Microsoft KB Archive/323062

= ACLs cannot be read after you apply the IIS Lockdown Tool =

Article ID: 323062

Article Last Modified on 6/28/2006


APPLIES TO


 * Microsoft Internet Information Server 4.0, when used with:
 ** Microsoft Windows NT Server 4.0 Standard Edition




This article was previously published under Q323062



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

All the default security-related configuration settings in IIS 6.0 meet or exceed the security configuration settings that the IIS Lockdown Tool makes. Therefore, you do not have to run this tool on Web servers that are running IIS 6.0. However, if you are upgrading from an earlier version of IIS, you should run the IIS Lockdown Tool before the upgrade to enhance the security of your Web server.



SYMPTOMS
When you install the IIS Lockdown Tool on a server that is running Internet Information Server (IIS) 4.0, and you set file permissions to prevent the IIS anonymous user account from executing system utilities or from writing to Web content directories, users may not be able to view permissions and Access Control Lists (ACLs) on certain files from Microsoft Windows Explorer. If a user tries to view the ACLs on an affected file or directory from the Microsoft Windows NT 4.0 computer, the user may receive the following error message:

The security information for  is not standard and cannot be displayed. Windows NT 3.x and 4.x support certain features such as Deny Access Control Entries but cannot edit security information which uses these features. The information may have been modified by a computer running Windows NT 5.0, which supports these features and can edit information which uses them.

Do you want to overwrite the current security information?

The user can then click either Yes or No. If the user clicks Yes, the ACLs are reset. If the user clicks No, no ACLs are changed, and the user cannot view or modify the ACLs.



CAUSE
The IIS Lockdown Tool writes attributes that are only available in Microsoft Windows 2000 and later to the directory. These attributes are not available in Windows NT 4.0 and therefore cannot be viewed or modified.
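
The error message quoted above names Deny Access Control Entries as the feature the Windows NT 4.0 ACL editor cannot edit. As an added illustration (not part of the original article and not Microsoft code), the following Python walks a binary ACL and lists its Deny entries; the sample ACL, its SIDs, the access masks and all function names are constructed for this example.

```python
import struct

ACE_TYPES = {0: "ALLOW", 1: "DENY"}  # ACCESS_ALLOWED_ACE_TYPE / ACCESS_DENIED_ACE_TYPE

def sid_to_str(raw):
    """Render a binary SID as S-R-A-S1-S2..."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def parse_acl(acl):
    """Return [(type, flags, access_mask, sid)] for each ACE in a binary ACL."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    aces, off = [], 8
    for _ in range(ace_count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", acl, off)
        # Smallest valid ACE: 4-byte header + 4-byte mask + 8-byte SID
        if ace_size < 16 or off + ace_size > len(acl):
            raise ValueError("malformed ACE at offset %d" % off)
        (mask,) = struct.unpack_from("<I", acl, off + 4)
        sid = sid_to_str(acl[off + 8:off + ace_size])
        aces.append((ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type), flags, mask, sid))
        off += ace_size
    return aces

def deny_entries(acl):
    """The ACEs of the kind the error message names: Deny entries."""
    return [ace for ace in parse_acl(acl) if ace[0] == "DENY"]

# --- constructed sample data (not taken from a real server) ---
def _sid(authority, *subs):
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def _ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid

def _acl(*aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body

SAMPLE_ACL = _acl(
    _ace(1, 0x00000006, _sid(5, 21, 1, 2, 3, 1001)),  # deny write/append, made-up group
    _ace(0, 0x00120089, _sid(1, 0)),                  # allow read, Everyone (S-1-1-0)
)

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_ACL):
        print("%-5s flags=0x%02x mask=0x%08x %s" % ace)
```
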



RESOLUTION
To work around this issue, use one of the following methods:
 * Connect to the computer by using Windows 2000 or later, and then view or modify the ACLs from Windows Explorer.
 * Use the Cacls.exe command-line tool to view or modify attributes on files or directories.



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbbug kbprb KB323062


© Microsoft Corporation. All rights reserved.