Default permissions and user rights for IIS 6.0
INTRODUCTIONThis article describes the default permissions and the user rights on a newly installed application server that has Internet Information Services (IIS) 6.0 installed. Back to the top
MORE INFORMATION
The following tables document the NTFS file system permissions, registry permissions, and Microsoft Windows user rights. This information applies if Microsoft ASP.NET is included as part of the installation suite. This article focuses on the World Wide Web Publishing Service and does not consider other components, such as the File Transfer Protocol (FTP) service, the Simple Mail Transfer Protocol (SMTP) service, and Microsoft FrontPage Server Extensions (FPSE).
Note For the purposes of this document, the IUSR_MachineName account is used interchangeably with a configured anonymous account. Back to the top
NTFS permissions
DirectoryUsers\GroupsPermissions%windir%\help\iishelp\commonAdministratorsFull control%windir%\help\iishelp\commonSystemFull control%windir%\help\iishelp\commonIIS_WPGRead, execute%windir%\help\iishelp\commonUsers (See Note 1.)Read, execute%windir%\IIS Temporary Compressed FilesAdministratorsFull control%windir%\IIS Temporary Compressed FilesSystemFull control%windir%\IIS Temporary Compressed FilesIIS_WPGFull control%windir%\IIS Temporary Compressed FilesCreator ownerFull control%windir%\system32\inetsrvAdministratorsFull control%windir%\system32\inetsrvSystemFull control%windir%\system32\inetsrvUsersRead, execute%windir%\system32\inetsrv\*.vbsAdministratorsFull control%windir%\system32\inetsrv\ASP compiled templatesAdministratorsFull control%windir%\system32\inetsrv\ASP compiled templatesIIS_WPGFull control%windir%\system32\inetsrv\HistoryAdministratorsFull control%windir%\system32\inetsrv\HistorySystemFull control%windir%\system32\LogfilesAdministratorsFull control%windir%\system32\inetsrv\metabackAdministratorsFull control%windir%\system32\inetsrv\metabackSystemFull controlInetpub\AdminscriptsAdministratorsFull controlInetpub\wwwroot (or content directories)AdministratorsFull controlInetpub\wwwroot (or content directories)SystemFull controlInetpub\wwwroot (or content directories)IIS_WPGRead, executeInetpub\wwwroot (or content directories)IUSR_MachineNameRead, executeInetpub\wwwroot (or content directories)ASPNET (See Note 2.) Read, executeNote 1 You must have permissions to this directory when you use Basic authentication or Integrated authentication and when custom errors are configured. For example, when error 401.1 occurs, the logged-on user sees the expected detailed custom error only if permissions to read the 4011.htm file have been granted to that user.
Note 2 By default, ASP.NET is used as the ASP.NET process identity in IIS 5.0 isolation mode. If ASP.NET is switched to IIS 5.0 isolation mode, ASP.NET must have access to the content areas. ASP.NET process isolation is detailed in IIS Help. For additional information, visit the following Microsoft Web site:
ASP.NET process isolation
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/e409289d-2786-4a34-bb7e-9c546602c2c8.mspx (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/e409289d-2786-4a34-bb7e-9c546602c2c8.mspx)Back to the top
Registry permissions
LocationUsers\GroupsPermissionsHKLM\System\CurrentControlSet\Services\ASPAdministratorsFull controlHKLM\System\CurrentControlSet\Services\ASPSystemFull controlHKLM\System\CurrentControlSet\Services\ASPIIS_WPGReadHKLM\System\CurrentControlSet\Services\HTTPAdministratorsFull controlHKLM\System\CurrentControlSet\Services\HTTPSystemFull controlHKLM\System\CurrentControlSet\Services\HTTPIIS_WPGReadHKLM\System\CurrentControlSet\Services\IISAdminAdministratorsFull controlHKLM\System\CurrentControlSet\Services\IISAdminSystemFull controlHKLM\System\CurrentControlSet\Services\IISAdminIIS_WPGReadHKLM\System\CurrentControlSet\Services\w3svcAdministratorsFull controlHKLM\System\CurrentControlSet\Services\w3svcSystemFull controlHKLM\System\CurrentControlSet\Services\w3svcIIS_WPGReadBack to the top
Windows user rights
PolicyUsersAccess this computer from the networkAdministratorsAccess this computer from the networkASPNETAccess this computer from the networkIUSR_MachineNameAccess this computer from the networkIWAM_MachineNameAccess this computer from the networkUsersAdjust memory quotas for a processAdministratorsAdjust memory quotas for a processIWAM_MachineNameAdjust memory quotas for a processLocal serviceAdjust memory quotas for a processNetwork serviceBypass traverse checkingIIS_WPG Allow log on locally (see Note)AdministratorsAllow log on locally (see Note)IUSR_MachineNameDeny logon locallyASPNETImpersonate a client after authenticationAdministratorsImpersonate a client after authenticationASPNETImpersonate a client after authenticationIIS_WPGImpersonate a client after authenticationServiceLog on as a batch jobASPNETLog on as a batch jobIIS_WPGLog on as a batch jobIUSR_MachineNameLog on as a batch jobIWAM_MachineNameLog on as a batch jobLocal serviceLogon as a serviceASPNETLogon as a serviceNetwork serviceReplace a process level tokenIWAM_MachineNameReplace a process level tokenLocal serviceReplace a process level tokenNetwork serviceNote In a new default installation of Microsoft Windows Server 2003 with IIS 6.0, the Users group and the Everyone group have Bypass traverse checking permissions. The worker process identity inherits Bypass traverse checking permissions through one of these groups. If both groups are removed from Bypass traverse checking permissions, and the worker process identity does not inherit Bypass traverse checking permissions through any other assignment, the worker process does not start. If the Users group and the Everyone group must be removed from the Bypass traverse checking permissions, add the IIS_WPG group to permit IIS to function as expected.
Note In IIS 6.0, when Basic authentication is configured as one of the authentication options, the LogonMethod metabase property for Basic authentication is NETWORK_CLEARTEXT. The NETWORK_CLEARTEXT logon type does not require the Allow log on locally user right. This also applies to Anonymous authentication. For additional information, see the "Basic Authentication Default Logon Type" topic in IIS Help. You can also visit the following Microsoft Web site:
Basic authentication
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx)
页:
[1]