Microsoft KB Archive/271071

= How to set required NTFS permissions and user rights for an IIS 5.0 Web server =

Article ID: 271071

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q271071

SUMMARY
This step-by-step article describes the minimum permissions that are required for a dedicated Internet Information Services (IIS) 5.0 Web server.

Warning This article is only valid for dedicated Web servers that use basic IIS functionality, such as serving HTML static content or simple Active Server Pages (ASP) content. The permission requirements that are described in this article are specific ONLY to the basic permissions for a dedicated Web server that is running Microsoft Windows 2000 and IIS 5.0. This article does not consider other Microsoft and third-party products that may require different permissions. We recommend that you review articles that are specific for the roles of your Web server and perform tests before you make permission changes on a production Web server. For links to related articles for other Microsoft products, see the "References" section.

If you apply these permissions to an IIS server that serves other roles, such as Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, or third-party applications that depend on additional permissions, these products may not operate as expected.

Note This article only applies to IIS 5.0. It does not apply to any other versions of IIS.

For more information about the required permissions for IIS 4.0, click the following article number to view the article in the Microsoft Knowledge Base:

187506 Required NTFS permissions and user rights for IIS 4.0

For more information about the required permissions for IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:

812614 Default permissions and user rights for IIS 6.0

Testing for this document included the following functional tests:
 * Hypertext documents (HTML)
 * Active Server Pages (ASP)
 * FrontPage Server Extensions (FPSE) operations such as connecting, editing, and saving, if FPSE is left enabled when you run the IIS Lockdown Tool
 * Secure Sockets Layer (SSL) connections

This document does not address any one of the specific security requirements of the following server roles or applications:
 * Windows 2000 Domain Controller
 * Microsoft Exchange 5.5 or Microsoft Exchange 2000 Outlook Web Access
 * Microsoft Small Business Server 2000
 * Microsoft SharePoint Portal or Team Services
 * Microsoft Commerce Server 2000 or Microsoft Commerce Server 2002
 * Microsoft BizTalk Server 2000 or Microsoft BizTalk Server 2002
 * Microsoft Content Management Server 2000 or Microsoft Content Management Server 2002
 * Microsoft Application Center 2000

Review server and application documentation for specific security requirements. Links to related Knowledge Base articles are provided in the "References" section.

Before you apply the permissions in this article, we recommend that you run the most current version of the IIS Lockdown Tool. For additional information about this tool, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/locktool.mspx

The following programs and services were installed as part of the test suite that was used to test server security after granting the permissions outlined in this article:
 * Index Services
 * Terminal Services
 * Script Debugger
 * IIS
 * Common Files
 * Documentation
 * FrontPage Server Extensions 2000
 * Internet Services Manager (HTML)
 * WWW
 * FTP

Grant ownership and permission to the administrator and to the system
To assign ownership and permissions on the system drive:
 * 1) Open Windows Explorer. To do this, click Start, click Programs, and then click Windows Explorer.
 * 2) Expand My Computer.
 * 3) Right-click the system drive (this is typically drive C), and then click Properties.
 * 4) Click the Security tab, and then click Advanced to open the Access Control Settings for Local Disk dialog box.
 * 5) Click the Owner tab, click to select the Replace Owner on Subcontainers and Objects check box, and then click Apply.
 * 6) If you receive the following error message, click Continue:

An error has occurred applying security information to %systemdrive%\Pagefile.sys

 * 7) If you receive the following error message, click Yes:

You do not have permission to read the contents of directory %systemdrive%\System Volume Information - Do you want to replace the directory permission - All permission will be replaced granting you Full Control

 * 8) Click OK to close the dialog box.
 * 9) Click Add.
 * 10) Add the following users, and then grant them the Full Control NTFS permission:
    * Administrator
    * System
    * Creator Owner
 * 11) After you have added these NTFS permissions, click Advanced, click to select the Reset permissions on all child objects and enable propagation of inheritable permissions check box, and then click Apply.
 * 12) If you receive the following error message, click Continue:

An error has occurred applying security information to %systemdrive%\Pagefile.sys

 * 13) After the NTFS permissions have been reset, click OK.
 * 14) Click the Everyone group, click Remove, and then click OK.
 * 15) Open the properties for the %systemdrive%\Program Files\Common Files folder, and then click the Security tab. Add the account that is used for anonymous access (by default, this is the IUSR_<MachineName> account) and the Users group. Make sure that only the following are selected:
    * Read & Execute
    * List Folder Contents
    * Read
 * 16) Open the properties for the root directory that holds your Web content. By default, this is the %systemdrive%\Inetpub\Wwwroot folder. Click the Security tab, add the IUSR_<MachineName> account and the Users group, and then make sure that only the following are selected:
    * Read & Execute
    * List Folder Contents
    * Read
 * 17) If you want to grant the Write NTFS permission on Inetpub\Ftproot or on the directory path of your FTP site or sites, repeat the preceding step for that folder and also select Write.

Note We do not recommend that you grant the NTFS Write permission to the anonymous account in any directory, including the directories that the FTP service uses. Doing so lets anonymous users upload arbitrary files to your Web server.

Disable inheritance in system directories
 * 1) In the %systemroot%\System32 folder, select all folders except the following:
    * Inetsrv
    * Certsrv (if present)
    * COM
 * 2) Right-click the selected folders, click Properties, and then click the Security tab.
 * 3) Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then click OK.
 * 4) In the %systemroot% folder, select all folders except the following:
    * Assembly (if present)
    * Downloaded Program Files
    * Help
    * Microsoft.NET (if present)
    * Offline Web Pages
    * System32
    * Tasks
    * Temp
    * Web
 * 5) Right-click the selected folders, click Properties, and then click the Security tab.
 * 6) Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then click OK.
 * 7) Apply permissions to the following folders:
    * a) Open the properties for the %systemroot% folder, click the Security tab, add the IUSR_<MachineName> and IWAM_<MachineName> accounts and the Users group, and then make sure that only the following are selected: Read & Execute, List Folder Contents, Read.
    * b) Open the properties for the %systemroot%\Temp folder, select the IUSR_<MachineName> account (this account is already present because it inherits from the %systemroot% folder, Winnt on Windows 2000), and then click to select the Modify check box. Repeat this step for the IWAM_<MachineName> account and the Users group.
    * c) If FrontPage Server Extensions clients such as FrontPage or Microsoft Visual InterDev are being used, open the properties for the %systemdrive%\Inetpub\Wwwroot folder, select the Authenticated Users group, select the following, and then click OK: Modify, Read & Execute, List Folder Contents, Read, Write.
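The following script is an added example and is not part of this Knowledge Base article. It expresses the per-folder steps of the two procedures above (the Common Files and Wwwroot grants, the inheritance breaks under %systemroot% and System32, and the %systemroot% and Temp grants) with Get-Acl and Set-Acl, and then checks for the condition the Note warns about: an entry under Inetpub that lets the anonymous account or Everyone write. It assumes PowerShell 3.0 or later, an elevated session, and the IIS 5.0 default account names IUSR_<MachineName> and IWAM_<MachineName>; the take-ownership and reset of the whole system drive is left to the dialog.

```powershell
# Added example, not part of KB 271071. Assumes PowerShell 3.0+, an elevated
# session, and the IIS 5.0 default account names IUSR_<MachineName> and
# IWAM_<MachineName>. Run it on a test server before a production server.
$ErrorActionPreference = 'Stop'
$machine  = $env:COMPUTERNAME
$iusr     = "$machine\IUSR_$machine"
$iwam     = "$machine\IWAM_$machine"
$users    = 'BUILTIN\Users'
$sysdrive = $env:SystemDrive     # %systemdrive%, typically C:
$sysroot  = $env:SystemRoot      # %systemroot%, Winnt on Windows 2000

# "Read & Execute", "List Folder Contents" and "Read" checked together in the
# dialog is the single ReadAndExecute right on this folder, subfolders and files.
$readOnly   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$modify     = [System.Security.AccessControl.FileSystemRights]::Modify
$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function New-AllowRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, $inheritAll,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-FolderAccess {
    param(
        [string]$Path,
        [hashtable]$Grants = @{},      # identity -> rights to set; replaces that identity's Allow entries
        [switch]$BreakInheritance,     # clear "Allow inheritable permissions..." and choose Copy
        [string[]]$Remove = @()        # identities whose explicit entries are removed (e.g. Everyone)
    )
    $acl = Get-Acl -Path $Path
    if ($BreakInheritance) {
        # Protect the DACL and keep the inherited entries as explicit ones (the Copy button).
        # Persist first: inherited entries cannot be removed until they have become explicit.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path
    }
    foreach ($id in $Remove) { $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$id) }
    foreach ($id in $Grants.Keys) {
        # SetAccessRule drops the identity's other Allow entries, so only the listed rights remain.
        $acl.SetAccessRule((New-AllowRule -Identity $id -Rights $Grants[$id]))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Common Files and the content root: read-only for the anonymous account and Users.
foreach ($folder in "$sysdrive\Program Files\Common Files", "$sysdrive\Inetpub\wwwroot") {
    Set-FolderAccess -Path $folder -Grants @{ $iusr = $readOnly; $users = $readOnly }
}

# Disable inheritance on every System32 and %systemroot% subfolder except the listed ones.
$keepSystem32 = 'Inetsrv', 'Certsrv', 'COM'
$keepRoot     = 'Assembly', 'Downloaded Program Files', 'Help', 'Microsoft.NET',
                'Offline Web Pages', 'System32', 'Tasks', 'Temp', 'Web'
Get-ChildItem -Path "$sysroot\System32" -Directory | Where-Object { $keepSystem32 -notcontains $_.Name } |
    ForEach-Object { Set-FolderAccess -Path $_.FullName -BreakInheritance }
Get-ChildItem -Path $sysroot -Directory | Where-Object { $keepRoot -notcontains $_.Name } |
    ForEach-Object { Set-FolderAccess -Path $_.FullName -BreakInheritance }

# %systemroot%: read-only; %systemroot%\Temp: Modify (the inherited read entry stays).
Set-FolderAccess -Path $sysroot -Grants @{ $iusr = $readOnly; $iwam = $readOnly; $users = $readOnly }
Set-FolderAccess -Path "$sysroot\Temp" -Grants @{ $iusr = $modify; $iwam = $modify; $users = $modify }

# Audit for the condition the Note warns about: an Allow entry under Inetpub that lets
# the anonymous account or Everyone write, delete, or change permissions.
function Find-AnonymousWriteAccess {
    param([string]$Root = "$sysdrive\Inetpub")
    $suspects  = $iusr, 'Everyone'
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    foreach ($dir in @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Directory)) {
        foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $suspects -contains $ace.IdentityReference.Value -and
                (($ace.FileSystemRights -band $writeBits) -ne 0)) {
                [pscustomobject]@{ Path = $dir.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}
Find-AnonymousWriteAccess | Format-Table -AutoSize
```

Set-Acl writes the owner back along with the DACL, so it may fail on a folder owned by another principal unless the session holds the restore privilege; the audit function at the end can be run on its own and changes nothing. Windows 2000 itself has no PowerShell, so on the platform the article covers the same steps are performed in the dialogs or with xcacls.exe from the Resource Kit.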


NTFS permissions
The following table lists the permissions that will be applied when you follow the steps in the "Disable inheritance in system directories" section. This table is for reference only.

To apply the permissions in the following table:
 * 1) Open Windows Explorer. To do this, click Start, click Programs, click Accessories, and then click Windows Explorer.
 * 2) Expand My Computer.
 * 3) Right-click %systemroot%, and then click Properties.
 * 4) Click the Security tab, and then click Advanced.
 * 5) Double-click the permission entry that you want to change, and then select the appropriate setting from the Apply Onto list.

Note In the “Apply To” column, the term Default refers to “This folder, subfolders, and files.”


 * If you are using FrontPage Server Extensions, the Authenticated Users group or the Users group must have the Modify NTFS permission (called Change in Windows NT 4.0) so that a developer can create, rename, and write files from a FrontPage-type client such as Visual InterDev 6.0 or FrontPage 2002.

Grant permissions in the registry

 * 1) Click Start, click Run, type regedt32, and then click OK. Do not use Regedit.exe, because in Windows 2000 it cannot change registry permissions.
 * 2) In Regedt32, locate and select HKEY_LOCAL_MACHINE.
 * 3) Expand System, expand CurrentControlSet, and then expand Services.
 * 4) Select the IISADMIN key, click Security (or press ALT+S), and then click Permissions (or press P).
 * 5) Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then remove all entries except the following:
    * Administrators (Allow Read and Full Control)
    * System (Allow Read and Full Control)
 * 6) Click OK.
 * 7) Repeat steps 4 through 6 for the MSFTPSVC key.
 * 8) Select the W3SVC key, click Security, and then click Permissions.
 * 9) Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then remove all entries except the following:
    * Administrators (Allow Read and Full Control)
    * System (Allow Read and Full Control)
    * Network (Read)
    * Service (Read)
    * IWAM_<MachineName> (Read)
 * 10) Click OK.
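The following script is an added example and is not part of this Knowledge Base article. It performs the Regedt32 steps above with Get-Acl and Set-Acl on the Registry provider: it protects each key's DACL while copying the inherited entries, removes every entry that is not in the article's list, sets the listed ones, and prints the resulting entries for review. It assumes PowerShell 3.0 or later, an elevated session, and the default IWAM_<MachineName> account name; the well-known names NT AUTHORITY\NETWORK and NT AUTHORITY\SERVICE correspond to the Network and Service entries in the list.

```powershell
# Added example, not part of KB 271071. Assumes PowerShell 3.0+, an elevated
# session, and the IIS 5.0 default account name IWAM_<MachineName>.
$ErrorActionPreference = 'Stop'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$machine  = $env:COMPUTERNAME
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$read = [System.Security.AccessControl.RegistryRights]::ReadKey

# The two entry lists from the article. Full Control already includes Read.
$adminOnly = @{ 'BUILTIN\Administrators' = $full; 'NT AUTHORITY\SYSTEM' = $full }
$w3svcList = $adminOnly + @{
    'NT AUTHORITY\NETWORK'  = $read
    'NT AUTHORITY\SERVICE'  = $read
    "$machine\IWAM_$machine" = $read
}

function Set-KeyAccess {
    param([string]$Key, [hashtable]$Allowed)
    $path = Join-Path $services $Key
    if (-not (Test-Path -Path $path)) {
        # MSFTPSVC exists only when the FTP service is installed.
        Write-Warning "$Key is not present; skipping."
        return
    }
    # Clear "Allow inheritable permissions..." and choose Copy: protect the DACL and
    # keep the inherited entries as explicit ones. Persist before removing anything,
    # because inherited entries cannot be removed until they have become explicit.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Remove everything that is not in the list, then set the listed entries.
    $acl = Get-Acl -Path $path
    foreach ($ace in @($acl.Access)) {
        if (-not $Allowed.ContainsKey($ace.IdentityReference.Value)) {
            $acl.RemoveAccessRuleAll($ace)
        }
    }
    foreach ($id in $Allowed.Keys) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
            $id, $Allowed[$id],
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # applies to subkeys too
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.SetAccessRule($rule)   # replaces any other Allow entry for the same identity
    }
    Set-Acl -Path $path -AclObject $acl
}

function Get-KeyAccessReport {
    param([string]$Key)
    $path = Join-Path $services $Key
    if (-not (Test-Path -Path $path)) { return }
    (Get-Acl -Path $path).Access |
        Select-Object @{ n = 'Key'; e = { $Key } }, IdentityReference, RegistryRights, IsInherited
}

'IISADMIN', 'MSFTPSVC' | ForEach-Object { Set-KeyAccess -Key $_ -Allowed $adminOnly }
Set-KeyAccess -Key 'W3SVC' -Allowed $w3svcList

# Review: every remaining entry should be explicit (IsInherited False) and in the lists above.
'IISADMIN', 'MSFTPSVC', 'W3SVC' | ForEach-Object { Get-KeyAccessReport -Key $_ } | Format-Table -AutoSize
```

Run the report function alone first to record the current entries; the IIS Admin Service and the World Wide Web Publishing Service read these keys at startup, so a mistake in the lists shows up as a service that fails to start after the next restart.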

Registry
The following table lists the permissions that will be applied when you follow the steps in the "Grant permissions in the registry" section. This table is for reference only.

Note The acronym HKLM stands for HKEY_LOCAL_MACHINE.

Grant rights in the Local Security Policy
 * 1) Click Start, click Settings, and then click Control Panel.
 * 2) Double-click Administrative Tools, and then double-click Local Security Policy.
 * 3) In the Local Security Settings dialog box, expand Local Policies, and then click User Rights Assignment.
 * 4) Modify each policy that appears in the table:
    * a) Double-click the policy.
    * b) Select, and then click Remove for, any user who is not listed in the table for that policy.
    * c) Add any listed user who is not present. To do this, click Add, and then select the user in the Select Users or Groups dialog box.

Note Because a domain Group Policy overrides the local policy, make sure that the Effective Policy Setting column matches the Local Policy Setting column; if it does not, the right must be changed in the domain policy rather than locally.

Policies
The following table lists the permissions that will be applied when you follow the steps in the &quot;Grant rights in the Local Security Policy&quot; section.
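The following script is an added example and is not part of this Knowledge Base article. It exports the user-rights assignments with secedit.exe, resolves the SIDs in the export to account names, and compares the result with a required list so that the rights that hold extra or missing accounts can be seen at once. It assumes PowerShell 3.0 or later and an elevated session; the single entry in the required list is a placeholder that shows the shape of the input and is not a value taken from the article's table, which is not reproduced in this copy.

```powershell
# Added example, not part of KB 271071. Assumes PowerShell 3.0+ and an elevated
# session; secedit.exe ships with Windows.
$ErrorActionPreference = 'Stop'

function Resolve-Principal {
    param([string]$Token)
    # secedit writes SIDs with a leading '*'; names are written as-is.
    if (-not $Token.StartsWith('*')) { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Token.Substring(1)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Token   # orphaned SID: the account no longer exists
    }
}

function Get-LocalUserRights {
    # Export only the USER_RIGHTS area and parse the [Privilege Rights] section.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    if (Test-Path -Path $inf) { Remove-Item -Path $inf }
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $holders = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                         ForEach-Object { Resolve-Principal $_ })
            [pscustomobject]@{ Right = $right; Holders = $holders }
        }
    }
    Remove-Item -Path $inf
}

function Compare-UserRights {
    param([hashtable]$Required)   # right name -> account names that should hold it
    $current = @{}
    Get-LocalUserRights | ForEach-Object { $current[$_.Right] = $_.Holders }
    foreach ($right in $Required.Keys) {
        $have = if ($current.ContainsKey($right)) { @($current[$right]) } else { @() }
        $want = @($Required[$right])
        $extra   = @($have | Where-Object { $want -notcontains $_ })
        $missing = @($want | Where-Object { $have -notcontains $_ })
        [pscustomobject]@{
            Right   = $right
            Extra   = ($extra -join ', ')     # remove these (step 4b)
            Missing = ($missing -join ', ')   # add these (step 4c)
        }
    }
}

# Current assignments, for comparison with the table.
Get-LocalUserRights | Sort-Object Right | Format-Table -AutoSize -Wrap

# Placeholder input: fill this hashtable from the rows of the article's table.
# The entry below only shows the shape and is NOT a value from the article.
$required = @{ 'SeInteractiveLogonRight' = @('BUILTIN\Administrators') }
Compare-UserRights -Required $required | Format-Table -AutoSize
```

The export reflects the settings as last applied, including any domain Group Policy, so an account that appears under Extra but is not in the Local Security Policy dialog is coming from the domain policy and must be removed there.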

Required services
For more information about the services that you must have for IIS 4.0, click the following article number to view the article in the Microsoft Knowledge Base:

189271 List of services that are needed to run a security-enhanced IIS computer
