Securing a Web Site Using NTFS Permissions

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

You can strengthen the security of a Web site by configuring NTFS permissions for directories, virtual directories, or the Web site itself.

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures

To secure a Web site by using NTFS permissions

  1. In IIS Manager, expand the local computer, right-click a Web site or file, and then click Permissions.

    Do one of the following:

    Task Procedure

    Add a group or user that does not appear in the Group or user names list box.
    1. Click Add.

    2. In the Enter the object name to select box, type the name of the user or group, and then click OK.

    Change or remove permissions from an existing group or user.

    In the Group or user names list box, click the name of the group or user.

  2. To allow or deny a specific permission, in the Permissions for User or Group list box, select the Allow or Deny check box.

Important

Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, including inherited Deny permissions.

  • For more information about access control, see "Access Control" in Help and Support Center for Windows Server 2003.