Default permissions and user rights for IIS 6.0 (812614)
The information in this article applies to:
- Microsoft Internet Information Services version 6.0
INTRODUCTION This article describes the default
permissions and the user rights on a newly installed application server that has Internet Information Services (IIS) 6.0 installed.MORE INFORMATIONThe following tables document the NTFS file system permissions, registry
permissions, and Microsoft Windows user rights. This information applies if Microsoft ASP.NET is included as part of the installation suite. This article focuses on the World Wide Web Publishing
Service and does not consider other components, such as the File Transfer Protocol (FTP) service, the Simple Mail Transfer Protocol (SMTP) service, and Microsoft FrontPage
Server Extensions (FPSE). Note For the purposes of this document, the IUSR_MachineName account is used interchangeably with a configured
anonymous account. NTFS permissions| Directory | Users\Groups | Permissions | | %windir%\help\iishelp\common | Administrators | Full
control | | %windir%\help\iishelp\common | System | Full control | | %windir%\help\iishelp\common | IIS_WPG | Read, execute | | %windir%\help\iishelp\common | Users (See Note 1.) | Read, execute | | %windir%\IIS Temporary Compressed
Files | Administrators | Full control | | %windir%\IIS Temporary Compressed
Files | System | Full control | | %windir%\IIS Temporary Compressed
Files | IIS_WPG | Full control | | %windir%\IIS Temporary Compressed
Files | Creator owner | Full control | | %windir%\system32\inetsrv | Administrators | Full
control | | %windir%\system32\inetsrv | System | Full control | | %windir%\system32\inetsrv | Users | Read, execute | | %windir%\system32\inetsrv\*.vbs | Administrators | Full
control | | %windir%\system32\inetsrv\ASP compiled
templates | Administrators | Full control | | %windir%\system32\inetsrv\ASP compiled
templates | IIS_WPG | Full control | | %windir%\system32\inetsrv\History | Administrators | Full
control | | %windir%\system32\inetsrv\History | System | Full control | | %windir%\system32\Logfiles | Administrators | Full
control | | %windir%\system32\inetsrv\metaback | Administrators | Full
control | | %windir%\system32\inetsrv\metaback | System | Full control | | Inetpub\Adminscripts | Administrators | Full
control | | Inetpub\wwwroot (or content
directories) | Administrators | Full control | | Inetpub\wwwroot (or content
directories) | System | Full control | | Inetpub\wwwroot (or content
directories) | IIS_WPG | Read, execute | | Inetpub\wwwroot (or content
directories) | IUSR_MachineName | Read, execute | | Inetpub\wwwroot (or content
directories) | ASPNET (See Note 2.) | Read, execute |
Note 1 You must have permissions to this directory when you use
Basic authentication or Integrated authentication and when custom errors are configured. For example, when error 401.1 occurs, the logged-on user sees the expected detailed custom error only if permissions to read the 4011.htm file have been granted to that user. Note 2 By default, ASP.NET is used as the
ASP.NET process identity in IIS 5.0 isolation mode. If ASP.NET is switched to IIS 5.0 isolation
mode, ASP.NET must have access to the content areas. ASP.NET process isolation
is detailed in IIS Help. For additional information, visit the following Microsoft Web site: ASP.NET process isolation Registry permissions| Location | Users\Groups | Permissions | | HKLM\System\CurrentControlSet\Services\ASP | Administrators | Full
control | | HKLM\System\CurrentControlSet\Services\ASP | System | Full control | | HKLM\System\CurrentControlSet\Services\ASP | IIS_WPG | Read | | HKLM\System\CurrentControlSet\Services\HTTP | Administrators | Full
control | | HKLM\System\CurrentControlSet\Services\HTTP | System | Full control | | HKLM\System\CurrentControlSet\Services\HTTP | IIS_WPG | Read | | HKLM\System\CurrentControlSet\Services\IISAdmin | Administrators | Full
control | | HKLM\System\CurrentControlSet\Services\IISAdmin | System | Full control | | HKLM\System\CurrentControlSet\Services\IISAdmin | IIS_WPG | Read | | HKLM\System\CurrentControlSet\Services\w3svc | Administrators | Full
control | | HKLM\System\CurrentControlSet\Services\w3svc | System | Full control | | HKLM\System\CurrentControlSet\Services\w3svc | IIS_WPG | Read |
Windows user rights| Policy | Users | | Access this computer from the
network | Administrators | | Access this computer from the
network | ASPNET | | Access this computer from the
network | IUSR_MachineName | | Access this computer from the
network | IWAM_MachineName | | Access this computer from the
network | Users | | Adjust memory quotas for a
process | Administrators | | Adjust memory quotas for a
process | IWAM_MachineName | | Adjust memory quotas for a
process | Local service | | Adjust memory quotas for a
process | Network service | | Bypass traverse checking | IIS_WPG | | Allow log on locally (see Note) | Administrators | | Allow log on locally (see Note) | IUSR_MachineName | | Deny logon locally | ASPNET | | Impersonate a client after
authentication | Administrators | | Impersonate a client after
authentication | ASPNET | | Impersonate a client after
authentication | IIS_WPG | | Impersonate a client after
authentication | Service | | Log on as a batch job | ASPNET | | Log on as a batch job | IIS_WPG | | Log on as a batch job | IUSR_MachineName | | Log on as a batch job | IWAM_MachineName | | Log on as a batch job | Local service | | Logon as a service | ASPNET | | Logon as a service | Network service | | Replace a process level token | IWAM_MachineName | | Replace a process level token | Local service | | Replace a process level token | Network service |
Note In a new default installation of Microsoft Windows Server 2003 with IIS 6.0, the Users group and the Everyone group have Bypass traverse checking permissions. The worker process identity inherits Bypass traverse checking permissions through one of these groups. If both groups are removed from Bypass traverse checking permissions, and the worker process identity does not inherit Bypass traverse checking permissions through any other assignment, the worker process does not start. If the Users group and the Everyone group must be removed from the Bypass traverse checking permissions, add the IIS_WPG group to permit IIS to function as expected. Note In IIS 6.0, when Basic authentication is configured as one of the authentication options, the LogonMethod metabase property for Basic authentication is NETWORK_CLEARTEXT. The NETWORK_CLEARTEXT logon type does not require the Allow log on locally user right. This also applies to
Anonymous authentication. For additional information, see the "Basic Authentication
Default Logon Type" topic in IIS Help. You can also visit the following Microsoft Web site: Basic authentication REFERENCESFor more information about how to implement and manage IIS security, visit the following Microsoft Web sites: Windows Server 2003 Security Guide TechNet Security how-to resources Improving Web application security: threats and countermeasures
| Modification Type: | Minor | Last Reviewed: | 7/3/2006 |
|---|
| Keywords: | kbhowto kbinfo KB812614 kbAudDeveloper |
|---|
|