Registrations are now open. Join us today!
There is still a lot of work to do on the wiki yet! More information about editing can be found here.
Already have an account?

Microsoft KB Archive/155253

From BetaArchive Wiki
Knowledge Base


Improper NTFS Permissions May Result in IIS Failure

Article ID: 155253

Article Last Modified on 6/23/2005



APPLIES TO

  • Microsoft Internet Information Server 1.0
  • Microsoft Internet Information Server 2.0
  • Microsoft Internet Information Server 3.0



This article was previously published under Q155253

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

Improper modification of Microsoft Windows NT file system (NTFS) permissions may create an environment where browser clients fail when attempting to access the Microsoft Internet Information Server (IIS) publication services.

MORE INFORMATION

Microsoft Windows NT version 4.0 installs on a new NTFS partition with change permission for the group Everyone. Improper NTFS access permissions involving other Windows NT accounts such as System, Network, Interactive, and IUSR_ComputerName may affect the operation of IIS. Most of these improperly defined permissions result in a browser client receiving an HTTP response of 401 Access Denied.

As an example, consider an IIS server that has been configured with only Allow Anonymous access in the in WWW Services tab of the Internet Service Manager. The web master has set the following permissions on his or her NTFS WWW publication directory wwwroot of:

   CREATOR OWNER                 Full Control
   ComputerName\Administrators   Full Control
   IUSR_ComputerName             Full Control
   Everyone                      No Access
   System                        Full Control
                


The web master calls Microsoft Product Support, describing an issue in which no one can access his or her IIS server from a WWW client browser. A sniffer trace shows that all of the client browsers receive a 401 Access Denied error message in the HTTP response.

The problem is the NTFS permissions. The Web master has allowed the IIS anonymous user account IUSR_ComputerName full access, but the web master has also explicitly denied the group Everyone. The IUSR_ComputerName account belongs to the group Everyone. An explicit deny always takes precedence over an allow, therefore no browser client can access the IIS server.

Before contacting Microsoft Product Support Services, customers are encouraged to check the NTFS permissions to verify that any modified access permission is not the cause of improper IIS functionality.

For more information on issues related to NTFS permission, please see the following articles in the Microsoft Knowledge Base:

109076 : Removing Permissions to an NTFS Partition May Prevent Startup

130016 : Removing Everyone On Root Dir. Leaves Limited Virtual Memory

137155 : Users Without System32 Permissions Cannot Log On

137400 : Changing Default Permissions Causes STOP 0xC000021A

138923 : Partitions Displaying as Unknown in Disk Administrator



Additional query words: prodiis

Keywords: kbhowto kbnetwork KB155253