How to set minimum NTFS permissions and user rights for IIS 5.x or IIS 6.0 (2024)

This article describes how to set the minimum permissions that are required for a dedicated Internet Information Services (IIS) 5.0, IIS 5.1, or IIS 6.0 Web server.

The limitation for this article

Warning This article is only valid for dedicated Web servers that use basic IIS functionality, such as serving HTML static content or simple Active Server Pages (ASP) content. The permission requirements that are described in this article are specific only to the basic permissions for a dedicated Web server that is running IIS 5.x or IIS 6.0. This article does not consider other Microsoft and third-party products that may require different permissions. You can review server and application documentation for specific security requirements. We recommend that you review the related articles that are specific for the roles of your Web server.

Testing steps before the permissions configurations in a production environment

Before you make permission changes on a production Web server, we recommend that you do the following steps:

  1. Run the most current version of the IIS Lockdown Tool. The following programs and services were installed as part of the test suite that was used to test server security after granting the permissions outlined in this article:

    • Index Services

    • Terminal Services

    • Script Debugger

    • IIS

      • Common Files

      • Documentation

      • FrontPage Server Extensions 2000

      • Internet Services Manager (HTML)

      • WWW

      • FTP

  2. Perform the following functional tests:

    • Hypertext documents (HTML)

    • Active Server Pages (ASP)

    • FrontPage Server Extensions, such as connecting, editing, and saving, if FPSE is enabled while you use the Lockdown Tool

    • Secure Socket Layers (SSL) Connections

Grant ownership and permission to the administrator and to the system

To do this, follow these steps:

  1. Open Windows Explorer. To do this, click Start, click Programs, and then click Windows Explorer.

  2. Expand My Computer.

  3. Right-click the system drive (this is typically drive C), and then click Properties.

  4. Click the Security tab, and then click Advanced to open the Access Control Settings for Local Disk dialog box.

  5. Click the Owner tab, click to select the Replace Owner on Sub containers and Objects check box, and then click Apply.

    If you receive the following error message, click Continue:

    An error has occurred applying security information to %systemdrive%\Pagefile.sys

  6. If you receive the following error message, click Yes:

    You do not have permission to read the contents of directory %systemdrive%\System Volume Information - Do you want to replace the directory permission - All permission will be replaced granting you Full Control

  7. Click OK to close the dialog box.

  8. Click Add.

  9. Add the following users, and then grant them the Full Control NTFS permission:

  10. After you have added these NTFS permissions, click Advanced, click to select the Reset permission on all child objects and enable propagation of inheritable permissions check box, and then click Apply.

  11. If you receive the following error message, click Continue:

    An error has occurred applying security information to %systemdrive%\Pagefile.sys

  12. After you have reset NTFS permissions, click OK.

  13. Click the Everyone group, click Remove, and then click OK.

  14. Open the properties for the %systemdrive%\Program Files\Common Files folder, and then click the Security tab. Add the account that is used for anonymous access. By default, this is the IUSR_<MachineName> account. Then, add the Users group. Make sure that only the following are selected:

    • Read & Execute

    • List Folder Contents

    • Read

  15. Open the properties for the root directory that holds your Web content. By default, this is the %systemdrive%\Inetpub\Wwwroot folder. Click the Security tab, add the IUSR_<MachineName> account and the Users group, and then make sure that only the following are selected:

    • Read & Execute

    • List Folder Contents

    • Read

  16. If you want to grant Write NTFS permission for Inetpub\FTProot or the directory path for your FTP site or sites, repeat step 15.

    Note We do not recommend that you grant NTFS Write permissions to the anonymous account in any directories, including directories that the FTP service uses. This can cause unnecessary data to be uploaded to your Web server.

Disable inheritance in system directories

To do this, follow these steps:

  1. In the %systemroot%\System32 folder, select all folders except the following:

    • Inetsrv

    • Certsrv (if present)

    • COM

  2. Right-click the remaining folders, click Properties, and then click the Security tab.

  3. Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.

  4. In the %systemroot% folder, select all folders except the following:

  5. Right-click the remaining folders, click Properties, and then click the Security tab.

  6. Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.

  7. Apply permissions to the following:

    1. Open the properties for the %systemroot% folder, click the Security tab, add the IUSR_<MachineName> and IWAM_<MachineName> accounts and the Users group, and then make sure that only the following are selected:

      • Read & Execute

      • List Folder Contents

      • Read

    2. Open the properties for the %systemroot%\Temp folder, select the IUSR_<MachineName> account (this account is already present because it inherits from the Winnt folder), and then click to select the Modify check box. Repeat this step for the IWAM_<MachineName> account and the Users group.

    3. If FrontPage Server Extension Clients such as FrontPage or Microsoft Visual InterDev are being used, open the properties for the %systemdrive%\Inetpub\Wwwroot folder, select the Authenticated Users group, select the following, and then click OK:

      • Modify

      • Read & Execute

      • List Folder Contents

      • Read

      • Write

NTFS permissions

The following table lists the permissions that will be applied when you follow the steps in the "Disable inheritance in system directories" section. This table is for reference only.

To apply the permissions in the following table, follow these steps:

  1. Open Windows Explorer. To do this, click Start, click Programs, click Accessories, and then click Windows Explorer.

  2. Expand My Computer.

  3. Right-click %systemroot%, and then click Properties.

  4. Click the Security tab, and then click Advanced.

  5. Double-click Permission, and then select the appropriate setting from the Apply Onto list.

Note In the "Apply To" column, the term Default refers to "This folder, subfolders, and files."

| Directory | Users\Groups | Permissions | Apply To |
| --- | --- | --- | --- |
| %systemroot%\ (c:\winnt) | Administrator | Full Control | Default |
| | System | Full Control | Default |
| | Users | Read, execute | Default |
| %systemroot%\system32 | Administrators | Full Control | Default |
| | System | Full Control | Default |
| | Users | Read, execute | Default |
| %systemroot%\system32\inetsrv | Administrators | Full Control | Default |
| | System | Full Control | Default |
| | Users | Read, execute | Default |
| Inetpub\adminscripts | Administrators | Full Control | Default |
| Inetpub\urlscan (if present) | Administrators | Full Control | Default |
| | System | Full Control | Default |
| %systemroot%\system32\inetsrv\metaback | Administrators | Full Control | Default |
| | System | Full Control | Default |
| %systemroot%\help\iishelp\common | Administrators | Full Control | This folder and files |
| | System | Full Control | This folder and files |
| | IWAM_<Machinename> | Read, execute | This folder and files |
| | Network | Full Control | This folder and files |
| | Service | | This folder and files |
| | Users | Read, execute | This folder and files |
| Inetpub\wwwroot (or content directories) | Administrators | Full Control | This folder and files |
| | System | Full Control | This folder and files |
| | IWAM_<MachineName> | Read, execute | This folder and files |
| | Service | Read, execute | This folder and files |
| | Network | Read, execute | This folder and files |
| | Optional**: Users | Read, execute | This folder and files |


Note If you are using FrontPage Server Extensions, the Authenticated Users or the Users group must have the Change NTFS permission to create, to rename, to write, or to provide the functionality that a developer might have to have from a FrontPage-type of client, such as Visual InterDev 6.0 or FrontPage 2002.
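To check a server against the NTFS baseline above without clicking through each dialog box, the following read-only PowerShell audit is an added example (not part of the original article). It assumes English account names, the default paths the article mentions, and PowerShell 2.0 or later; the `$ContentRoot` parameter name is hypothetical.

```powershell
# Added example: read-only audit of NTFS ACLs against the article's baseline.
param(
    # Assumption: default content root; pass your own path if the site lives elsewhere.
    [string]$ContentRoot = "$env:SystemDrive\Inetpub\wwwroot"
)

# Folders whose own ACL is inspected. %systemroot%\Temp is left out on purpose:
# the article grants Modify there to IUSR, IWAM and Users.
$paths = @(
    "$env:SystemDrive\",
    $env:SystemRoot,
    "$env:SystemDrive\Program Files\Common Files",
    $ContentRoot
)

# Accounts the article limits to Read & Execute, List Folder Contents and Read.
# Assumption: English account names; localized builds name the Users group differently.
$readOnly = @('*\IUSR_*', '*\IWAM_*', 'BUILTIN\Users')

# Rights that let the holder change content or the ACL itself, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some ACEs carry.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x50000000

$findings = foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Skipping missing path: $path"
        continue
    }
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who   = $ace.IdentityReference.Value
        $issue = $null
        if ($who -eq 'Everyone') {
            $issue = 'Everyone has an ACE; the procedure removes this group'
        }
        elseif (($readOnly | Where-Object { $who -like $_ }) -and
                (([int]$ace.FileSystemRights) -band $writeMask)) {
            $issue = 'write-class rights on an account that should be read-only'
        }
        if ($issue) {
            New-Object PSObject -Property @{
                Path = $path; Identity = $who; Rights = $ace.FileSystemRights
                Inherited = $ace.IsInherited; Issue = $issue
            }
        }
    }
}

if ($findings) {
    $findings | Select-Object Path, Identity, Rights, Inherited, Issue | Format-Table -AutoSize
} else {
    Write-Output 'No deviations from the baseline found on the checked folders.'
}
```

If FrontPage Server Extensions are in use, a Modify entry for Authenticated Users on the content root is expected and is not reported.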

Grant permissions in the registry

  1. Click Start, click Run, type regedt32, and then click OK. Do not use Registry Editor because it does not let you change permissions in Windows 2000.

  2. In Registry Editor, locate and select HKEY_LOCAL_MACHINE.

  3. Expand System, expand CurrentControlSet, and then expand Services.

  4. Select the IISADMIN key, click Security (or press ALT+S), and then select Permissions (or press P).

  5. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then remove all users except:

    • Administrators (Allow Read and Full Control)

    • System (Allow Read and Full Control)

  6. Click OK.

  7. Repeat the steps for the MSFTPSVC key.

  8. Select the W3SVC key, click Security, and then click Permissions.

  9. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then remove all entries except:

    • Administrators (Allow Read and Full Control)

    • System (Allow Read and Full Control)

    • Network (Read)

    • Service (Read)

    • IWAM_<MachineName> (Read)

  10. Click OK.

Registry

The following table lists the permissions that will be applied when you follow the steps in the "Grant permissions in the registry" section. This table is for reference only.

Note The acronym HKLM stands for HKEY_LOCAL_MACHINE.

| Location | Users\Groups | Permissions |
| --- | --- | --- |
| HKLM\System\CurrentControlSet\Services\IISAdmin | Administrators | Full Control |
| | System | Full Control |
| HKLM\System\CurrentControlSet\Services\MsFtpSvc | Administrators | Full Control |
| | System | Full Control |
| HKLM\System\CurrentControlSet\Services\w3svc | Administrators | Full Control |
| | System | Full Control |
| | IWAM_<MachineName> | Read |
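The registry steps can be verified the same way. This read-only PowerShell check is an added example (not part of the original article); it reports keys that still inherit from the parent and entries outside the lists in steps 5 and 9. It assumes English account names and takes "Network" and "Service" literally as written in the article.

```powershell
# Added example: read-only check of the IIS service keys against the article's registry steps.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$machine = $env:COMPUTERNAME

# Principals the steps leave on each key, written as in the article and compared
# without the domain or authority prefix (assumption: English account names).
$allowed = @{
    IISADMIN = @('Administrators', 'System')
    MSFTPSVC = @('Administrators', 'System')
    W3SVC    = @('Administrators', 'System', 'Network', 'Service', "IWAM_$machine")
}
$fullControl = @('Administrators', 'System')   # everyone else is limited to Read

# Rights beyond Read, plus the GENERIC_WRITE and GENERIC_ALL bits.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x50000000

$findings = foreach ($key in $allowed.Keys) {
    $path = Join-Path $base $key
    if (-not (Test-Path -Path $path)) { continue }   # service not installed
    $acl = Get-Acl -Path $path

    # Steps 5 and 9 clear "Allow inheritable permissions from parent".
    if (-not $acl.AreAccessRulesProtected) {
        New-Object PSObject -Property @{
            Key = $key; Identity = '-'; Issue = 'still inherits permissions from the parent key'
        }
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who   = $ace.IdentityReference.Value -replace '^.*\\', ''
        $issue = $null
        if ($allowed[$key] -notcontains $who) {
            $issue = 'principal is not in the list for this key'
        }
        elseif (($fullControl -notcontains $who) -and
                (([int]$ace.RegistryRights) -band $writeMask)) {
            $issue = 'has more than Read'
        }
        if ($issue) {
            New-Object PSObject -Property @{ Key = $key; Identity = $who; Issue = $issue }
        }
    }
}

if ($findings) {
    $findings | Select-Object Key, Identity, Issue | Format-Table -AutoSize
} else {
    Write-Output 'IISADMIN, MSFTPSVC and W3SVC match the lists in the steps.'
}
```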

Grant rights in the Local Security Policy

  1. Click Start, click Settings, and then click Control Panel.

  2. Double-click Administrative Tools, and then double-click Local Security Policy.

  3. In the Local Security Settings dialog box, expand Local Policies, and then click User Rights Assignment.

  4. Modify the appropriate policy:

    1. Double-click the policy.

    2. Select and then click Remove for any user who is not listed in the table.

    3. Add any user who is not listed. To do this, click Add, and then select the user in the Select Users or Groups dialog box.

Note that because a domain controller policy overrides the local policy, you must make sure that Effective Policy Setting matches Local Policy Setting.

Policies

The following table lists the permissions that will be applied when you follow the steps in the "Grant rights in the Local Security Policy" section.

| Policy | Users |
| --- | --- |
| Log on Locally | Administrators |
| | IUSR_<MachineName> (Anonymous) |
| | Users (authentication required) |
| Access this computer from the Network | Administrators |
| | ASPNet (.NET Framework) |
| | IUSR_<MachineName> (Anonymous) |
| | IWAM_<MachineName> |
| | Users |
| Log on as a Batch Job | ASPNet |
| | Network |
| | IUSR_<MachineName> |
| | IWAM_<MachineName> |
| | Service |
| Logon as a Service | ASPNet |
| | Network |
| Bypass Traverse Checking | Administrators |
| | IUSR_<MachineName> (Anonymous) |
| | Users (Basic, Integrated, Digest) |
| | IWAM_<MachineName> |
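To compare the assigned user rights with the table above, the following PowerShell script is an added example (not part of the original article). It exports the user rights with `secedit`, resolves SIDs to names, and lists accounts that are unexpected or missing for each policy. It assumes an elevated prompt and English account names, and it takes "Network" and "Service" literally as written in the table.

```powershell
# Added example: compare exported user rights with the article's "Policies" table.
# Run from an elevated prompt; it reads policy and changes nothing.
$machine = $env:COMPUTERNAME

# Key = privilege constant that secedit writes; value = accounts from the article's
# table, compared without the domain or authority prefix (case-insensitive).
$expected = @{
    SeInteractiveLogonRight = @('Administrators', "IUSR_$machine", 'Users')            # Log on Locally
    SeNetworkLogonRight     = @('Administrators', 'ASPNet', "IUSR_$machine", "IWAM_$machine", 'Users')
    SeBatchLogonRight       = @('ASPNet', 'Network', "IUSR_$machine", "IWAM_$machine", 'Service')
    SeServiceLogonRight     = @('ASPNet', 'Network')
    SeChangeNotifyPrivilege = @('Administrators', "IUSR_$machine", 'Users', "IWAM_$machine")  # Bypass Traverse Checking
}

function Resolve-Name([string]$Entry) {
    $Entry = $Entry.Trim()
    if ($Entry.StartsWith('*')) {              # secedit writes SIDs as *S-1-...
        try {
            $sid   = New-Object System.Security.Principal.SecurityIdentifier ($Entry.Substring(1))
            $Entry = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry                      # unresolvable SID: report it unchanged
        }
    }
    $Entry -replace '^.*\\', ''                # drop DOMAIN\ or NT AUTHORITY\
}

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path -Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }

# Parse lines such as: SeServiceLogonRight = *S-1-5-20,ASPNET
$actual = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $actual[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_.Trim() } |
                                 ForEach-Object { Resolve-Name $_ })
    }
}
Remove-Item -Path $cfg

$report = foreach ($right in $expected.Keys) {
    $want = $expected[$right]
    $have = $actual[$right]                    # $null when nobody holds the right
    New-Object PSObject -Property @{
        Right      = $right
        Unexpected = @($have | Where-Object { $_ -and ($want -notcontains $_) }) -join ', '
        Missing    = @($want | Where-Object { $have -notcontains $_ }) -join ', '
    }
}
$report | Select-Object Right, Unexpected, Missing | Format-Table -AutoSize -Wrap
```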

References

For more information about how to restore default NTFS permissions for Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:

266118 How to restore the default NTFS permissions for Windows 2000

260985 Minimum NTFS permissions required to use CDONTS

324068 How to set IIS permissions for specific objects

815153 How to configure NTFS file permissions for security of ASP.NET applications

For more information about the required permissions for IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:

812614 Default permissions and user rights for IIS 6.0

More Information

This article does not address any one of the specific security requirements of the following server roles or applications:

  • Windows 2000 Domain Controller

  • Microsoft Exchange 5.5 or Microsoft Exchange 2000 Outlook Web Access

  • Microsoft Small Business Server 2000

  • Microsoft SharePoint Portal or Team Services

  • Microsoft Commerce Server 2000 or Microsoft Commerce Server 2002

  • Microsoft BizTalk Server 2000 or Microsoft BizTalk Server 2002

  • Microsoft Content Management Server 2000 or Microsoft Content Management Server 2002

  • Microsoft Application Center 2000

  • The third-party applications that depend on additional permissions

