February 15, 2001 12:00 AM

Web and FTP Permissions in IIS 5.0

Windows IT Pro
InstantDoc ID #19773
Setting the right permissions for your environment

Author's note: This article is about IIS 5.0 permissions. Although much of the theory will carry over into an IIS 4.0 environment, minor differences will remain.

New administrators trying to set up their first IIS-based Web server or FTP server from scratch find life pretty easy. During Windows 2000 OS installation, you simply tell the wizard that you want WWW and FTP services. After rebooting, you're the proud owner of a shiny new Web or FTP server. But those anonymous servers don't cover every requirement of WWW and FTP services. Some sites require more security, such as usernames and passwords.

You can offer WWW and FTP services anonymously, or the services can require users to provide credentials before they grant access. You can use Secure Sockets Layer (SSL) to make sure users aren't sending those credentials in cleartext. Using one type of authentication in IIS 5.0, you can even require users to have a certificate to access your Web site. (Unfortunately, FTP doesn't have the ability to require a certificate.) In IIS 5.0 and IIS 4.0, the default user account that IIS uses is usually called IUSR_computername. IIS uses this account for anonymous connections to both the Web service and the FTP service. (In Win2K, Microsoft recommends that you use separate accounts for the FTP and WWW services.)

Two distinct types of permissions exist for the WWW and FTP services: IIS and NTFS. People frequently confuse these permissions, although each has unique characteristics. You use NTFS permissions to restrict group and individual user access to files. You use IIS permissions to limit access to the Web server. I compare IIS and NTFS permissions and show you how these permissions work together.

Grant or Deny: Deciding Who Has Access
IIS goes through a complete security-check process before it returns content to the requesting client. As the server receives requests from the client, the server considers these questions in sequential order:

  • Is the IP address permitted? (IP restrictions)
  • Does the request pass the appropriate authentication? (User authentication)
  • Does the Web server allow this type of access? (IIS permissions)
  • Do the NTFS permissions allow access to this file? (NTFS permissions)

Only if the answer to all these questions is yes does the Web server grant access to the resource the Web client is requesting. The server evaluates the IP address against the Web server's list of IP addresses that have been granted or denied access to that resource. You grant or deny access on the IP Address and Domain Name Restrictions dialog box, which Figure 1 shows.

If you've granted access, then the Web server passes an authentication request to the OS. (For more information about IIS 5.0 authentication types, see Brett Hill, "IIS 101: The Basics of IIS Authentication," http://www.iisadministrator.com, InstantDoc ID 15843.) If the authentication request passes, the OS considers the IIS permissions followed by the NTFS permissions.

Setting the Appropriate IIS Permissions
Administrators often overassign IIS permissions to directories that contain scripts and executable files. In the properties for any directory or virtual directory, you must choose one of three levels of Execute permissions, which affect application security. The three choices that appear in the Execute Permissions drop-down list, which Figure 2 shows, are

  • None—This directory has no executable files; therefore, the server won't run scripts or executable files in this directory.
  • Scripts only—If you set this directory to execute only scripts, only scripts such as .asp files can run on the server. The server can execute only those script types you define in the Web server's Application Mappings list, which you access by clicking Configuration on the Home Directory tab of the Web site's Properties dialog box.
  • Scripts and Executables—Other types of executable files can run on the server. Application types aren't limited to the Application Mappings list as they are in the Scripts only permission.

When you've assigned the appropriate IIS permissions for your Web server, you can move on to NTFS permissions and focus on limiting your users to the fewest resources they actually need.

Limiting Web Server Permissions
Now that you've decided on authentication and IIS permissions, you can focus exclusively on NTFS permissions. If you're installing a new Web server for the first time, you can easily take away all the NTFS permissions to directories and selectively allow access. Going back after the fact and removing permissions from an existing production Web server is far more difficult. Be sure to test any potential changes in a test environment before applying the changes to a production Web server.

You have several choices of groups with which to assign NTFS permissions, and each group has unique characteristics. Let's briefly look at four choices—three built-in groups and one anonymous user account.

  • Everyone—The Everyone group represents everyone known to the Web server. This group includes anyone who presents credentials to the Web server or who could successfully log on to the Web server anonymously. Many new IIS servers use the Everyone group because it's the default group you use to assign permissions when you create the server.
  • IUSR_computername—If you're using Anonymous authentication, use the IUSR_computername account to assign permissions.
  • Interactive—If you're using Basic authentication, the Interactive built-in group represents all users who log on with Basic authentication. It also covers the IUSR_computername account, but only if you disable the Allow IIS to control password feature.
  • Network—If you're using Digest or Integrated Windows authentication, the Network built-in group represents any users who log on with those authentication methods. This group also covers the Anonymous account if you enable the Allow IIS to control password feature.
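The four questions above, the three Execute permission levels and the four groups in this list interact, so here is an added Python model (not code from the article or from IIS itself) that walks a request through the checks in that order and returns the first stage that says no. The Application Mappings subset, the IUSR_computername account name, the ACL and the networks are constructed; NTFS Deny entries and the FrontPage groups are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath
# Constructed subsets; the real IIS 5.0 Application Mappings list is longer.
APP_MAPPINGS = {".asp", ".asa", ".idc", ".shtml"}  # may run under "Scripts only"
EXECUTABLES = {".exe", ".dll", ".com"}              # need "Scripts and Executables"

@dataclass
class VirtualDir:
    execute: str            # "None" | "Scripts only" | "Scripts and Executables"
    denied_networks: tuple  # IP Address and Domain Name Restrictions (default: granted)
    ntfs_acl: dict          # account or group -> set of NTFS rights (Allow entries only)
    allow_anonymous: bool = True
def web_principals(auth, iis_controls_password=True):
    """The account and built-in groups a request runs as, per the article."""
    if auth == "Anonymous":
        account = "IUSR_computername"   # constructed stand-in for IUSR_<server>
        session = "Network" if iis_controls_password else "Interactive"
    else:
        account = "authenticated user"  # stand-in for the named Windows account
        session = "Interactive" if auth == "Basic" else "Network"
    return {"Everyone", account, session}

def check_request(vdir, client_ip, auth, filename, right="read",
                  iis_controls_password=True):
    """Ask the four questions in IIS 5.0 order; ("granted", None) or ("denied", stage)."""
    # 1. Is the IP address permitted?
    if any(ip_address(client_ip) in ip_network(n) for n in vdir.denied_networks):
        return ("denied", "IP restrictions")
    # 2. Does the request pass the appropriate authentication?
    if auth == "Anonymous" and not vdir.allow_anonymous:
        return ("denied", "User authentication")
    # 3. Does the Web server allow this type of access? (Execute permission)
    ext = PureWindowsPath(filename).suffix.lower()
    if ext in EXECUTABLES and vdir.execute != "Scripts and Executables":
        return ("denied", "IIS permissions")
    if ext in APP_MAPPINGS and vdir.execute == "None":
        return ("denied", "IIS permissions")
    # 4. Do the NTFS permissions allow access? (union of the principals' rights)
    principals = web_principals(auth, iis_controls_password)
    rights = set().union(*(vdir.ntfs_acl.get(p, set()) for p in principals))
    if right not in rights:
        return ("denied", "NTFS permissions")
    return ("granted", None)

# Constructed sample: one directory with over-assigned Execute rights, one with "Scripts only".
ACL = {"IUSR_computername": {"read"}, "Interactive": {"read", "write"}}
LOOSE = VirtualDir("Scripts and Executables", ("10.0.0.0/8",), ACL)
TIGHT = VirtualDir("Scripts only", ("10.0.0.0/8",), ACL)
```

With the loose setting an anonymous request for cmd.exe reaches the NTFS stage and is served; with "Scripts only" it stops at the IIS permissions stage, while the same request for default.asp still succeeds.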

If you use Microsoft FrontPage to manage your Web site, you can use an entirely different set of groups. Those groups are

  • FP Web Name\Admins
  • FP Web Name\Authors
  • FP Web Name\Browsers


Comments
  • Alan Coler
    Feb 28, 2002

    I can't get IIS 5.0 on Windows 2000 to allow a Perl script to write to a file even after setting the read, write, and script permissions for a particular folder. I got it to work using the same code on PWS 4 on a Windows 98 machine. I am logged on as administrator.

    It's able to open the file and read it fine, so I know the path is OK.

    What else can I check?

  • Tom Dadakis
    Mar 01, 2001

    Could you do an article on how MS Office Server Extensions changes or removes the default anonymous user/author/admin accounts which are set up by default in IIS, and what should be done to restore these accounts?

    I installed these Office Server Extensions on our intranet server running IIS and wiped out IIS's previously set-up default accounts. I had to reinstall the previous default accounts in IIS, which had been removed.

    If there is already an article about this, just let me know.
