Registrations are now open. Join us today!
There is still a lot of work to do on the wiki yet! More information about editing can be found here.
Already have an account?

Microsoft KB Archive/187506

From BetaArchive Wiki
Knowledge Base


Required NTFS permissions and user rights for IIS 4.0

Article ID: 187506

Article Last Modified on 11/11/2005



APPLIES TO

  • Microsoft Internet Information Server 4.0



This article was previously published under Q187506

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:


INTRODUCTION

This article lists the basic NTFS access permissions for an Internet Information Server (IIS) Web site or for a File Transfer Protocol (FTP) site to work. This article applies only to IIS 4.0.

For more information about IIS 5.0, click the following article number to view the article in the Microsoft Knowledge Base:

271071 How to set basic NTFS permissions for IIS 5.0


For more information about IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:

812614 Default permissions and user rights for IIS 6.0


Note When you install IIS, it creates NTFS access permissions for the default Web site and for the default FTP site for the anonymous user account (IUSR_Computer_Name) and, if applicable, for the application owner user account (IWAM_Computer_Name).

If you try to gain access to a Web page that you do not have access permissions to, you may receive the following error message:

HTTP Error 401 401.3 Unauthorized: Unauthorized due to ACL on resource.

MORE INFORMATION

To access and manage IIS, the local System account and the local Administrators group must have Full Control permissions to all drives on the computer. These permissions can be added at a command prompt. Type the following commands on each NTFS drive that IIS uses for system files and for content:

cd \ 
cacls * /T /E /C /P System:F Administrators:F
                

Note Modifying permissions may take several minutes per drive, depending on the amount of data on that drive. If the drive has no files, you receive the following error message:

The System cannot find the file specified.

To configure the minimum required NTFS permissions for users who access IIS, grant the following directory permissions to the anonymous Internet user account. By default, this is the IUSR_computer_name account. Also, grant the following directory permissions to any other accounts or groups that have to have access to the Web server:

   Directory                            Permissions
   ------------------------------------------------
   Content                                READ (RX)

   Winnt                                  READ (RX)

   Winnt\System32                         READ (RX)

   Winnt\System32\Inetsrv                 READ (RX)

   Program Files\Common Files             READ (RX)
   and all subdirectories
                



Content is defined as anything that the client can access by using the Web browser. This may include such things as Web pages, images, and files. By default, the content folder for the World Wide Web Publishing Service is \InetPub\Wwwroot, and the content folder for the FTP Service is \InetPub\Ftproot.

IIS requires both appropriate NTFS permissions and the appropriate user rights to access the Web server. The following table lists the authentication type and the corresponding user right that is required to use the specified authentication type:

    Authentication type            Required user right
    -------------------            -------------------
    Anonymous                      Log on locally - Password synchronization disabled
    Anonymous                      Access this computer from the network - Password synchronization enabled
    Basic - Clear Text             Log on locally
    NT Challenge Response          Access this computer from the network
    Digest - IIS 5.0 only          Access this computer from the network
    Integrated - IIS 5.0 only      Access this computer from the network
                

For more information about how to determine the authentication types that can be used by different browsers depending on the environment, click the following article number to view the article in the Microsoft Knowledge Base:

229694 How to install and use the IIS security "What If" tool


For additional information, see the "Security" topic in the Windows NT 4.0 Option Pack documentation. To view this topic, locate Microsoft Internet Information Server, locate Server Administration, and then locate Security.

For additional information, see the "Security" topic in the Internet Information Services 5.0 documentation. To view this topic, locate Administration, locate Server Administration, and then locate Security.

For more information about troubleshooting permission issues with IIS, click the following article numbers to view the articles in the Microsoft Knowledge Base:

271071 How to set basic NTFS permissions for IIS 5.0


185874 How to troubleshoot permissions in Internet Information Server 4.0


313075 How to configure Web server permissions for Web content in IIS


120929 How the System Account is used in Windows


148437 Default NTFS permissions in Windows NT


155253 Improper NTFS permissions may result in IIS failure


265161 You receive an error message when you try locate an ASP database result page that was created in FrontPage


216828 Password synchronization/allow IIS to control password may cause problems


For more information about how to connect to a Microsoft Access .mdb file from Active Server Pages (ASP), click the following article number to view the article in the Microsoft Knowledge Base:

251254 "Disk or network error" or "Unspecified error" returned when using Jet



Additional query words: acl access control list manager domains IUSR_<computername> IUSR_<machinename> IUSR_<machine_name> IWAM_<computername> IWAM_<machinename> IWAM_<machine_name> folder folders directories akz

Keywords: kbhowto kbinfo KB187506