
Description of default permissions and user rights for IIS 7.0, IIS 7.5, and IIS 8.0

INTRODUCTION
This article describes the default permissions and user rights that are set on certain folders and files. These folders and files are installed together with Internet Information Services (IIS) 7.0 in Windows Server 2008 and Windows Vista, together with IIS 7.5 in Windows Server 2008 R2 and Windows 7, and together with IIS 8.0 in Windows Server 2012 and Windows 8.
More information

Changes in permissions between IIS 6.0 and IIS 7.0/7.5

In IIS 6.0, a local account (IUSR_MachineName) is created when IIS is installed. The IUSR_MachineName account is the default identity that is used by IIS when Anonymous authentication is enabled. Anonymous authentication is used by both the FTP service and the HTTP service. IIS 6.0 also contains a group that is named IIS_WPG. The IIS_WPG group is used as a container for all application pool identities.

In IIS 7.0, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. The IUSR_MachineName account is created and used only when the FTP 6 server that is included on the Windows Server 2008 DVD is installed. If the FTP 6 server is not installed, the account is not created.

Beginning in IIS 7.5, a new security feature is added that is called Application Pool Identities. This feature lets you run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

For more information about IIS 7.0 accounts and groups, go to the following website:
For more information about Application Pool Identities, go to the following website:

Default NTFS file system permissions

The tables in this section list the default NTFS permissions that are assigned to certain folders and files. These folders and files are installed together with IIS 7.0, IIS 7.5, and IIS 8.0.

\inetpub

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read & execute; List folder contents; Read | |
| TrustedInstaller | Full control | |

\inetpub\AdminScripts

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read & execute; List folder contents; Read | |
| TrustedInstaller | Full control | |

\inetpub\AdminScripts\0409

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub\AdminScripts\. |
| SYSTEM | Full control | Inherited from \inetpub\AdminScripts\. |
| Administrators | Full control | Inherited from \inetpub\AdminScripts\. |
| Users | Read & execute; List folder contents; Read | Inherited from \inetpub\AdminScripts\. |
| TrustedInstaller | Full control | Inherited from \inetpub\AdminScripts\. |

\inetpub\custerr

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control; Special permissions | Full control is inherited from \inetpub. Special permissions are equivalent to Full control. Applies to this folder only. |
| Administrators | Full control; Special permissions | Full control is inherited from \inetpub. Equivalent to Full control. Applies to this folder only. |
| Users | Read & execute; List folder contents; Read; Special permissions | Permissions are inherited from \inetpub except for special permissions. Special permissions apply to this folder only, and include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Read permissions. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\custerr\en-us

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute; List folder contents; Read | Inherited from \inetpub. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\ftproot

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute; List folder contents; Read | Inherited from \inetpub. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\history and subfolders

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| SYSTEM | Full control | |
| Administrators | Full control | |

\inetpub\logs

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute; List folder contents; Read | Inherited from \inetpub. |
| WMSvc | List folder contents | |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\logs\FailedReqLogFiles

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| IIS_IUSRS | Special permissions | Special permissions include the following: List folder / read data; Create files / write data; Create folders / append data; Write attributes; Write extended attributes; Delete subfolders and files; Delete. |
| SYSTEM | Full control | |
| Administrators | Full control | |

\inetpub\logs\wmsvc

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute; List folder contents; Read | Inherited from \inetpub. |
| WMSvc | Modify; Read & execute; List folder contents; Read; Write | List folder contents permission is inherited from \inetpub\logs. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\temp

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute; List folder contents; Read | Inherited from \inetpub. |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\temp\appPools

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| IIS_IUSRS | Read & execute | Inherited from \inetpub. |

\inetpub\temp\ASP Compiled Templates

By default, no permissions are assigned to this folder.

\inetpub\temp\IIS Temporary Compressed Files

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| SYSTEM | Full control | |
| Administrators | Full control | |
| IIS_IUSRS | Full control | |

\inetpub\wwwroot

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub. |
| SYSTEM | Full control | Inherited from \inetpub. |
| Administrators | Full control | Inherited from \inetpub. |
| Users | Read & execute; List folder contents; Read | Inherited from \inetpub. |
| IIS_IUSRS | Read & execute | |
| TrustedInstaller | Full control | Inherited from \inetpub. |

\inetpub\wwwroot\aspnet_client

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| Everyone | Read | |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read & execute; List folder contents; Read | |

%windir%\system32\inetsrv

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
| Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
| Users | Read & execute; List folder contents; Read | |
| TrustedInstaller | Special permissions | Permissions are equivalent to Full control, and apply to this folder and subfolders. |

%windir%\System32\inetsrv\0409

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from %windir%\System32\inetsrv. |
| SYSTEM | Full control | Inherited from %windir%\System32\inetsrv. |
| Administrators | Full control | Inherited from %windir%\System32\inetsrv. |
| Users | Read & execute; List folder contents; Read | Inherited from %windir%\System32\inetsrv. |
| TrustedInstaller | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from %windir%\System32\inetsrv. |

%windir%\System32\inetsrv\config

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read & execute; List folder contents; Read | |
| TrustedInstaller | Full control | |
| WMSvc | Read | |

%windir%\System32\inetsrv\config\Export

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| TrustedInstaller | Full control | |

%windir%\System32\inetsrv\config\schema

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
| Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
| Users | Read & execute; List folder contents; Read | |
| TrustedInstaller | Special permissions | Equivalent to Full control. Applies to this folder and subfolders. |

%windir%\System32\inetsrv\en-us

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
| SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
| Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Create file / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Read permissions. Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
| Users | Read & execute; List folder contents; Read | |
| TrustedInstaller | List folder contents; Special permissions | Equivalent to Full control. Applies to this folder and subfolders. |

%windir%\System32\inetsrv\History

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| Administrators | Full control | |
| SYSTEM | Full control | |

%windir%\System32\inetsrv\MetaBack

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| Administrators | Full control | |
| SYSTEM | Full control | |
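
A drift check against the NTFS defaults tabulated in this section, added here as an example and not part of the original article: it reads each folder's ACL with Get-Acl and reports Allow entries for identities the tables do not list, or write-type rights held by identities the tables list as read-only. The function name Test-IisFolderAcl, the choice of folders, English identity names, and inetpub residing on the system drive are assumptions.

```powershell
# Added example, not from the original article. The baseline is copied from
# the article's tables; English identity names and the default inetpub
# location on the system drive are assumptions.
$sys = 'CREATOR OWNER', 'SYSTEM', 'Administrators', 'TrustedInstaller'
$svc = 'IIS_IUSRS', 'SYSTEM', 'Administrators'
$baseline = @{
    'inetpub'                                 = @{ Listed = $sys + 'Users';              Writers = $sys }
    'inetpub\wwwroot'                         = @{ Listed = $sys + 'Users', 'IIS_IUSRS'; Writers = $sys }
    'inetpub\logs'                            = @{ Listed = $sys + 'Users', 'WMSvc';     Writers = $sys }
    'inetpub\logs\FailedReqLogFiles'          = @{ Listed = $svc; Writers = $svc }
    'inetpub\temp\IIS Temporary Compressed Files' = @{ Listed = $svc; Writers = $svc }
}

# Rights that let a principal change content or the ACL itself, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that appear
# on inherit-only entries such as CREATOR OWNER.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Test-IisFolderAcl {
    param([string]$Path, [string[]]$Listed, [string[]]$Writers)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Drop the authority prefix: 'BUILTIN\Users' becomes 'Users'.
        $name = $ace.IdentityReference.Value -replace '^.*\\', ''
        $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
        $finding = $null
        if ($Listed -notcontains $name) {
            $finding = 'identity not in documented defaults'
        } elseif ($canWrite -and ($Writers -notcontains $name)) {
            $finding = 'write-type rights beyond documented defaults'
        }
        if ($finding) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Finding   = $finding
            }
        }
    }
}

foreach ($rel in $baseline.Keys) {
    $path = Join-Path "$env:SystemDrive\" $rel
    if (Test-Path -LiteralPath $path) {
        Test-IisFolderAcl -Path $path -Listed $baseline[$rel].Listed -Writers $baseline[$rel].Writers
    }
}
```

Entries that administrators add deliberately, such as a grant to an individual application pool identity, are reported as well because the default tables do not list them.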

Default registry permissions

The tables in this section list the default registry permissions that are assigned when IIS 7.0, IIS 7.5 or IIS 8.0 is installed. When Read permissions are listed for Users, the following permissions are included:
  • Query Value
  • Enumerate Subkeys
  • Notify
  • Read Control

HKEY_LOCAL_MACHINE\Software\Microsoft\Inetmgr

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\Software\Microsoft\W3SVC

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aspnet_state

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IISAdmin

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WAS

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

Note: The WAS key is for the Windows Process Activation Service. This is a required dependency and is installed together with IIS.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMsvc

| Users / groups | Allowed permissions | Comments |
| --- | --- | --- |
| CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
| SYSTEM | Full control | |
| Administrators | Full control | |
| Users | Read | |

Default Windows user rights assignments

The table in this section lists the default Local Security policies together with the users, the groups, or the users and groups that are assigned to the policy when IIS 7.0, IIS 7.5 or IIS 8.0 is installed.

Windows user rights that are assigned by local security policy

| Allowed permissions | Users / groups |
| --- | --- |
| Access this computer from the network | Everyone; Administrators; Users; Backup operators |
| Adjust memory quotas for a process | LOCAL SERVICE; NETWORK SERVICE; Administrators; ApplicationPoolIdentity |
| Allow log on locally | Administrators; Users; Backup operators |
| Bypass traverse checking | Everyone; LOCAL SERVICE; NETWORK SERVICE; Administrators; Users; Backup operators |
| Generate security audit details | ApplicationPoolIdentity |
| Impersonate a client after authentication | LOCAL SERVICE; NETWORK SERVICE; Administrators; IIS_IUSRS; SERVICE |
| Log on as a batch job | Administrators; Backup operators; Performance log users; IIS_IUSRS |
| Log on as a service | ApplicationPoolIdentity |
| Replace a process level token | LOCAL SERVICE; NETWORK SERVICE; ApplicationPoolIdentity |

Properties

Article ID: 981949 - Last Review: 01/24/2013 20:06:00 - Revision: 3.0

Microsoft Internet Information Services 7.0, Microsoft Internet Information Services 7.5, Microsoft Internet Information Services 8.0
