Configure NTFS Permissions

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Use NTFS permissions to define the level of access to your directories and files that you want to grant to specific users and groups of users. Proper configuration of file and directory permissions is crucial for preventing unauthorized access to your resources.

Requirements

  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Iis.msc.

Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type **runas /user:**administrative_accountname mmc %systemroot%\system32\inetsrv\iis.msc.

Procedures

To secure a Web site by using NTFS permissions

  1. In IIS Manager, expand the local computer, right-click the Web site or file you want to configure, and click Permissions.

    • To add a group or user that does not appear in the Group or user names list box, click Add, and in the Enter the object names to select text box, type the name of the user or group. Click OK.

      -OR-

    • To change or remove permissions from an existing group or user, click the name of the group or user in the Group or user names list box.

  2. To allow or deny a permission such as Read & Execute, List Folder Contents, Read, or Write, in the Permissions for group or user name list box, select the Allow or Deny check box next to the appropriate permission, and then click OK.

    Important

    Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, including inherited Deny permissions.

With NTFS permissions, you also have the choice of assigning special permissions to groups or users. Special permissions are permissions on a more detailed level. For better management, you should assign broad-level permissions to users or groups, where it is applicable. For descriptions of permissions, see "Permissions for files and folders" in Help and Support Center for Windows ServerĀ 2003.

To secure a Web site using NTFS special permissions

  1. In IIS Manager, expand the local computer, right-click a Web site or file you want to configure, and click Permissions.

  2. Click Advanced, and then do one of the following on the Permissions tab:

    • To set special permissions for an additional group or user, click Add, and in the Enter the object name to select text box, type the name of the user or group. Click OK.

    • To view or change special permissions for an existing group or user, click the name of the group or user, and then click Edit.

    • To remove an existing group or user and its special permissions, click the name of the group or user and then click Remove. If the Remove button is unavailable, clear the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries exclusively defined here. check box, and then click Remove. Click OK and skip steps 3-6 below.

  3. To allow or deny a permission such as Read & Execute, List Folder Contents, Read, or Write, in the Permissions list box, select the Allow or Deny check box next to the appropriate permission.

  4. In the Apply onto list box, click the folders or subfolders you want these permissions to be applied to.

  5. To prevent the subfolders and files from inheriting these permissions, clear the Apply these permissions to objects and/or containers within this container only check box, and then click OK three times.

Important

It is recommended that you assign permissions to the highest-level folders as possible and then apply inheritance to propagate the settings to lower-level subfolders and files. For more information on inheritance, see "How inheritance affects file and folder permissions" in Help and Support Center for Windows Server 2003.