IIS 6.0 Default Security...

From: Ben Millspaugh (ben_at_refron.com)
Date: 07/30/03


Date: Wed, 30 Jul 2003 12:53:24 -0700


I have used IIS for years and am in the process of moving
my websites to IIS 6.0 (new servers, not upgrades). I
would like to lock down the security, but I don't want to
lock it down so much that the system can no longer process
the files. I also see that Windows Server 2003 & IIS 6.0
add new users and groups such as ASPNET and the IIS_WPG
group, which I want to make sure I include in the security
setting for new websites. I have searched Microsoft's
website for a very simple default list of what users and
groups should be allowed and what permissions they should
have, but I found nothing. I found lots of documents on
how to set the permissions, but none on what to set them.
Please tell me what I should be setting the permissions to
when I create a new website. I can then add on additional
settings as needed. For reference, here is a list of the
default permissions that are assigned to the wwwroot
folder:

Administrators (Group - Administrator): Full

IIS_WPG (Group - IWAM_ServerName, Local Service, Network
Service & System): Read & Execute

Interactive: List Folder Contents

IUSR_ServerName: List Folder Contents

Network: List Folder Contents

Network Service: List Folder Contents

OWS_123456789_admin (Group - Administrators Group): List
Folder Contents

OWS_987654321_admin (Group - Administrator): List Folder
Contents

System: Full

Users (Group - ASPNET, Authenticated Users Group,
Interactive): Read & Execute

As you can see, there are a lot of permissions and some of
them are redundant. I need to create new root-level
folders for other websites and I want to make sure that I
copy over exactly what I need.

Thanks in advance, Ben


