Microsoft KB Archive/187506

= Required NTFS permissions and user rights for IIS 4.0 =

Article ID: 187506

Article Last Modified on 11/11/2005


APPLIES TO


 * Microsoft Internet Information Server 4.0




This article was previously published under Q187506



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx





== INTRODUCTION ==
This article lists the basic NTFS access permissions for an Internet Information Server (IIS) Web site or for a File Transfer Protocol (FTP) site to work. This article applies only to IIS 4.0.

For more information about IIS 5.0, click the following article number to view the article in the Microsoft Knowledge Base:

271071 How to set basic NTFS permissions for IIS 5.0

For more information about IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:

812614 Default permissions and user rights for IIS 6.0

Note When you install IIS, it creates NTFS access permissions for the default Web site and for the default FTP site for the anonymous user account (IUSR_Computer_Name) and, if applicable, for the application owner user account (IWAM_Computer_Name).

If you try to gain access to a Web page that you do not have access permissions to, you may receive the following error message:

HTTP Error 401 401.3 Unauthorized: Unauthorized due to ACL on resource.



== MORE INFORMATION ==
To access and manage IIS, the local System account and the local Administrators group must have Full Control permissions to all drives on the computer. These permissions can be added at a command prompt. Type the following commands on each NTFS drive that IIS uses for system files and for content:

 cd \
 cacls * /T /E /C /P System:F Administrators:F

Note: Modifying permissions may take several minutes per drive, depending on the amount of data on that drive. If the drive has no files, you receive the following error message:

The System cannot find the file specified.

To configure the minimum required NTFS permissions for users who access IIS, grant the following directory permissions to the anonymous Internet user account. By default, this is the IUSR_computer_name account. Also, grant the following directory permissions to any other accounts or groups that have to have access to the Web server:

 Directory                            Permissions
 Content                              READ (RX)
 Winnt                                READ (RX)
 Winnt\System32                       READ (RX)
 Winnt\System32\Inetsrv               READ (RX)
 Program Files\Common Files           READ (RX)
 and all subdirectories

Content is defined as anything that the client can access by using the Web browser. This may include such things as Web pages, images, and files. By default, the content folder for the World Wide Web Publishing Service is \InetPub\Wwwroot, and the content folder for the FTP Service is \InetPub\Ftproot.
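The permissions above can be checked against what a directory actually carries. The following is an added example, not part of the original article: it parses the text printed by `cacls <directory>` and reports where the ACL falls short of, or goes beyond, the minimum listed above. The account name IUSR_WEB01, the sample output and the mapping of cacls R to READ (RX) are assumptions.

```python
import re

# One ACE as cacls prints it: ACCOUNT:[(OI)(CI)...]RIGHT, where RIGHT is
# N (none), R (read), W (write), C (change) or F (full control).
ACE = re.compile(r"^(?P<account>.+):(?:\([A-Z]{2}\))*(?P<right>[NRWCF])$")
GRANTS_READ = {"R", "C", "F"}   # assumption: cacls shows READ (RX) as R

def parse_aces(path, output):
    """Return {account name without domain, lower-cased: right}."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):   # first line repeats the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:
            aces[m["account"].split("\\")[-1].lower()] = m["right"]
    return aces

def audit(path, output, anon_account):
    """List deviations from the minimum permissions for one directory."""
    aces, anon, findings = parse_aces(path, output), anon_account.lower(), []
    for name in ("system", "administrators"):
        if aces.get(name) != "F":
            findings.append(f"{name}: Full Control missing")
    right = aces.get(anon)
    if right not in GRANTS_READ:
        findings.append(f"{anon}: READ (RX) missing")
    if right in {"W", "C", "F"}:
        findings.append(f"{anon}: {right} exceeds READ (RX)")
    return findings

# Constructed sample output of `cacls C:\InetPub\Wwwroot` (not from the article).
SAMPLE_PATH = r"C:\InetPub\Wwwroot"
SAMPLE = r"""C:\InetPub\Wwwroot BUILTIN\Administrators:(OI)(CI)F
                   NT AUTHORITY\SYSTEM:(OI)(CI)F
                   WEB01\IUSR_WEB01:(OI)(CI)C
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PATH, SAMPLE, "IUSR_WEB01"):
        print(finding)
```

Run it once per directory in the table, passing the same path that was given to cacls so that paths containing spaces are stripped correctly.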

IIS requires both appropriate NTFS permissions and the appropriate user rights to access the Web server. The following table lists the authentication type and the corresponding user right that is required to use the specified authentication type:

 Authentication type                               Required user right
 ---                                               ---
 Anonymous - Password synchronization disabled     Log on locally
 Anonymous - Password synchronization enabled      Access this computer from the network
 Basic - Clear Text                                Log on locally
 NT Challenge Response                             Access this computer from the network
 Digest - IIS 5.0 only                             Access this computer from the network
 Integrated - IIS 5.0 only                         Access this computer from the network

For more information about how to determine the authentication types that can be used by different browsers depending on the environment, click the following article number to view the article in the Microsoft Knowledge Base:

229694 How to install and use the IIS security "What If" tool

For additional information, see the "Security" topic in the Windows NT 4.0 Option Pack documentation. To view this topic, locate Microsoft Internet Information Server, locate Server Administration, and then locate Security.

For additional information, see the "Security" topic in the Internet Information Services 5.0 documentation. To view this topic, locate Administration, locate Server Administration, and then locate Security.

For more information about troubleshooting permission issues with IIS, click the following article numbers to view the articles in the Microsoft Knowledge Base:

271071 How to set basic NTFS permissions for IIS 5.0

185874 How to troubleshoot permissions in Internet Information Server 4.0

313075 How to configure Web server permissions for Web content in IIS

120929 How the System Account is used in Windows

148437 Default NTFS permissions in Windows NT

155253 Improper NTFS permissions may result in IIS failure

265161 You receive an error message when you try locate an ASP database result page that was created in FrontPage

216828 Password synchronization/allow IIS to control password may cause problems

For more information about how to connect to a Microsoft Access .mdb file from Active Server Pages (ASP), click the following article number to view the article in the Microsoft Knowledge Base:

251254 "Disk or network error" or "Unspecified error" returned when using Jet


© Microsoft Corporation. All rights reserved.