Link to home
Start Free TrialLog in
Avatar of meagord
meagord

asked on

Setting IIS8 security - removing the "Users" group from c:\ and system folders.

I have an win2012/IIS 8 webserver which I am trying to secure. I want to isolate each site/user to their own folder as best as possible.

I have moved the websites to "c:\sites\mysiteA\", "c:\sites\mysiteB\" and so on.

I have setup separate user accounts for each website and set minimum permissions for the folder (including removing the "Users" group.)

removed non essential users from other data folders like the MSSQL database folders.

However "c:\" and all system folders have by default read/execute access for the "Users" group.

I have read that recent editions of IIS are secure out of the box but allowing IIS users to read and execute system files doesn't seem secure to me.

Is it normal to leave the server like this?

Can anyone suggest what the best practice is from this point. Should the "Users" group be removed from "c:\" or perhaps a DENY rule added for IIS users.

These seem like drastic changes and I'm not sure if they would effect the running of IIS or SQL Server 2012. Only the administrator logs into the desktop so there are no other physical users.
ASKER CERTIFIED SOLUTION
Avatar of Brad Howe
Brad Howe
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of meagord
meagord

ASKER

Thanks for the reply.

1. Remove the local accounts from the local USERS Group.

Done

2. Remove Inheritence from the c:\sites\x directories.

Done

3. Remove USERS group permissions

From where?

4. Add "local user 1/2/3" permissions as Read & execute List folder contents Read

Again where?


I tried removing the separate web user accounts from the Users group but somehow they still seems to have the same rights as the "Users" group.  I'm wondering if IIS 8 automatically gives them these rights when it joins them to the iis_iusrs group automatically.