troubleshooting Question
Setting IIS8 security - removing the "Users" group from c:\ and system folders.
I have an win2012/IIS 8 webserver which I am trying to secure. I want to isolate each site/user to their own folder as best as possible.
However "c:\" and all system folders have by default read/execute access for the "Users" group.
I have read that recent editions of IIS are secure out of the box but allowing IIS users to read and execute system files doesn't seem secure to me.
Is it normal to leave the server like this?
Can anyone suggest what the best practice is from this point. Should the "Users" group be removed from "c:\" or perhaps a DENY rule added for IIS users.
These seem like drastic changes and I'm not sure if they would effect the running of IIS or SQL Server 2012. Only the administrator logs into the desktop so there are no other physical users.
I have moved the websites to "c:\sites\mysiteA\", "c:\sites\mysiteB\" and so on.
I have setup separate user accounts for each website and set minimum permissions for the folder (including removing the "Users" group.)
removed non essential users from other data folders like the MSSQL database folders.
However "c:\" and all system folders have by default read/execute access for the "Users" group.
I have read that recent editions of IIS are secure out of the box but allowing IIS users to read and execute system files doesn't seem secure to me.
Is it normal to leave the server like this?
Can anyone suggest what the best practice is from this point. Should the "Users" group be removed from "c:\" or perhaps a DENY rule added for IIS users.
These seem like drastic changes and I'm not sure if they would effect the running of IIS or SQL Server 2012. Only the administrator logs into the desktop so there are no other physical users.
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 2 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.