How to configure Web server permissions for Web content in IIS Page 1 of 4

Article ID: 313075 - Last Review: November 21, 2006 - Revision: 1.4
How to configure Web server permissions for Web content in IIS
Retired KB Content Disclaimer

This article was previously published under Q313075

This step-by-step article describes how to grant Web server permissions for Web
content using Internet Information Services (IIS) 5.0.

You can grant Web server permissions for specific Web sites, folders, and files on
your server. Unlike the NTFS file system permissions that apply only to either a
specific user or a group of users that have a valid Windows account, Web server
permissions apply to all users that access your Web site regardless of their specific
access rights.

Web access permissions use the IUSR_computername account by default. When

you install IIS, the IUSER_computername account is created and used as the
default anonymous user account. When you enable anonymous access, IIS uses the
IUSER_computername account to log on all users who access your site.

The IUSR_computername account is granted NTFS permissions for the folders that
make up the Web sites on your server. However, you can change the permissions
for any folder or file in your site. For example, you can use Web server permissions
to control whether visitors to your Web site are allowed to view a particular Web
page, upload information, or run scripts.

When you configure both Web server permissions and Windows NTFS permissions,
you can control how users access your Web content on multiple levels, from the
entire Web site to individual files.

You can assign strong NTFS permissions for your resources. The NTFS file system is
more secure than the FAT or FAT32 file system. You can also assign the most
restrictive Web permissions possible. For example, if the Web site is used only for
viewing information, assign only Read permissions. If a directory or site contains
applications, assign Scripts only permissions instead of Scripts and Executables
permissions. Do not assign Write and Script source access permissions or Scripts
and Executables permissions. Use this combination with extreme caution. It could
allow a user to upload potentially harmful executable files to the server and run
them.

How to grant Web server permissions for Web content

1. Start Internet Services Manager. Alternatively, start the IIS snap-in.

2. Click to expand * server name, where server name is the name of the
server.
3. Right-click either the Web site, the virtual directory, the folder, or the file for
which you want to grant permissions, and then click Properties.
4. Click one of the following tabs that is appropriate to your situation:

Home Directory

http://support.microsoft.com/kb/313075 4/9/2010
How to configure Web server permissions for Web content in IIS Page 2 of 4

Virtual Directory

Directory

File

5. Either click to select or click to clear any of the following check boxes (if
present) that are appropriate for the level of Web permissions that you want
to grant:

Script Source Access: Grant this permission to allow users to
access source code. Script Source Access includes source code for
scripts, such as scripts in Active Sever Pages (ASP) programs. Note
that this permission is only available if you grant either the Read or
the Write permissions.

NOTE: When you click Script Source Access, users may be able to
view sensitive information, such as a user name and a password,
from scripts in an ASP program. They are also able to change source
code that runs on your server, which can seriously affect the security
and the performance of your server. It is recommended that you
handle access to this type of information and to these functions using
individual Windows accounts and higher-level authentication, such as
integrated Windows authentication.

Read: Grant this permission to allow users to either view or
download files or folders and their associated properties. Read
permissions are selected by default.

Write: Grant this permission to allow users either to upload files and
their associated properties to the enabled folder on your server or to
change the content or properties of a write-enabled file.

Directory browsing: Grant this permission to allow users to view a
hypertext listing of the files and the subfolders in the virtual
directory. Note that virtual directories are not displayed in folder
listings; users must know a virtual directory's alias.

NOTE: An "Access Forbidden" error message is displayed by your

Web server in a user's Web browser if the user attempts to access
either a file or folder on your server and both of the following
conditions are true:
 Directory browsing is disabled.

-and-
 The user does not specify a file name such as Filename.htm in
the Address box.

Log visits: Grant this permission to log visits to this folder in a log
file. A log entry is recorded only if logging is enabled for the Web site.

Index this resource: Grant this permission to allow Microsoft
Indexing Service to include this folder in a full-text index of the Web
site. When you grant this permission, users can perform queries on
this resource.
6. In the Execute Permissions box, chose a setting to determine how you
want scripts to be run on the site. The following settings are available:

None: Click this setting if you do not want users to run scripts or
executable programs on the server. When you use this setting, users
can gain access only to static files such as Hypertext Markup
Language (HTML) and image files.

http://support.microsoft.com/kb/313075 4/9/2010
How to configure Web server permissions for Web content in IIS Page 3 of 4

Scripts only: Click this setting to run scripts such as ASP programs
on the server.

Scripts and Executables: Click this setting to run both scripts such
as ASP programs and executable programs on the server.
7. Click OK, and then quit Internet Services Manager or quit the IIS snap-in.

NOTES:

 When you try to change security properties for a Web site or virtual
directory, IIS checks the existing settings on the child nodes (virtual
directories and files) that are contained within that Web site or virtual
directory. If the permissions that are set at the lower levels are different, IIS
displays an Inheritance Overrides dialog box. To specify which child nodes
should inherit the permissions that you set at the higher level, click the node
or nodes in the Child Nodes list, and then click OK. The child node inherits
the new permissions settings.
 If Web permissions and NTFS permissions differ for either a folder or a file,
the more restrictive of the two settings is used. For example, if you grant
Write permissions to a folder in IIS, and grant Read permissions to a
particular user group in NTFS, those users cannot write files to the folder
because Read permissions are more restrictive.
 If you disable Web server permissions (for example, Read permissions) on a
resource, all users are restricted from viewing that resource, regardless of
the NTFS permissions that are applied to those users' accounts. If you
enable Web server permissions (for example, Read permissions) on a
resource, all users can view that resource unless NTFS permissions that
restrict access to it are also applied.

For more information about how to grant Web server and NTFS permissions for Web
content, refer to the "Access Control" topic in the "Security" section of the IIS 5.0
Online Documentation. To view the documentation, start Microsoft Internet
Explorer, and then type the following address in the Address bar:
http://localhost/iisHelp/ (http://localhost/iisHelp/)

For more information about how to control access to Web content, click the
following article numbers to view the articles in the Microsoft Knowledge Base:
300985 (http://support.microsoft.com/kb/300985/ ) How to configure user and
group access on a Windows NT 4.0-based or Windows 2000-based intranet

187506 (http://support.microsoft.com/kb/187506/ ) List of NTFS permissions

required for IIS site to work

271071 (http://support.microsoft.com/kb/271071/ ) Minimum NTFS permissions

required for IIS 5.0 to work

For more information about IIS security, click the following article numbers to view
the articles in the Microsoft Knowledge Base:
282060 (http://support.microsoft.com/kb/282060/ ) Resources for securing
Internet Information Services

266115 (http://support.microsoft.com/kb/266115/ ) Resources for installing and

http://support.microsoft.com/kb/313075 4/9/2010
How to configure Web server permissions for Web content in IIS Page 4 of 4

using IIS 5.0

APPLIES TO

 Microsoft Internet Information Services 5.0

Keywords: kbhowtomaster KB313075

Retired KB Content Disclaimer

This article was written about products for which Microsoft no longer offers support.
Therefore, this article is offered "as is" and will no longer be updated.

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Microsoft Support ©2010 Microsoft

http://support.microsoft.com/kb/313075 4/9/2010