How to set secure NTFS permissions on IIS 5.0 log files and virtual directories in Windows 2000 (310361)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2

This article was previously published under Q310361
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. All the default security-related configuration settings in IIS 6.0 meet or exceed the security-related configuration settings that are made by the IIS Lockdown Tool. Therefore, you do not have to run this tool on Web servers that are running IIS 6.0. However, if you are upgrading from an earlier version of IIS, you should run the IIS Lockdown Tool before you upgrade. By taking this action, you enhance the security of the Web server.

For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

This step-by-step article describes how to place NTFS permissions on IIS 5.0 log files and virtual directories. Computers that are directly connected to the Internet are under a constant threat of attack. Any computer that is connected to the Internet must be protected to prevent malicious users from taking control of the computer. Because Web servers are the most common server type to be attacked by malicious users, these computers require extra attention.

One of the most powerful security tools that is available on Windows 2000-based computers is the NTFS file system. You can use the NTFS file system to apply access controls on Web server files that are most likely to be attacked. You can apply Access Control Lists (ACLs) to files and folders in the IIS 5.0 Web server hierarchy to help prevent unauthorized users from taking control of your computer.

There are two general groups of IIS 5.0 related files and folders that benefit from secure ACLs:
  • IIS Virtual Directories
  • IIS Log File Directories

Setting ACLs on Virtual Directories

  1. Arrange file types into dedicated directories. You should create directories in the Inetpub\wwwroot\virtual_server hierarchy for the following file types:

    Executable files (.bat, .cmd, .pl, .exe)
    Script files (.asp)
    Include files (.inc, .shtm, .shtml)
    Static content (.jpg, .gif, .htm, .html)

  2. For the Executable, Script, and Include file folders, assign the following permissions:

    Everyone (X)
    Administrators (Full Control)
    System (Full Control)

  3. For the Static content folders, assign the following permissions:

    Everyone (R)
    Administrators (Full Control)
    System (Full Control)

  4. The Inetpub\FTProot and the Inetpub\Mailroot directories typically require anonymous access for read and write. If this is the case in your environment, put these folders on a different disk, and set disk quotas for the Everyone group. This will prevent a denial of service attack from filling up your boot partition, and you will receive a warning when a disk quota is being reached.

Setting ACLs on Log Files

IIS 5.0 log files are located in the \system_root\system32\LogFiles folder. These log files must remain intact and unaltered so that an intruder who tries to compromise the server cannot "hide their tracks" afterwards. ACLs on the IIS service logs should be set as:

Administrators (Full Control)
System (Full Control)
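The permission sets above (content folders and the LogFiles folder), applied and then audited with PowerShell, as an added example that is not part of the KB article. It assumes a PowerShell-capable Windows host, maps the article's (X) and (R) to the FileSystemRights values ExecuteFile and Read, and takes folder paths of your own choosing.

```powershell
# Added example, not from the KB article: apply the article's three permission
# sets with Set-Acl and audit a folder against them.
$EveryoneSid = 'S-1-1-0'; $AdminsSid = 'S-1-5-32-544'; $SystemSid = 'S-1-5-18'

function Get-ArticleRules {
    param([ValidateSet('Script', 'Static', 'Log')][string]$Kind)
    # Administrators and System always get Full Control; what Everyone gets
    # depends on the folder kind. (X)/(R) are mapped to ExecuteFile/Read (assumed).
    $rules = @{ $AdminsSid = 'FullControl'; $SystemSid = 'FullControl' }
    switch ($Kind) {
        'Script' { $rules[$EveryoneSid] = 'ExecuteFile' }  # executable, script, include
        'Static' { $rules[$EveryoneSid] = 'Read' }         # static content
        'Log'    { }                                       # LogFiles: nobody else
    }
    return $rules
}

function Set-ArticleAcl {
    param([string]$Path, [string]$Kind)
    $acl = Get-Acl -Path $Path
    # Cut inheritance from the parent (dropping inherited ACEs), then remove the
    # explicit ACEs, so the folder ends up with exactly the article's list.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($ace) }
    foreach ($entry in (Get-ArticleRules -Kind $Kind).GetEnumerator()) {
        $ctorArgs = @([System.Security.Principal.SecurityIdentifier]$entry.Key,
                      [System.Security.AccessControl.FileSystemRights]$entry.Value,
                      [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
                      [System.Security.AccessControl.PropagationFlags]::None,
                      [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ArticleAcl {
    # Returns one line per Allow ACE that grants more than the article permits,
    # so no output means the folder matches the article.
    param([string]$Path, [string]$Kind)
    $allowed = Get-ArticleRules -Kind $Kind
    $findings = @()
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        $permitted = 0
        if ($allowed.ContainsKey($sid)) { $permitted = [int][System.Security.AccessControl.FileSystemRights]$allowed[$sid] }
        $excess = [int]$ace.FileSystemRights -band (-bnot $permitted)
        if ($excess -ne 0) { $findings += "$Path`: $sid has unexpected rights 0x{0:X}" -f $excess }
    }
    return $findings
}
```

Call `Set-ArticleAcl -Path 'C:\Inetpub\wwwroot\virtual_server\scripts' -Kind Script` (path assumed) for each executable, script and include folder, `-Kind Static` for static content and `-Kind Log` for the LogFiles folder, then run `Test-ArticleAcl` with the same arguments and expect no output.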

Troubleshooting

  • By taking advantage of NTFS permissions, you reduce the chance that Internet intruders can change key system files, which could otherwise lead to a compromised Web server.

Modification Type: Major    Last Reviewed: 6/9/2006
Keywords: kbhowto kbHOWTOmaster kbnetwork KB310361 kbAudITPro