Web Site Permissions
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
When configuring access control for your servers, it is important to understand the distinction between Web site permissions and NTFS permissions. Unlike NTFS permissions, Web site permissions apply to all of the users that access your Web sites. NTFS permissions apply only to a specific user or group of users with a valid Windows account. NTFS permissions control access to physical directories on your server, whereas Web site permissions control access to virtual directories on your Web site. For example, you can use Web site permissions to control whether users visiting your Web site are allowed to view a particular page, upload information, or run scripts on the site.
|If Web site permissions conflict with NTFS permissions for a directory or file, the more restrictive settings are applied.|
IIS 6.0 supports the following Web site permissions:
Read. Users can view file content and properties. This permission is set by default.
Write. Users can change content and properties of directories or files
Important Allowing users to have Read and Write access to source code can compromise the security of your server.
Script source access. Users can access the source code for files, such as the scripts in an ASP application. This option is available only if Read or Write permissions are assigned. If the Read permission is assigned, users can view the source code. If the Write permission is assigned, users can view and modify the source code.
Note When you use this option, users might be able to view sensitive information, such as a user name and a password, from scripts in an ASP program. They might also be able to change source code that runs on your server. This can seriously affect the security and the performance of your server. You might want to control access to this type of information and to these functions by using individual Windows accounts and a higher-level authentication method, such as Integrated Windows authentication.
Directory browsing. Users can view file lists and collections.
Log visits. A log entry is created for each visit to the Web site.
Index this resource. Allows Indexing Service to index this resource.
Whereas Web site permissions control whether users can access sites, code, or pages, another set of permissions, which are known as Execute permissions, control whether scripts and other executables can be run.
The following Execute permissions are supported by IIS 6.0:
None. Prevents all scripts and executables from running.
Scripts only. Enables applications that are mapped to a script engine to run in this directory, even if the applications are not assigned permissions for executables.
Scripts and Executables. Enables any application to run in this directory, including applications that are mapped to script engines and Windows binaries (.dll and .exe files).
The Scripts only permission is more secure than the Scripts and Executables permission because the Scripts only permission allows you to limit the applications that can be run in the directory. For information about how to configure Web site permissions, see Securing Sites with Web Site Permissions.