Setting NTFS Permissions

Applies To: Windows Server 2003, Windows Server 2003 with SP1

NTFS permissions allow you to set permissions that are observed by IIS and by other Windows Server 2003 components. Windows Server 2003 examines NTFS permissions to determine the types of access a user, or a process, has on a specific file or folder.

Use NTFS permissions in conjunction with Web site permissions, not in place of Web site permissions. NTFS permissions affect only the accounts that have been granted or denied access to the Web site and application content. Web site permissions affect all of the users who access the Web site or application.

Note

If Web site permissions conflict with NTFS permissions for a directory or file, the more restrictive settings are applied.

You need to set NTFS permissions to allow the following situations:

  • Administrators can manage the content of the Web sites and applications.

  • Users can, at a minimum, read the content of the Web sites and applications.

  • Application pool identities can, at a minimum, read the content of the Web sites and applications.

Web sites and applications can run under the identity of the following:

The user who is accessing the Web sites and applications

When you want to restrict access to resources, such as specific Web pages or database content that is stored in SQL Server, run your Web sites and applications under the identity of the user. For example, Basic authentication can allow Web sites and applications to pass through the identity of the user to other servers, such as a computer running SQL Server. By using this method, you can control the behavior of the Web site or application on a user-by-user basis.

The application pool identity that is used by the Web sites and applications

When you want to isolate Web sites or applications that are hosted on the same Web server from one another, run the Web sites or applications under the application pool identity. By using this method, you can prevent Web sites and applications from interfering with one another, independently of which users access them. For more information about isolating Web sites and applications, see Isolating Web Sites and Applications later in this section.

Regardless of the identity that is used to run the Web site or application, you need to assign the appropriate NTFS permissions to the Web site or application so that it can run under the corresponding identity. Typically, these NTFS permissions are assigned to a group to which a number of users belong. Use this group when setting the permissions on the resources.

The primary disadvantage of restricting access by user accounts and NTFS permissions is that each user must have an account and must use that account to run the Web sites and applications. For your Internet-based Web sites and applications, requiring users to have accounts might be impractical. However, for intranet Web sites and applications you can use the existing accounts of users.

Explicitly deny access to anonymous accounts on Web sites and applications when you want to prevent anonymous access. Anonymous access occurs when a user who has no authenticated credentials accesses system resources. Anonymous accounts include the built-in Guest account, the group Guests, and the IIS anonymous accounts.

In addition to explicitly denying access to anonymous accounts, eliminate write access permissions for all users except members of the Administrators group.
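The following Windows PowerShell script is an added example, not part of the original article, that applies the rules given above in one pass: Administrators manage the content, Users and the application pool identity can read it, the anonymous accounts are explicitly denied, and any write permission that is not held by Administrators is removed. It assumes the content folder D:\Inetpub\wwwroot\ExampleSite, that the application pool runs as the IIS 6.0 default identity NT AUTHORITY\NETWORK SERVICE, that the IIS anonymous account follows the IUSR_<computer name> naming convention, and that the server is not a domain controller (so the local Guest account exists). The helper names New-ContentAce and Test-WriteLeak are this example's own. The SYSTEM entry is an addition beyond the page's text; the operating system itself needs it, so it is kept out of the "write access" check.

```powershell
# Added example (not from the original article). Assumed values:
$ContentPath     = 'D:\Inetpub\wwwroot\ExampleSite'   # assumed content folder
$AppPoolIdentity = 'NT AUTHORITY\NETWORK SERVICE'      # assumed app pool identity (IIS 6.0 default)
$AnonymousUser   = "IUSR_$env:COMPUTERNAME"            # assumed IIS anonymous account name

# ACEs apply to this folder, its subfolders and its files.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

# Build one access control entry (hypothetical helper, named here for readability).
function New-ContentAce {
    param([string]$Identity, [string]$Rights, [string]$Type)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Type
}

$acl = Get-Acl -Path $ContentPath

# Stop inheriting entries from the parent folder so that only the entries
# set below apply ($true = protect, $false = do not copy the inherited entries).
$acl.SetAccessRuleProtection($true, $false)

# Drop every explicit entry that is already there. This is what removes write
# access previously granted to accounts other than Administrators.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Administrators manage the content; SYSTEM is added so the OS can service the folder.
$acl.AddAccessRule((New-ContentAce 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-ContentAce 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))
# Users and the application pool identity read the content
# (ReadAndExecute = read data, list folder, traverse, read attributes).
$acl.AddAccessRule((New-ContentAce 'BUILTIN\Users'  'ReadAndExecute' 'Allow'))
$acl.AddAccessRule((New-ContentAce $AppPoolIdentity 'ReadAndExecute' 'Allow'))
# Explicit Deny for the anonymous accounts. Deny entries are evaluated before
# Allow entries, so they win over any Allow these accounts receive through a group.
$anonymousAccounts = @('BUILTIN\Guests',
                       "$env:COMPUTERNAME\Guest",
                       "$env:COMPUTERNAME\$AnonymousUser")
foreach ($account in $anonymousAccounts) {
    $acl.AddAccessRule((New-ContentAce $account 'FullControl' 'Deny'))
}

Set-Acl -Path $ContentPath -AclObject $acl

# Verification (hypothetical helper): report every Allow entry that still carries
# write rights and does not belong to Administrators or SYSTEM. No output is the goal.
function Test-WriteLeak {
    param([string]$Path)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    } | Select-Object IdentityReference, FileSystemRights
}

Test-WriteLeak -Path $ContentPath
```

Set-Acl fails with an "identity not mapped" error if one of the account names does not exist on the server, for example when the anonymous account was renamed; correct the name rather than dropping the Deny entry. The -notin operator requires PowerShell 3.0 or later; on an older host replace it with `-not (@(...) -contains $_.IdentityReference.Value)`.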

Tip

If IIS denies access to content, you can enable object access auditing to identify the account that was used to access the content. The failed access is recorded as a failure audit event in the Security event log, and the event log entry names the account that made the attempt. After you identify that account, grant it the appropriate NTFS permissions.
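As an added example, not from the original article, the following script turns the tip above into two steps: it places a failure audit entry (SACL) on the content folder, and it then reads the resulting failure audits out of the Security event log and pulls the account name from each. It assumes the same content path as before, that "Audit object access" is enabled in the server's audit policy (the SACL alone records nothing without it), that the script runs as an administrator (reading and writing SACLs needs the security privilege), and that the event text carries the field names shown in the regular expressions ("Client User Name" and "Primary User Name" in the Windows Server 2003 object-open event, "Account Name" in later versions). Get-FailedContentAccess is this example's own helper name.

```powershell
# Added example (not from the original article). Assumed values:
$ContentPath = 'D:\Inetpub\wwwroot\ExampleSite'   # assumed content folder

# Step 1: audit failed access attempts by anyone, on the folder and everything below it.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$auditRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', 'FullControl', $Inherit, $Propagate,
                  [System.Security.AccessControl.AuditFlags]::Failure

$acl = Get-Acl -Path $ContentPath -Audit      # -Audit also loads the SACL
$acl.AddAuditRule($auditRule)
Set-Acl -Path $ContentPath -AclObject $acl

# Step 2: after reproducing the denied request, list the failure audits that
# mention the content path and extract the account named in each entry.
# Filtering on the FailureAudit entry type avoids depending on the event ID
# (560 on Windows Server 2003, a different number on later versions).
function Get-FailedContentAccess {
    param([string]$Path, [int]$Newest = 500)
    Get-EventLog -LogName Security -EntryType FailureAudit -Newest $Newest |
        Where-Object { $_.Message -like "*$Path*" } |
        Select-Object TimeGenerated, EventID, @{
            Name       = 'Account'
            Expression = {
                # Assumed field names; the impersonated (client) user is the one IIS used.
                if     ($_.Message -match 'Client User Name:\s+(\S+)')  { $Matches[1] }
                elseif ($_.Message -match 'Primary User Name:\s+(\S+)') { $Matches[1] }
                elseif ($_.Message -match 'Account Name:\s+(\S+)')      { $Matches[1] }
                else   { '(not parsed)' }
            }
        }
}

Get-FailedContentAccess -Path $ContentPath | Format-Table -AutoSize
```

Once the account is known, grant it Read & Execute on the folder (as in the permission script above) and remove the audit entry again if the extra Security log volume is not wanted: an audit rule on a busy site can generate an event for every denied request.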