IIS 7.5 web site directory permissions

Solution 1:

I'm doing something similar, but still differently:

  1. Why do you need Modify rights granted to the wwwroot folder? Read & Execute is enough, and only grant Modify when required (e.g. temp, upload, cache folders -- where content will be created/changed, for example by a website app (PHP/ASP.NET etc)).

    I grant "Read & Execute" to D:\domains\somedomain.com (it is enough) and Modify to specific folders: D:\domains\somedomain.com\var. If I have an app/script that requires the Modify right on a web-accessible folder (for example, LiveZilla live chat software), then I grant it there, e.g. D:\domains\somedomain.com\wwwroot\livechat\banners.

  2. I do not use IUSR user -- I'm using "Application pool identity" instead:

    • "Application user (pass-through authentication)" on "Site | Basic Settings | Connect as"
    • and "Application pool identity" on "Site | Authentication | Anonymous Authentication"

  3. I do not have "CREATOR OWNER" at all (it was causing problems when running PHP scripts -- unable to execute them at all + something else (don't remember now), so I have removed it from the whole D:\domains). I pretty much have: SYSTEM, Admins, APP_POOL_SPECIFIC_ID, SPECIFIC_FTP_USER.

The above works fine for me on 6 servers with no issues so far (Am I lucky?).
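
The layout described in this answer, as an added PowerShell example that is not part of the original post: it grants the rights with icacls and then audits the tree for write access outside the allowed folders and for leftover CREATOR OWNER entries. The application pool name `somedomain.com` (and so the identity `IIS AppPool\somedomain.com`) is an assumption; the paths are the ones named in the answer.

```powershell
# Assumption: the application pool is named "somedomain.com" (hypothetical).
$SiteRoot = 'D:\domains\somedomain.com'
$PoolId   = 'IIS AppPool\somedomain.com'
$Writable = @("$SiteRoot\var", "$SiteRoot\wwwroot\livechat\banners")

# Read & Execute on the whole site, Modify only on the folders that need it.
icacls $SiteRoot /grant "${PoolId}:(OI)(CI)RX" | Out-Null
foreach ($dir in $Writable) { icacls $dir /grant "${PoolId}:(OI)(CI)M" | Out-Null }

# Rights that let an identity change content or permissions.
# Note: ACEs expressed only as generic rights (shown as raw numbers) are not matched here.
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# True when $Path is one of the allowed writable folders or lies below one.
function Test-UnderWritable([string]$Path) {
    foreach ($w in $Writable) {
        if ($Path -eq $w -or $Path.StartsWith("$w\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Audit every folder: flag CREATOR OWNER entries and pool write access outside $Writable.
$folders  = @(Get-Item $SiteRoot) + @(Get-ChildItem $SiteRoot -Directory -Recurse)
$findings = foreach ($f in $folders) {
    foreach ($ace in (Get-Acl $f.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -eq 'CREATOR OWNER') {
            [pscustomobject]@{ Path = $f.FullName; Identity = $who
                               Rights = $ace.FileSystemRights; Issue = 'CREATOR OWNER ACE present' }
        }
        elseif ($who -eq $PoolId -and ($ace.FileSystemRights -band $writeBits) -and
                -not (Test-UnderWritable $f.FullName)) {
            [pscustomobject]@{ Path = $f.FullName; Identity = $who
                               Rights = $ace.FileSystemRights; Issue = 'write access outside allowed folders' }
        }
    }
}
$findings | Format-Table -AutoSize
```

An empty result means the pool identity can write only under the listed folders and no CREATOR OWNER entry remains in the site tree.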