You are currently offline, waiting for your internet to reconnect

HOW TO: Configure NTFS File Permissions for Security of ASP.NET Applications

This step-by-step article describes how to configure NTFS file permissions for the security of an ASP.NET application.

One common method to lower the risk that is associated with hosting a publicly accessible ASP.NET application is to restrict NTFS permissions on the application’s files. Only those accounts that must have access to a specific file in an ASP.NET application are listed in the file’s access control list (ACL). Additionally, accounts that appear in the ACL must have the minimum authorization that is required for the application to run correctly. For example, when the user must have Read permission to run an application, do not grant Write permission.

This article describes the minimum permissions that users must have for an unauthenticated ASP.NET application to run for common file types. As you change settings, restart the ASP.NET application periodically, and then test it to verify that the application runs as expected. Permission changes that you have made to files, and that have already been successfully requested, may not work until you restart the application.

back to the top

Minimum Permissions That Are Required for ASP.NET Applications

The following table lists the minimum permissions that an Internet Information Services (IIS) IUSR_ComputerName Internet Guest Account and an ASP.NET ASPNET user account (or NetworkService user account, for applications that run on IIS 6.0) must have. These permissions are valid only for applications where the source code is compiled in a DLL file before the application runs, such as applications that were created by using Microsoft Visual Studio .NET. Individual users or groups must have additional permissions to update the files. Permissions are shown for individual file types. For all file types, if the IUSR_ComputerName account and the ASPNET account (or NetworkService accounts, for applications that run on IIS 6.0) have these permissions, you can remove the Everyone account and the Authenticated Users account from the file’s ACL.

File typeInternet Guest Account PermissionsASPNET account (or NetworkService account, for applications that run on IIS 6.0) Permissions
FoldersRead (Required for access to default document)Read
.ASAXNo AccessRead
.ASCXNo AccessRead
.ASHXNo AccessRead
.ASPXNo AccessRead
.CONFIGNo AccessRead
.CSNo AccessNo Access
.CSPROJNo AccessNo Access
.DLLNo AccessRead
.LICXNo AccessNo Access
.PDBNo AccessNo Access
.REMNo AccessRead
.RESOURCESNo AccessNo Access
.RESXNo AccessNo Access
.SOAPNo AccessRead
.VBNo AccessNo Access
.VBPROJNo AccessNo Access
.VBDISCONo AccessNo Access
.WEBINFONo AccessNo Access
.XSDNo AccessNo Access
.XSXNo AccessNo Access

back to the top
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
315736 HOW TO: Secure an ASP.NET Application by Using Windows Security
315588 HOW TO: Secure an ASP.NET Application Using Client-Side Certificates
818014 HOW TO: Secure Applications That Are Built on the .NET Framework

back to the top

Article ID: 815153 - Last Review: 07/08/2005 23:13:44 - Revision: 4.5

Microsoft ASP.NET 1.1, Microsoft ASP.NET 1.0

  • kbacl kbauthentication kbwebserver kbsecurity kbhowtomaster KB815153
Feedback'ms.dqp0';m.content='true';document.getElementsByTagName('head')[0].appendChild(m);" onload="var m=document.createElement('meta');'ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src=""> ?DI=4050&did=1&t=">div ng-repeat="language in languagesListForLargeScreens track by $index" class="col-sm-6 col-xs-24 ng-scope"> Paraguay - Español
Venezuela - Español
I=4050&did=1&t="> var varCustomerTracking = 1; var Route = "76500"; var Ctrl = ""; document.write(" d')[0].appendChild(m);" onload="var m=document.createElement('meta');'ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src=""> >