Windows Server Web Edition - IIS writing with NO PERMISSIONS SET!

I've just got a simple question about Windows Server 2003 Web Edition and IIS.

I haven't set any permissions on ANY files at all, and I notice that my ASP scripts run fine and write to required files WITHOUT ME SETTING PERMISSIONS. Is this something to be worried about or is this normal Web Edition behavior? I notice that all folders on this hard drive (the data hard drive, not the system hard drive) have inherited the Authenticated Users group in the security tab from the drive's permissions. I've not seen this before. Is this normal? I've used Server 2003 Standard a lot and not seen this, but I'm new to Web Edition.

Again, the IUSR account can apparently write WITHOUT ME SETTING PERMISSIONS. Please explain.

IUSR is a member of Authenticated Users - so he has write and modify permissions.
Try to limit the Authenticated Users (or delete it - it probably should not be listed) and try again.
There is one thing I couldn't clearly get from your question: is the problem only that you didn't set the permissions yourself or is the problem that IUSR can write on a folder in which he has no permissions?
Pugglewuggle (Author) commented:
The problem is that I didn't set the permissions myself AND that IUSR can write to a folder where no permissions are explicitly defined. The permissions on the folder are as follows:

Administrators (group) - Full Control
Authenticated Users (group) - everything except full control
SYSTEM - Full Control
Users (group) - Read & Execute, List Folder Contents, Read

IUSR_machinename is nowhere on the list but it can still write to the folder!

What's going on??? I'm so confused...
Pugglewuggle (Author) commented:
Hmmm... that's what I figured, but that still doesn't explain how the ROOT of the DRIVE, not just the folder, got Authenticated Users in the NTFS permissions.... The C: drive doesn't have it there, only my data drive.

Also, what path do you suggest taking to secure the wwwroot? Scripts not requiring Write permissions will still be able to function even if the Authenticated Users group is removed from the folder, right? I can then apply the Authenticated Users group to appropriate folders, is this right too?

Also, how do I change the default permissions for the Authenticated Users group -- I can't find it in the local security policy / computer management snap ins.
I believe that you should remove the "Authenticated Users" group from NTFS permissions altogether - it should not be there. It is a strange special group. That's why you can't find it in the computer management MMC. Use the "Users" group or groups defined by you or select individual users if you need to change permissions to some folders.

The IUSR needs read permissions on ASPs. You should also check in IIS management that the folders have read and execute script permissions only.
Pugglewuggle (Author) commented:
Thanks Blaz!
Question has a verified solution.
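
The thread traces the write access to a broad group entry inherited from the drive root rather than to an entry for IUSR_machinename. As an added example (not part of the original thread), this PowerShell script lists the Allow entries that give Authenticated Users, Users or Everyone write-type rights on a web root and its subfolders. The path `D:\Inetpub\wwwroot` and the helper name `Get-BroadWriteAce` are assumptions.

```powershell
# Added example, not from the thread. $Root is an assumed path; pass your own.
param([string]$Root = 'D:\Inetpub\wwwroot')

# Well-known SIDs of the broad groups; SIDs avoid localized-name mismatches.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Bits that allow creating, changing or deleting content, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
# inherit-only entries can carry instead of file-specific rights.
$fsr = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$fsr -bor 0x40000000 -bor 0x10000000

# Hypothetical helper: emit Allow ACEs on $Path that give a broad group
# write-type rights. -ExplicitOnly skips entries inherited from a parent.
function Get-BroadWriteAce {
    param([string]$Path, [switch]$ExplicitOnly)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, (-not $ExplicitOnly), $sidType)
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        $grantsWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid) -and $grantsWrite) {
            $ace | Select-Object @{n = 'Path';  e = { $Path }},
                                 @{n = 'Group'; e = { $broad[$sid] }},
                                 FileSystemRights, IsInherited,
                                 InheritanceFlags, PropagationFlags
        }
    }
}

# Web root: show every matching entry, inherited or not.
Get-BroadWriteAce -Path $Root

# Subfolders: inherited entries would repeat the parent's, so show only
# entries set directly on the folder.
Get-ChildItem -Path $Root -Recurse -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-BroadWriteAce -Path $_.FullName -ExplicitOnly }
```

An entry reported with `IsInherited` set to `True` is defined on a parent (in this thread, the root of the data drive) and has to be changed there, or inheritance has to be broken on the folder, before it disappears from the web root.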
