How to grant IIS server Permissions

We know that when using the IIS server, you can use it to grant Web Server permissions to specific websites, folders, and files on the server. Unlike NTFS file system permissions (only applicable to specific users or user groups with valid Windows accounts), Web server permissions apply to all users accessing the website, no matter what specific access permissions these users have.

By default, the IUSR_computername account is used for Web access permissions. When the IIS server is installed, the IUSER_computername account is created and used as the default anonymous user account. When anonymous access is enabled, the IIS server uses the IUSER_computername account to log on to all users accessing your website.

The IUSR_computername account is granted the NTFS permission on all folders that constitute the server website. However, you can change the permissions of any folder or file on the website. For example, you can use the Web server permissions to control whether website visitors can view a specific webpage, load information, or run scripts.

When you configure both Web server permissions and Windows NTFS permissions, you can control the way users access Web content at multiple levels (from the entire website to a single file.

How to grant Web Server permissions to Web Content

1. Start Internet Service Manager. Or start the IIS server management unit.

2. Click to expand "* server name", where server name is the name of the server.

3. Right-click the website, virtual directory, folder, or file that you want to grant access to, and then click Properties.

4. Click one of the following tabs based on your situation:

Main directory, virtual directory, directory, file

5. Click to select or clear any of the following check boxes (if any) for the Web permission level to be granted: script Resource Access: granting this permission will allow users to access source code. "Script Resource Access" contains the source code of the script, such as the script in the Active Server Pages (ASP) program. Note that this permission is only available when the "read" or "write" permission is granted.

Note: If you click script resource access, you can view sensitive information, such as the user name and password, from the ASP script. They will also be able to change the source code running on your server, which seriously affects server security and performance. We recommend that you use a Single Windows Account and higher level of authentication (such as integrated Windows Authentication) to process access to such information and these features.

Read: this permission allows users to view or download files or folders and their related properties. The read permission is selected by default.

Write: this permission allows users to upload files and their related attributes to the enabled folders on the server, or allow users to change the content or attributes of files with write permissions enabled.

"Directory browsing": this permission allows users to view hypertext lists of files and subfolders in a virtual directory. Note that the virtual directory is not displayed in the folder list. You must know the virtual directory alias.

Note: if both of the following conditions are met, when you attempt to access files or folders on the IIS server, the Web server displays an "Access Forbidden" error message in your Web browser: directory browsing is disabled.

You have not specified a file name in the address box, such as Filename.htm.

"Record access": grant this permission to record access to this folder in log files. Log entries are recorded only when logging is enabled for the website.

"Index resource": grant this permission to allow Microsoft Indexing Service to include this folder in the full-text index of the website. After this permission is granted, you can query this resource.

6. In the execution permission box, select a setting to determine how the script will run on this website. You can use the following settings :? None: click this setting if you do not want the user to run a script or executable program on the server. When this setting is used, users can only access static files, such as hypertext markup language (HTML) files and image files.

"Script only": click this setting to run scripts such as ASP programs on the server.

"Script and executable files": click this setting to run scripts and executable programs such as ASP programs on the server at the same time.

7. Click OK to exit Internet Service Manager or exit the IIS server management unit.

Note: When you try to change the security attributes of a website or virtual directory, the IIS server checks the existing settings on the subnodes (virtual directories and files) contained in the website or virtual directory. If you set different permissions at a lower level, the IIS server displays an inheritance overwrite dialog box. To specify which subnodes should inherit the permissions you set at a higher level, click one or more nodes in the subnode list and click OK. The subnode inherits the new permission settings.

If the Web permission of a folder or file is different from that of NTFS, strict restrictions are used in these two settings. For example, if you grant the write permission to a folder to a specific user group on the IIS server, and grant the group the read permission to the folder in NTFS, these users cannot write files to the folder because the "read" permission is more restrictive.

If you disable the Web server permission for a resource (such as the "read" permission), all users cannot view the resource, regardless of the NTFS permission settings of these user accounts. If you enable the Web server permission (for example, "read" permission) for a resource, all users can view the resource, unless the NTFS permission to access the resource is restricted.

This section describes how to grant Web Server permissions to specific websites, folders, and files on the IIS server.