Permissions in IIS for webpages
deuce4
Has anyone actually figured out the exact required permissions for serving up web pages in IIS?

It seems there are a lot of different answers out there.

Is there any correctness in the following:

SET READ AND EXECUTE SCRIPTS FOR:
ASPNET
IUSR_(servername)
IUSR_Destination
IWAM_(servername)
IWAM_Destination
IIS_
INTERACTIVE
NETWORK
USERS

Is there a simpler way to set permissions on a folder that has ASP pages in it?

Any leads to a comprehensive discussion on this topic would be appreciated.

cheers
Kyle
ASP pages only require that the anonymous user on the site in IIS have read access to the files. .NET otoh is going to require NETWORK SERVICE permissions be present. The others don't come into play unless you have FrontPage Extensions installed on the site.
deuce4
Hi Kyle-

Thanks for the reply. I have a login.aspx system on my webpage, so I did not think I wanted to allow Anonymous access. I've been able to get it to work by setting the permissions mentioned above, but it seems like it is too much.

Wouldn't Anonymous negate the whole sign-in system?

cheers



Kyle
When I refer to the anonymous user, I'm talking about the user defined under Directory Security. These are the credentials anybody accessing the site assumes when accessing files and the way IIS manages security. Let's just say you're using the default IUSR_SERVER account for example. If the ACLs on the files in that site's wwwroot don't permit read access for IUSR_SERVER, the user will get a 401.3 response code. If "Integrated Windows Authentication" is enabled, they will get an NTLM authentication challenge and the opportunity to auth as another user on the server that may (or may not) have access to those files. The same will happen if "Basic Authentication" is enabled, but the response would be sent back unencrypted.

Since you're using ASP.NET, still assuming we're using IUSR_SERVER, you would only require IUSR_SERVER, SYSTEM, and NETWORK SERVICE to be present on the files in order for visitors to be able to access them.

Looking at the permissions you listed, IUSR_DESTINATION is actually the default server name that was used (I don't know if it still is) when TP provisioned a server. If you've changed your server name since then and redefined the accounts in IIS (just edit the root "Web Sites" node), you are safe to delete it. The same goes for IWAM_DESTINATION, although you might want to be a bit more careful about the permissions on that one.

Follow the instructions at http://support.microsoft.com/kb/297989 to help you with that. Of course, you're also welcome to leave everything as is and just stick with the _DESTINATION accounts if you want. I just change it because little stuff like that bugs me. I have a bit of a complex with my servers.
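
The following PowerShell audit is an added example, not part of the thread: it compares a site folder's NTFS ACL with the minimal set described above for ASP.NET (the anonymous user, SYSTEM and NETWORK SERVICE) and reports anything extra. The path, the `IUSR_SERVER` account name and the inclusion of Administrators in the allow-list are assumptions to adjust per server.

```powershell
# Added example: audit explicit NTFS ACEs on a site folder.
# Path, account names and the allow-list are assumptions, not values from a real server.
param(
    [string]$Path = 'C:\Inetpub\wwwroot',      # assumed site root
    [string]$AnonymousUser = 'IUSR_SERVER',    # account set under Directory Security
    [string[]]$Expected = @('IUSR_SERVER', 'SYSTEM', 'NETWORK SERVICE', 'Administrators')
)

function Get-ShortName([string]$Identity) {
    # 'NT AUTHORITY\NETWORK SERVICE' -> 'NETWORK SERVICE'
    ($Identity -split '\\')[-1]
}

$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)
$readMask  = [int]$fsr::ReadData

$rules = (Get-Acl -Path $Path).Access
$anonCanRead = $false

$findings = foreach ($ace in $rules) {
    $name   = Get-ShortName $ace.IdentityReference.Value
    $rights = [int]$ace.FileSystemRights
    $allow  = $ace.AccessControlType -eq 'Allow'

    if ($name -eq $AnonymousUser -and $allow -and ($rights -band $readMask)) {
        $anonCanRead = $true
    }
    if ($Expected -notcontains $name) {
        # e.g. leftover IUSR_DESTINATION, INTERACTIVE, USERS entries
        [pscustomobject]@{ Identity = $name; Issue = 'not in expected set'; Rights = $ace.FileSystemRights }
    }
    elseif ($name -eq $AnonymousUser -and $allow -and ($rights -band $writeMask)) {
        [pscustomobject]@{ Identity = $name; Issue = 'anonymous user can modify content'; Rights = $ace.FileSystemRights }
    }
}

$findings | Format-Table -AutoSize

if (-not $anonCanRead) {
    # Only ACEs naming the account are checked; read access could still come
    # from a group the account belongs to.
    Write-Warning "No explicit read ACE for $AnonymousUser on $Path; anonymous requests may get 401.3."
}
```

Run it once per site root and review each reported identity before removing anything, since an entry such as IWAM_DESTINATION may still be in use.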
deuce4
Fantastic, Kyle
You've shed the light I needed on this aspect of security.

Thanks!
