I had a request from a client to review the NTFS permissions on their IIS web servers. They are running public sites on IIS 8.5 with anonymous access.
They had not changed the default NTFS permissions, but ran into the problem that not every user on the server should have access to their web files.
Let's look at the default ACLs of wwwroot (icacls output):
BUILTIN\IIS_IUSRS:(RX)
BUILTIN\IIS_IUSRS:(OI)(CI)(IO)(GR,GE)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
The problem here is the BUILTIN\Users entry. It allows any user on the server to read the files in wwwroot.
Removing the BUILTIN\Users entry, however, results in a 401.3 HTTP status. Why is read access for the builtin IIS_IUSRS group not enough?
After all, the worker process for the application pool runs under IIS APPPOOL\DefaultAppPool, which is automatically a member of the IIS_IUSRS group.
If we give the builtin user IUSR read access, the site works again. This is because, in anonymous mode, IIS impersonates the IUSR account when it accesses files, so the permissions of the worker process identity are not what counts.
So the first option is to replace BUILTIN\Users with IUSR. In general I like to avoid using single user accounts in Access Control Lists, even if they are builtin ones.
There is a way to solve this without using IUSR: we just have to tell IIS not to use it.
At the machine or site level we can specify which account IIS uses for impersonation with anonymous authentication. By default this is IUSR, but if we change it to Application pool identity (an empty userName in the anonymousAuthentication section), the correct permissions are already in place, because the worker process identity is a member of IIS_IUSRS.
For the whole server:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "userName" -value ""
For a specific site:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'SiteName' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "userName" -value ""
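A site-level setting overrides the server-wide value, so after the change it is worth reading the effective configuration for every site rather than trusting the machine-level command. The script below is an added example, not code from the original post; it assumes the WebAdministration module that ships with IIS, and the function name Get-AnonymousAuthReport is my own.

```powershell
# Added example (not from the original post). Reports, for every site, which
# account anonymous authentication impersonates and what its app pool runs as.
# An empty userName means "Application pool identity"; "IUSR" is the builtin account.
Import-Module WebAdministration

function Get-AnonymousAuthReport {
    foreach ($site in Get-Website) {
        # -Location reads the effective (site-level) value, including any override
        $auth = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $site.Name `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication'
        $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
        $impersonates = if ([string]::IsNullOrEmpty($auth.userName)) {
            'Application pool identity'
        } else {
            [string]$auth.userName
        }
        [pscustomobject]@{
            Site         = $site.Name
            AnonEnabled  = [bool]$auth.enabled
            Impersonates = $impersonates
            AppPool      = $site.applicationPool
            PoolIdentity = [string]$pool.processModel.identityType
            # Sites still impersonating IUSR will break (401.3) if IUSR loses NTFS read access
            NeedsIusrAce = ([string]$auth.userName -eq 'IUSR')
        }
    }
}

Get-AnonymousAuthReport | Format-Table -AutoSize
```

Any row with NeedsIusrAce set to True still needs either the IUSR ACE or its own Set-WebConfigurationProperty call with -location before the Users entry is removed from its content folder.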
In other cases you may want to be more specific about your NTFS permissions and only allow the specific application pool to access the files of the sites it handles, i.e. grant the pool identity (such as IIS APPPOOL\DefaultAppPool) instead of the whole group. In that case remove IIS_IUSRS as well.
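The following script applies that stricter layout to one site's content folder. It is an added example, not code from the original post: it assumes the WebAdministration module, that the site's content lives under its physicalPath, and that anonymous authentication has already been switched to the application pool identity (otherwise removing the Users entry brings back the 401.3). The function names Get-AppPoolPrincipal and Set-SiteContentAcl are mine.

```powershell
# Added example (not from the original post). Restricts a site's content folder so
# that only the identity of its own application pool, plus the default SYSTEM,
# Administrators and TrustedInstaller entries, can read it.
Import-Module WebAdministration

# Translate the pool's identityType into the Windows principal the worker process runs as.
function Get-AppPoolPrincipal {
    param([Parameter(Mandatory)][string]$PoolName)
    $pool = Get-Item "IIS:\AppPools\$PoolName"
    switch ([string]$pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }
        'SpecificUser'            { [string]$pool.processModel.userName }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        default                   { throw "Unexpected identityType for pool '$PoolName'" }
    }
}

function Set-SiteContentAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SiteName,
        # Broad principals to strip; add 'BUILTIN\IIS_IUSRS' for the per-pool layout.
        [string[]]$RemovePrincipals = @('BUILTIN\Users')
    )
    $site = Get-Website -Name $SiteName
    if (-not $site) { throw "Site '$SiteName' not found" }
    $path      = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $principal = Get-AppPoolPrincipal -PoolName $site.applicationPool
    $acl       = Get-Acl -Path $path

    # The Users entry is inherited (the (I) flag in icacls output) and inherited ACEs
    # cannot be removed directly. Break inheritance but keep copies of the entries, so
    # SYSTEM, Administrators and TrustedInstaller survive; the copies only become
    # explicit once written, hence Set-Acl followed by a fresh Get-Acl.
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($path, 'Disable ACL inheritance (keep copies)')) {
            Set-Acl -Path $path -AclObject $acl
            $acl = Get-Acl -Path $path
        }
    }

    foreach ($who in $RemovePrincipals) {
        if ($who -eq $principal) { continue }   # never strip the pool's own account
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$who)
    }

    # Read + execute on the folder, its subfolders and files: (OI)(CI)RX in icacls terms.
    $grant = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $principal, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($grant)

    if ($PSCmdlet.ShouldProcess($path, "Grant read to $principal, remove $($RemovePrincipals -join ', ')")) {
        Set-Acl -Path $path -AclObject $acl
    }
    # Return the resulting entries so the change can be reviewed.
    (Get-Acl -Path $path).Access |
        Select-Object @{n = 'Identity'; e = { $_.IdentityReference.Value }}, FileSystemRights, IsInherited
}

# Preview first, then apply; the strict variant also drops IIS_IUSRS.
Set-SiteContentAcl -SiteName 'Default Web Site' -WhatIf
Set-SiteContentAcl -SiteName 'Default Web Site' -RemovePrincipals 'BUILTIN\Users', 'BUILTIN\IIS_IUSRS'
```

Run it with -WhatIf first: the returned table shows the entries that would remain, and the pool's own account is never removed even if it appears in the removal list. If a site is served from a folder shared with other sites, the per-pool grant has to be repeated for each pool that needs it.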