Windows Server Web Edition - IIS writing with NO PERMISSIONS SET!

Posted on 2007-10-09
Last Modified: 2010-04-20
I've just got a simple question about Windows Server 2003 Web Edition and IIS.

I haven't set any permissions on ANY files at all, and I notice that my ASP scripts run fine and write to required files WITHOUT ME SETTING PERMISSIONS. Is this something to be worried about or is this normal Web Edition behavior? I notice that all folders on this hard drive (the data hard drive, not the system hard drive) have inherited the Authenticated Users group in the security tab from the drive's permissions. I've not seen this before. Is this normal? I've used Server 2003 Standard a lot and not seen this, but I'm new to Web Edition.

Again, the IUSR account can apparently write WITHOUT ME SETTING PERMISSIONS. Please explain.

Question by: Pugglewuggle
    LVL 16

    Expert Comment

    There is one thing I couldn't clearly get from your question: is the problem only that you didn't set the permissions yourself, or is the problem that IUSR can write on a folder in which he has no permissions?
    LVL 12

    Author Comment

    The problem is that I didn't set the permissions myself AND that IUSR can write to a folder where no permissions are explicitly defined. The permissions on the folder are as follows:

    Administrators (group) - Full Control
    Authenticated Users (group) - everything except full control
    SYSTEM - Full Control
    Users (group) - Read & Execute, List Folder Contents, Read

    IUSR_machinename is nowhere on the list but it can still write to the folder!

    What's going on??? I'm so confused...
    LVL 16

    Accepted Solution

    IUSR is a member of Authenticated Users - so he has write and modify permissions.
    Try to limit the authenticated users (or delete it - it probably should not be listed) and try again.
    LVL 12

    Author Comment

    Hmmm... that's what I figured, but that still doesn't explain how the ROOT of the DRIVE, not just the folder, got Authenticated Users in the NTFS permissions.... The C: drive doesn't have it there, only my data drive.

    Also, what path do you suggest taking to secure the wwwroot? Scripts not requiring Write permissions will still be able to function even if the Authenticated Users group is removed from the folder, right? I can then apply the Authenticated Users group to appropriate folders, is this right too?

    Also, how do I change the default permissions for the Authenticated Users group -- I can't find it in the local security policy / computer management snap ins.
    LVL 16

    Assisted Solution

    I believe that you should remove the "Authenticated Users" group from NTFS permissions altogether - it should not be there. It is a strange special group. That's why you can't find it in the computer management MMC. Use the "Users" group or groups defined by you, or select individual users, if you need to change permissions on some folders.

    The IUSR needs read permissions on ASPs. You should also check in IIS management that the folders have read and execute script permissions only.
    LVL 12

    Author Comment

    Thanks Blaz!
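
The check discussed in this thread, as an added example that is not part of the original posts: a read-only PowerShell audit that lists every folder under a web content root where a broad group (Authenticated Users, Everyone, Users) holds a write-capable Allow entry, and whether that entry is inherited from a parent such as the drive root. The `$WebRoot` default is an assumed path; the script changes no permissions.

```powershell
# Added example: report ACEs that let broad groups write under a web root.
# $WebRoot is an assumed path; point it at the site's real content folder.
param([string]$WebRoot = 'D:\Inetpub\wwwroot')

# Well-known SIDs of broad groups. The anonymous IIS account is a member of
# Authenticated Users, so an ACE for that group applies to it as well.
$BroadSids = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow creating, changing or deleting content. "Modify" is not
# used as a mask because it also contains the read/execute bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]`
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw GENERIC_WRITE / GENERIC_ALL bits instead.
$GenericMask = 0x40000000 -bor 0x10000000

$folders = @(Get-Item -LiteralPath $WebRoot) +
           @(Get-ChildItem -LiteralPath $WebRoot -Recurse |
                 Where-Object { $_.PSIsContainer })

foreach ($folder in $folders) {
    $acl   = Get-Acl -LiteralPath $folder.FullName
    # Ask for SIDs so the match does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid))  { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($WriteMask -bor $GenericMask)) -eq 0) { continue }

        [pscustomobject]@{
            Folder    = $folder.FullName
            Group     = $BroadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: granted on a parent folder
        }
    }
}
```

Rows with `Inherited = True` on every folder point back to an entry on a parent, which is the situation described for the data drive in the question.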
