IIS log folder permissions not being inherited
IIS creates the W3SVCx folders after the first request to a newly created site, and it also sets the NTFS permissions on it regardless of the permissions of the parent folder and its inheritance settings. The permissions it sets are:
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
I don't know of any way to tell IIS not to do this. You need to remember that after you set up a new site, hit it once and then set the permissions on the log folder.
If you set up many sites, use a script instead. I use PowerShell:
New-WebSite -Name "peter.superuser.com" -port 80 -id 106 -PhysicalPath "C:\inetpub\peter.superuser.com" -HostHeader peter.superuser.com
(New-Object System.Net.WebClient).DownloadString("http://peter.superuser.com")
start-sleep -seconds 1
& icacls.exe "C:\inetpub\logs\LogFiles\W3SVC106" /Q /grant "BUILTIN\Users:`(OI`)`(CI`)`(RX`)"
I first create the site, then hit the home page, wait a second and then set the permissions on the log folder.
If you don't know the Id of the site in advance, use
$newId = (get-childitem IIS:\Sites | where{$_.Name -eq "peter.superuser.com"}).Id
& icacls.exe "C:\inetpub\logs\LogFiles\W3SVC$newId" /Q /grant "BUILTIN\Users:`(OI`)`(CI`)`(RX`)"
to get the Id after you created the site.
To use this you need to enable scripting for IIS, depending on your OS.
I use the following workaround on any new IIS 7/8 installation:
1. Set desired permissions on folder C:\inetpub\logs\LogFiles
2. Modify existing log folders to inherit permissions:
icacls C:\inetpub\logs\LogFiles\W3SVC* /inheritance:e
3. Pre-populate the first 99 log folders (W3SVC1 ... W3SVC99) so that they inherit permissions before IIS even tries to create one of them. IIS does not modify permissions when a log folder already exists.
REM cmd style (batch-file syntax; at an interactive prompt use %G instead of %%G)
for /l %%G in (1,1,99) do md C:\inetpub\logs\LogFiles\W3SVC%%G
# PowerShell style
1..99 | % { md C:\inetpub\logs\LogFiles\W3SVC$_ }
It's not pretty, but it gets the job done.
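Both answers above fix folders one at a time or in advance; an added audit script (not from either answer, and not part of IIS) that checks every existing W3SVCx folder for disabled inheritance, maps it back to its site, and optionally re-enables inheritance the same way `icacls /inheritance:e` does. It assumes the default log root C:\inetpub\logs\LogFiles, the WebAdministration module (IIS 7+), and is saved as a script file, e.g. Audit-IisLogAcl.ps1 (a hypothetical name).

```powershell
# Added example: audit W3SVC* log folders whose ACL does not inherit from the log root.
# Assumes the default log root and the WebAdministration module; run as a .ps1 file.
param(
    [string]$LogRoot = 'C:\inetpub\logs\LogFiles',
    [switch]$Fix   # re-enable inheritance on folders that have it disabled
)
Import-Module WebAdministration

# Map W3SVC<id> folder names back to site names so the report is readable.
$sites = @{}
foreach ($s in Get-Website) { $sites["W3SVC$($s.Id)"] = $s.Name }

$report = foreach ($dir in Get-ChildItem -Path $LogRoot -Directory -Filter 'W3SVC*') {
    $acl = Get-Acl -Path $dir.FullName
    # AreAccessRulesProtected is $true when inheritance from the parent is disabled,
    # which is the state IIS leaves a freshly created log folder in.
    $protected = $acl.AreAccessRulesProtected
    $explicit  = $acl.Access | Where-Object { -not $_.IsInherited } |
                 ForEach-Object { $_.IdentityReference.Value }

    if ($protected -and $Fix) {
        # First argument $false re-enables inheritance; existing explicit ACEs
        # (SYSTEM and Administrators) are kept, matching icacls /inheritance:e.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $dir.FullName -AclObject $acl
    }

    [pscustomobject]@{
        Folder              = $dir.Name
        Site                = if ($sites.ContainsKey($dir.Name)) { $sites[$dir.Name] } else { '(no such site)' }
        InheritanceDisabled = $protected
        ExplicitAces        = ($explicit -join ', ')
        Fixed               = [bool]($protected -and $Fix)
    }
}

$report | Format-Table -AutoSize
```

Run it without -Fix first to see which folders IIS has locked down; folders reported as "(no such site)" belong to sites that were deleted and can be reviewed separately.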