANONYMOUS_USER_NAME
    MD_ANONYMOUS_PWD
    MD_MAX_BANDWIDTH
    MD_MAX_BANDWIDTH_BLOCKED
    MD_ISM_ACCESS_CHECK
    MD_FILTER_LOAD_ORDER
    MD_FILTER_STATE
    MD_FILTER_ENABLED
    MD_FILTER_DESCRIPTION
    MD_FILTER_FLAGS
    MD_FILTER_IMAGE_PATH
    MD_SECURE_BINDINGS
    MD_SERVER_BINDINGS

IIS 6.0

  • Default ACLs: The following list describes the default ACLs that are put in the Metabase.xml directory when IIS 6.0 is installed:
    LM
      W3SVC
        NT AUTHORITY\LOCAL SERVICE       Access: RUE
        NT AUTHORITY\NETWORK SERVICE     Access: RUE
        {computername}\IIS_WPG           Access: RUE
        BUILTIN\Administrators           Access: RWSUED
        {computername}\ASPNET            Access: RE
      W3SVC/Filters
        NT AUTHORITY\LOCAL SERVICE       Access: RWUE
        NT AUTHORITY\NETWORK SERVICE     Access: RWUE
        {computername}\IIS_WPG           Access: RWUE
        BUILTIN\Administrators           Access: RWSUED
      W3SVC/1/Filters
        NT AUTHORITY\LOCAL SERVICE       Access: RWUE
        NT AUTHORITY\NETWORK SERVICE     Access: RWUE
        {computername}\IIS_WPG           Access: RWUE
        BUILTIN\Administrators           Access: RWSUED
      W3SVC/AppPools
        NT AUTHORITY\LOCAL SERVICE       Access: U
        NT AUTHORITY\NETWORK SERVICE     Access: U
        {computername}\IIS_WPG           Access: U
        BUILTIN\Administrators           Access: RWSUED
      W3SVC/INFO
        BUILTIN\Administrators           Access: RWSUED
      MSFTPSVC
        BUILTIN\Administrators           Access: RWSUED
      SMTPSVC
        BUILTIN\Administrators           Access: RWSUED
        NT AUTHORITY\LOCAL SERVICE       Access: UE
        NT AUTHORITY\NETWORK SERVICE     Access: UE
      NNTPSVC
        BUILTIN\Administrators           Access: RWSUED
        NT AUTHORITY\LOCAL SERVICE       Access: UE
        NT AUTHORITY\NETWORK SERVICE     Access: UE
      Logging
        BUILTIN\Administrators           Access: RWSUED
  • Restricted ACLs: The following list describes the metabase key properties that are marked as restricted on default installations of IIS 6.0:
    MD_ADMIN_ACL
    MD_VPROP_ADMIN_ACL_RAW_BINARY
    MD_APPPOOL_ORPHAN_ACTION_EXE
    MD_APPPOOL_ORPHAN_ACTION_PARAMS
    MD_APPPOOL_AUTO_SHUTDOWN_EXE
    MD_APPPOOL_AUTO_SHUTDOWN_PARAMS
    MD_APPPOOL_IDENTITY_TYPE
    MD_APP_APPPOOL_ID
    MD_APP_ISOLATED
    MD_VR_PATH
    MD_ACCESS_PERM
    MD_VR_USERNAME
    MD_VR_PASSWORD
    MD_ANONYMOUS_USER_NAME
    MD_ANONYMOUS_PWD
    MD_LOGSQL_USER_NAME
    MD_LOGSQL_PASSWORD
    MD_WAM_USER_NAME
    MD_WAM_PWD
    MD_AD_CONNECTIONS_USERNAME
    MD_AD_CONNECTIONS_PASSWORD
    MD_MAX_BANDWIDTH
    MD_MAX_BANDWIDTH_BLOCKED
    MD_ISM_ACCESS_CHECK
    MD_FILTER_LOAD_ORDER
    MD_FILTER_ENABLED
    MD_FILTER_IMAGE_PATH
    MD_SECURE_BINDINGS
    MD_SERVER_BINDINGS
    MD_ASP_ENABLECLIENTDEBUG
    MD_ASP_ENABLESERVERDEBUG
    MD_ASP_ENABLEPARENTPATHS
    MD_ASP_ERRORSTONTLOG
    MD_ASP_KEEPSESSIONIDSECURE
    MD_ASP_LOGERRORREQUESTS
    MD_ASP_DISKTEMPLATECACHEDIRECTORY
    36948 RouteUserName
    36949 RoutePassword
    36958 SmtpDsPassword
    41191 Pop3DsPassword
    45461 FeedAccountName
    45462 FeedPassword
    49384 ImapDsPassword
Properties

Article ID: 326902 - Last Review: 12/03/2007 21:24:35 - Revision: 6.6

Microsoft Internet Information Services 6.0, Microsoft Internet Information Services 5.0, Microsoft Windows NT version 4.0 Option Pack

  • kbhowtomaster kbinfo KB326902