Minimum NTFS permission for running IIS

Source: Internet
Author: User

This article describes the minimum NTFS permissions required to run IIS normally. If IIS does not run normally, or if you want to restrict permissions strictly, refer to the seven steps below.
1. Entire hard disk:
System: Full Control
Administrator: Full Control
(Allow inheritable permissions from the parent to propagate to this object)
2. Program Files\Common Files:
Everyone: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

3. Inetpub\wwwroot: (adjust as needed)
IUSR_MACHINE: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

4. Winnt\System32:
Select all folders other than Inetsrv, Certsrv (if any), and Com, clear the "Allow inheritable permissions from the parent to propagate to this object" check box, and when prompted choose Copy (so the previously inherited entries are kept as explicit permissions).

5. Winnt:
Select all folders other than the following: Assembly (if any), Downloaded Program Files, Help, IIS Temporary Compressed Files, Microsoft.NET (if any), Offline Web Pages, System32, Tasks, Temp, and Web.

6. Winnt:
Everyone: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from the parent to propagate to this object)

7. Winnt\Temp: (needed so that ASP pages can access a database and display the results)
Everyone: Modify
(Allow inheritable permissions from the parent to propagate to this object)


9. Program Files\ServU: grant permissions only to System and the administrator accounts.

10. WebEasyMail: grant Everyone full permissions on it; otherwise it does not work properly.

11. Do not grant the Write permission to Everyone on the Winnt\System32\Inetsrv directory.

12. cmd.exe net.exe


13. Set display_errors to Off in php.ini.


In this way, you have an IIS system with strict permissions and normal operation.

Supplement: deny the web anonymous group access to cmd.exe.
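An added PowerShell audit (not part of the original article) that checks the rules in steps 4, 6, 11 and 12 and in the supplement: it reports any ACE that lets a web identity write under Winnt or Winnt\System32\Inetsrv, or access cmd.exe and net.exe at all. It assumes a host with PowerShell whose system root is the Winnt-style layout the article describes, and the identity list (Everyone, IUSR_*, IWAM_*, ASPNET, InternetGuests) is taken from the article's "More information" section.

```powershell
# Added example, not from the original article. Audits NTFS ACLs against the
# article's rules; run as an administrator on the IIS host.

# Web-facing identities named by the article (wildcards cover MACHINE\IUSR_MACHINE etc.)
$WebIdentities = @('Everyone', 'IUSR_*', 'IWAM_*', 'ASPNET', 'InternetGuests')

# Rights that let an identity change content, delete it, or alter the ACL itself
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-WebIdentity([string]$Name) {
    foreach ($p in $WebIdentities) {
        if ($Name -like $p -or $Name -like "*\$p") { return $true }
    }
    return $false
}

function Get-AclFindings([string]$Path, [switch]$DenyAll) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-WebIdentity $ace.IdentityReference.Value)) { continue }
        $rights = $ace.FileSystemRights
        if ($DenyAll) {
            # Supplement / step 12: web identities must have no access at all
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $rights; Issue = 'web identity has access' }
        } elseif (($rights -band $WriteMask) -ne 0) {
            # Steps 4, 6, 11: web identities may read and execute only
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $rights; Issue = 'web identity can write' }
        }
    }
}

# Assumed paths: $env:SystemRoot is the article's Winnt directory
$checks = @(
    @{ Path = "$env:SystemRoot";                  DenyAll = $false }   # step 6
    @{ Path = "$env:SystemRoot\System32";         DenyAll = $false }   # step 4
    @{ Path = "$env:SystemRoot\System32\inetsrv"; DenyAll = $false }   # step 11
    @{ Path = "$env:SystemRoot\System32\cmd.exe"; DenyAll = $true  }   # supplement
    @{ Path = "$env:SystemRoot\System32\net.exe"; DenyAll = $true  }   # step 12
)

$findings = foreach ($c in $checks) {
    if (Test-Path $c.Path) { Get-AclFindings -Path $c.Path -DenyAll:$c.DenyAll }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No web-identity write access or cmd.exe/net.exe access found.' }
```

Winnt\Temp is deliberately not checked, because step 7 requires Everyone: Modify there.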


More information

Although each system administrator can set permissions based on their needs, it is best to use the Everyone group instead of the IUSR_MACHINE account. In fact, ASP and ASP.NET cannot run if only the IUSR_MACHINE account is granted permissions. If you use the Everyone group, ASP runs normally whether the Web site's protection level is High, Medium, or Low, for both anonymous and authenticated users.

In addition, if you only need anonymous access, the administrator can create an InternetGuests local group, add IUSR_MACHINE, IWAM_MACHINE, and ASPNET to it, and use the InternetGuests group in place of the Everyone group. Note, however, that the Everyone group includes the Users group (for authenticated Web users), the IUSR_MACHINE account (for anonymous HTM access), the IWAM_MACHINE account (for anonymous ASP functions), and ASPNET (for ASP.NET).

IIS 5.0 uses two separate accounts to execute Web pages. With anonymous authentication, IIS uses the IUSR_MACHINE account to access the Web page, while IWAM_MACHINE is used to start a separate process called Dllhost.exe. All Active Server Pages (ASP) and Component Object Model (COM) components, and other ISAPI extensions (ASP is itself an ISAPI extension), run in this process. The main purpose is stability: if a custom COM component called from an ASP page crashes (that is, causes an access violation that stops the process), Inetinfo.exe is not affected, so the Web service continues to run.

The three protection levels in IIS 5.0 are as follows:
Low (IIS Process): this setting is similar to the default in IIS 4.0. All Web pages, whether HTM or ASP, run in the Inetinfo.exe process.
Medium (Pooled): this is the default setting. As in IIS 4.0, it starts a separate process called Dllhost.exe, in which all ASP and COM components run. This process is started by the IWAM_MACHINE account, again as in IIS 4.0. The setting is called pooled because all Web sites running in IIS share this single Dllhost.exe process when executing ASP pages. Note that in Windows 2000, Dllhost.exe replaces Mtx.exe.
High (Isolated): this setting starts a dedicated Dllhost.exe process for each Web site or application. If there are five Web sites and each has its protection level set to High, there will be six Dllhost.exe processes in total: five for the sites and one additional process started by COM+ for the System Application.
