Article ID: 187506
Article Last Modified on 11/11/2005
APPLIES TO
- Microsoft Internet Information Server 4.0
This article was previously published under Q187506
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
INTRODUCTION
This article lists the basic NTFS access permissions for an Internet Information Server (IIS) Web site or for a File Transfer Protocol (FTP) site to work. This article applies only to IIS 4.0.
For more information about IIS 5.0, click the following article number to view the article in the Microsoft Knowledge Base:
271071 How to set basic NTFS permissions for IIS 5.0
For more information about IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:
812614 Default permissions and user rights for IIS 6.0
Note When you install IIS, it creates NTFS access permissions for the default Web site and for the default FTP site for the anonymous user account (IUSR_Computer_Name) and, if applicable, for the application owner user account (IWAM_Computer_Name).
If you try to gain access to a Web page that you do not have access permissions to, you may receive the following error message:
MORE INFORMATION
To access and manage IIS, the local System account and the local Administrators group must have Full Control permissions to all drives on the computer. These permissions can be added at a command prompt. Type the following commands on each NTFS drive that IIS uses for system files and for content:
cd \ cacls * /T /E /C /P System:F Administrators:F
Note Modifying permissions may take several minutes per drive, depending on the amount of data on that drive. If the drive has no files, you receive the following error message:
To configure the minimum required NTFS permissions for users who access IIS, grant the following directory permissions to the anonymous Internet user account. By default, this is the IUSR_computer_name account. Also, grant the following directory permissions to any other accounts or groups that have to have access to the Web server:
Directory Permissions ------------------------------------------------ Content READ (RX) Winnt READ (RX) Winnt\System32 READ (RX) Winnt\System32\Inetsrv READ (RX) Program Files\Common Files READ (RX) and all subdirectories
Content is defined as anything that the client can access by using the Web browser. This may include such things as Web pages, images, and files. By default, the content folder for the World Wide Web Publishing Service is \InetPub\Wwwroot, and the content folder for the FTP Service is \InetPub\Ftproot.
IIS requires both appropriate NTFS permissions and the appropriate user rights to access the Web server. The following table lists the authentication type and the corresponding user right that is required to use the specified authentication type:
Authentication type Required user right ------------------- ------------------- Anonymous Log on locally - Password synchronization disabled Anonymous Access this computer from the network - Password synchronization enabled Basic - Clear Text Log on locally NT Challenge Response Access this computer from the network Digest - IIS 5.0 only Access this computer from the network Integrated - IIS 5.0 only Access this computer from the network
For more information about how to determine the authentication types that can be used by different browsers depending on the environment, click the following article number to view the article in the Microsoft Knowledge Base:
229694 How to install and use the IIS security "What If" tool
For additional information, see the "Security" topic in the Windows NT 4.0 Option Pack documentation. To view this topic, locate Microsoft Internet Information Server, locate Server Administration, and then locate Security.
For additional information, see the "Security" topic in the Internet Information Services 5.0 documentation. To view this topic, locate Administration, locate Server Administration, and then locate Security.
For more information about troubleshooting permission issues with IIS, click the following article numbers to view the articles in the Microsoft Knowledge Base:
271071 How to set basic NTFS permissions for IIS 5.0
185874 How to troubleshoot permissions in Internet Information Server 4.0
313075 How to configure Web server permissions for Web content in IIS
120929 How the System Account is used in Windows
148437 Default NTFS permissions in Windows NT
155253 Improper NTFS permissions may result in IIS failure
265161 You receive an error message when you try locate an ASP database result page that was created in FrontPage
216828 Password synchronization/allow IIS to control password may cause problems
For more information about how to connect to a Microsoft Access .mdb file from Active Server Pages (ASP), click the following article number to view the article in the Microsoft Knowledge Base:
251254 "Disk or network error" or "Unspecified error" returned when using Jet
Additional query words: acl access control list manager domains IUSR_<computername> IUSR_<machinename> IUSR_<machine_name> IWAM_<computername> IWAM_<machinename> IWAM_<machine_name> folder folders directories akz
Keywords: kbhowto kbinfo KB187506