This article describes the default permissions and the user rights on a newly installed application server that has Internet Information Services (IIS) 6.0 installed.
MORE INFORMATION
The following tables document the NTFS file system permissions, registry permissions, and Microsoft Windows user rights. This information applies if Microsoft ASP.NET is included as part of the installation suite. This article focuses on the World Wide Web Publishing Service and does not consider other components, such as the File Transfer Protocol (FTP) service, the Simple Mail Transfer Protocol (SMTP) service, and Microsoft FrontPage Server Extensions (FPSE).
Note For the purposes of this document, the IUSR_MachineName account is used interchangeably with a configured anonymous account.

NTFS permissions

| Directory | Users\Groups | Permissions |
|---|---|---|
| %windir%\help\iishelp\common | Administrators | Full control |
| %windir%\help\iishelp\common | System | Full control |
| %windir%\help\iishelp\common | IIS_WPG | Read, execute |
| %windir%\help\iishelp\common | Users (See Note 1.) | Read, execute |
| %windir%\IIS Temporary Compressed Files | Administrators | Full control |
| %windir%\IIS Temporary Compressed Files | System | Full control |
| %windir%\IIS Temporary Compressed Files | IIS_WPG | Full control |
| %windir%\IIS Temporary Compressed Files | Creator owner | Full control |
| %windir%\system32\inetsrv | Administrators | Full control |
| %windir%\system32\inetsrv | System | Full control |
| %windir%\system32\inetsrv | Users | Read, execute |
| %windir%\system32\inetsrv\*.vbs | Administrators | Full control |
| %windir%\system32\inetsrv\ASP compiled templates | Administrators | Full control |
| %windir%\system32\inetsrv\ASP compiled templates | IIS_WPG | Full control |
| %windir%\system32\inetsrv\History | Administrators | Full control |
| %windir%\system32\inetsrv\History | System | Full control |
| %windir%\system32\Logfiles | Administrators | Full control |
| %windir%\system32\inetsrv\metaback | Administrators | Full control |
| %windir%\system32\inetsrv\metaback | System | Full control |
| Inetpub\Adminscripts | Administrators | Full control |
| Inetpub\wwwroot (or content directories) | Administrators | Full control |
| Inetpub\wwwroot (or content directories) | System | Full control |
| Inetpub\wwwroot (or content directories) | IIS_WPG | Read, execute |
| Inetpub\wwwroot (or content directories) | IUSR_MachineName | Read, execute |
| Inetpub\wwwroot (or content directories) | ASPNET (See Note 2.) | Read, execute |

Note 1 You must have permissions to this directory when you use Basic authentication or Integrated authentication and when custom errors are configured. For example, when error 401.1 occurs, the logged-on user sees the expected detailed custom error only if permissions to read the 4011.htm file have been granted to that user.
Note 2 By default, the ASPNET account is used as the ASP.NET process identity in IIS 5.0 isolation mode. If ASP.NET is switched to IIS 5.0 isolation mode, the ASPNET account must have access to the content areas. ASP.NET process isolation is detailed in IIS Help. For additional information, visit the following Microsoft Web site:
ASP.NET process isolation
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/e409289d-2786-4a34-bb7e-9c546602c2c8.mspx

Registry permissions

| Location | Users\Groups | Permissions |
|---|---|---|
| HKLM\System\CurrentControlSet\Services\ASP | Administrators | Full control |
| HKLM\System\CurrentControlSet\Services\ASP | System | Full control |
| HKLM\System\CurrentControlSet\Services\ASP | IIS_WPG | Read |
| HKLM\System\CurrentControlSet\Services\HTTP | Administrators | Full control |
| HKLM\System\CurrentControlSet\Services\HTTP | System | Full control |
| HKLM\System\CurrentControlSet\Services\HTTP | IIS_WPG | Read |
| HKLM\System\CurrentControlSet\Services\IISAdmin | Administrators | Full control |
| HKLM\System\CurrentControlSet\Services\IISAdmin | System | Full control |
| HKLM\System\CurrentControlSet\Services\IISAdmin | IIS_WPG | Read |
| HKLM\System\CurrentControlSet\Services\w3svc | Administrators | Full control |
| HKLM\System\CurrentControlSet\Services\w3svc | System | Full control |
| HKLM\System\CurrentControlSet\Services\w3svc | IIS_WPG | Read |
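
The NTFS and registry defaults listed above can be compared with the ACLs on a running server. The following PowerShell script is an added example, not part of the original article and not Microsoft's code; it encodes a subset of the table rows and assumes that content lives under %SystemDrive%\Inetpub and that the anonymous account is named IUSR_<computer name>.

```powershell
# Added example: report ACEs that differ from rows in the NTFS and registry tables.
$anon = "IUSR_$env:COMPUTERNAME"      # assumption: default anonymous account name
$root = "${env:SystemDrive}\Inetpub"  # assumption: content on the system drive
$svc  = 'HKLM:\System\CurrentControlSet\Services'
$full = 'FullControl'
$rx   = 'ReadAndExecute'              # "Read, execute" in the NTFS table
$read = 'ReadKey'                     # "Read" in the registry table

# Each row: a path and the most each listed account should hold on it.
$baseline = @(
    @{ Path  = "$root\wwwroot"
       Allow = @{ Administrators = $full; SYSTEM = $full; IIS_WPG = $rx; ASPNET = $rx; ($anon) = $rx } },
    @{ Path  = "$env:windir\system32\inetsrv"
       Allow = @{ Administrators = $full; SYSTEM = $full; Users = $rx } },
    @{ Path  = "$svc\w3svc";    Allow = @{ Administrators = $full; SYSTEM = $full; IIS_WPG = $read } },
    @{ Path  = "$svc\IISAdmin"; Allow = @{ Administrators = $full; SYSTEM = $full; IIS_WPG = $read } }
)

$findings = foreach ($row in $baseline) {
    if (-not (Test-Path $row.Path)) { "MISSING  $($row.Path)"; continue }
    foreach ($ace in (Get-Acl $row.Path).Access) {
        # Deny ACEs grant nothing; inherit-only ACEs apply to children, not this object.
        if ($ace.AccessControlType -ne 'Allow' -or
            "$($ace.PropagationFlags)" -match 'InheritOnly') { continue }

        # File rules expose FileSystemRights, registry rules expose RegistryRights.
        $rights = if ($ace.FileSystemRights) { $ace.FileSystemRights } else { $ace.RegistryRights }
        $name   = $ace.IdentityReference.Value.Split('\')[-1]   # drop BUILTIN\, NT AUTHORITY\, machine prefix
        $want   = $row.Allow[$name]

        if (-not $want) {
            "EXTRA    $($row.Path): $($ace.IdentityReference) has $rights"
            continue
        }
        # Bits held beyond the listed permission (Synchronize, 0x100000, is ignored).
        $max  = [int][Enum]::Parse($rights.GetType(), $want)
        $over = [int]$rights -band (-bnot ($max -bor 0x100000))
        if ($over) { "BROADER  $($row.Path): $name has $rights, table lists $want" }
    }
}
$findings
```

Each output line marks a path that is missing, an account the encoded rows do not list, or an account holding more than the listed permission.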

Windows user rights

| Policy | Users |
|---|---|
| Access this computer from the network | Administrators |
| Access this computer from the network | ASPNET |
| Access this computer from the network | IUSR_MachineName |
| Access this computer from the network | IWAM_MachineName |
| Access this computer from the network | Users |
| Adjust memory quotas for a process | Administrators |
| Adjust memory quotas for a process | IWAM_MachineName |
| Adjust memory quotas for a process | Local service |
| Adjust memory quotas for a process | Network service |
| Bypass traverse checking | IIS_WPG |
| Allow log on locally (see Note) | Administrators |
| Allow log on locally (see Note) | IUSR_MachineName |
| Deny log on locally | ASPNET |
| Impersonate a client after authentication | Administrators |
| Impersonate a client after authentication | ASPNET |
| Impersonate a client after authentication | IIS_WPG |
| Impersonate a client after authentication | Service |
| Log on as a batch job | ASPNET |
| Log on as a batch job | IIS_WPG |
| Log on as a batch job | IUSR_MachineName |
| Log on as a batch job | IWAM_MachineName |
| Log on as a batch job | Local service |
| Log on as a service | ASPNET |
| Log on as a service | Network service |
| Replace a process level token | IWAM_MachineName |
| Replace a process level token | Local service |
| Replace a process level token | Network service |

Note In a new default installation of Microsoft Windows Server 2003 with IIS 6.0, the Users group and the Everyone group have Bypass traverse checking permissions. The worker process identity inherits Bypass traverse checking permissions through one of these groups. If both groups are removed from Bypass traverse checking permissions, and the worker process identity does not inherit Bypass traverse checking permissions through any other assignment, the worker process does not start. If the Users group and the Everyone group must be removed from the Bypass traverse checking permissions, add the IIS_WPG group to permit IIS to function as expected.
Note In IIS 6.0, when Basic authentication is configured as one of the authentication options, the LogonMethod metabase property for Basic authentication is NETWORK_CLEARTEXT. The NETWORK_CLEARTEXT logon type does not require the Allow log on locally user right. This also applies to Anonymous authentication. For additional information, see the "Basic Authentication Default Logon Type" topic in IIS Help. You can also visit the following Microsoft Web site: