Set ACLs on Virtual Directories

To set appropriate ACLs on virtual directories

  1. Set the following Access Control Lists (ACLs) for the following file types. Every entry is an Allow entry. Do not implement the Everyone entry as an explicit Deny: Windows evaluates explicit Deny entries before Allow entries, and Administrators and System are themselves members of Everyone, so a Deny for Everyone would lock them out as well.

    File type                                             ACL

    Common Gateway Interface (CGI) (.exe .dll .cmd .pl)   Everyone (Execute only)
                                                          Administrators (Full Control)
                                                          System (Full Control)

    Script files (.asp)                                   Everyone (Execute only)
                                                          Administrators (Full Control)
                                                          System (Full Control)

    Include files (.inc .shtm .shtml)                     Everyone (Execute only)
                                                          Administrators (Full Control)
                                                          System (Full Control)

    Static files (.txt .gif .jpg .html)                   Everyone (Read)
                                                          Administrators (Full Control)
                                                          System (Full Control)

  2. Create a separate directory for each file type.

    Rather than setting ACLs on each file, create a new directory for each file type, set the ACL on the directory, and let the files in it inherit that ACL. For example, a directory structure might look like this:

    C:\Inetpub\WWWroot\Myserver\Static (.html)

    C:\Inetpub\WWWroot\Myserver\Include (.inc)

    C:\Inetpub\WWWroot\Myserver\Script (.asp)

    C:\Inetpub\WWWroot\Myserver\Executable (.dll)

    C:\Inetpub\WWWroot\Myserver\Images (.gif and .jpeg)

    Also be aware that the following two directories need special attention: both are created with Everyone (Full Control), which you should override with something tighter that still permits the level of functionality you need.

    C:\Inetpub\FTProot (FTP server)

    C:\Inetpub\Mailroot (SMTP server)

  3. If any directory must allow Everyone (Write), for example to accept uploads, place it on a different volume from the one holding the operating system and IIS, or use Windows 2000 disk quotas to limit the amount of data that can be written to it, so that anonymous users cannot fill the volume the server depends on.

  4. Set appropriate IIS log file ACLs. Make sure the ACLs on the IIS-generated log files (%SystemRoot%\System32\LogFiles) are as follows:

    • Administrators (Full Control)

    • System (Full Control)

    • Everyone (Read, Write, Create; no Delete)

    Because Everyone receives no Delete permission, a compromised web process or anonymous user can still append to the logs but cannot remove them, which helps prevent attackers from deleting log files to cover their tracks. Note that Write still allows existing log data to be overwritten or the file truncated, so this ACL limits, but does not eliminate, log tampering.
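    The following PowerShell script is an added example, not code from the original page. It carries out steps 1, 2 and 4 together: it creates the per-type directories under the page's sample root, applies the step 1 ACL to each directory as inheritable Allow entries, applies the step 4 ACL to the IIS log directory, and then checks that nothing under the log directory still lets Everyone delete. The paths and the Everyone principal are the page's; the function names, the hashtable layout and the verification step are this example's own assumptions.

```powershell
# Added example, not code from the original page: it creates the per-type
# directories of step 2 under the page's sample root, gives each the step 1
# ACL so that files placed in it inherit it, applies the step 4 ACL to the IIS
# log directory, and then checks that nothing under the log directory still
# lets Everyone delete. Run from an elevated PowerShell prompt on the web
# server. The paths and the "Everyone" principal come from the page; the
# function names and the hashtable layout are this example's own.

$Root    = 'C:\Inetpub\WWWroot\Myserver'
$LogRoot = Join-Path $env:SystemRoot 'System32\LogFiles'
$R       = [System.Security.AccessControl.FileSystemRights]

function New-AllowRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$AccessRights
    )
    # Allow entry that subfolders (ContainerInherit) and files (ObjectInherit)
    # inherit, so the ACL is set once per directory rather than per file.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $AccessRights, $inherit, $propagate, $allow
}

function Set-ProtectedAcl {
    param([string]$Path, [hashtable]$Grants)
    # Replace whatever $Path inherited from its parent with exactly the
    # identity -> rights entries in $Grants. Allow entries only: an explicit
    # Deny for Everyone would be checked before the Allow entries and would
    # also lock out Administrators and SYSTEM, which are members of Everyone.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; drop inherited entries
    foreach ($rule in $acl.Access) { $null = $acl.RemoveAccessRule($rule) }
    foreach ($identity in $Grants.Keys) {
        $acl.AddAccessRule((New-AllowRule -Identity $identity -AccessRights $Grants[$identity]))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Find-EveryoneDeleteGrant {
    param([string]$Path)
    # Check for step 4: list every file or folder under $Path whose DACL still
    # grants Everyone a Delete right (for example a file with its own protected
    # ACL that did not pick up the inherited entries). No output means it passed.
    $deleteBits = [int]($R::Delete -bor $R::DeleteSubdirectoriesAndFiles)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $item = $_
        $hit = (Get-Acl -LiteralPath $item.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            (([int]$_.FileSystemRights) -band $deleteBits) -ne 0
        }
        if ($hit) { $item.FullName }
    }
}

$baseline = @{
    'BUILTIN\Administrators' = $R::FullControl
    'NT AUTHORITY\SYSTEM'    = $R::FullControl
}

# Step 1 rights for the Everyone entry, keyed by the step 2 directory names.
# The table gives CGI, script and include directories Execute only; if a
# script engine on your server must read the source text at request time it
# also needs Read, so test each directory after applying.
$everyoneRights = @{
    'Static'     = $R::Read
    'Images'     = $R::Read
    'Include'    = $R::ExecuteFile
    'Script'     = $R::ExecuteFile
    'Executable' = $R::ExecuteFile
}

foreach ($name in $everyoneRights.Keys) {
    $dir = Join-Path $Root $name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-ProtectedAcl -Path $dir -Grants ($baseline + @{ 'Everyone' = $everyoneRights[$name] })
}

# Step 4: Everyone gets Read and Write (Write already includes CreateFiles,
# the C in RWC) but neither Delete nor DeleteSubdirectoriesAndFiles, so log
# files can be appended to but not removed. Windows propagates the inheritable
# entries to the files already in the directory.
Set-ProtectedAcl -Path $LogRoot -Grants ($baseline + @{ 'Everyone' = ($R::Read -bor $R::Write) })

# Verify: anything printed here still lets Everyone delete and needs a fix.
Find-EveryoneDeleteGrant -Path $LogRoot
```

    The script disables inheritance on each directory before adding entries, so that permissive entries from C:\Inetpub\WWWroot (or from the parent of the log directory) cannot flow down and silently widen the ACL you set; the final check reports any file that escaped the inherited entries because it carried a protected ACL of its own.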

Did you find this information useful? Please send your suggestions and comments about the documentation to acdocs@microsoft.com.