IIS 7+ Folder Permissions Today's WWW

I have to admit this is one of the many (few) things I can not remember off the top of my head. 

Most of all, each time I need to setup a web application I'm always looking for my permissions notes. 

Now, that search is easier. 

Permission Notes

My Permission notes

Permissions for IIS folders on Windows 2008 servers. 

Why do you get a Write Failure when it's all good?

Why never to use USER as your WRITE when you have only apps doing that job?

Let's make sure you give permissions only to specific folders and not to everything!

Remember, the internet has better permission people than you so don't offer more than you need. 

Command Line Stuff:

icacls A:\inetpub\site name /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
icacls A:\inetpub\site_name /grant "IIS APPPOOL\CustomAppPool":(OI)(CI)(RX) 

What your Security Tab Folders Security Security Permissions should look like. 

I have a couple of different systems that I manage so my list below might show Administrator twice. That's because one comes from my domain controllers or active directory and the other is the local. 

Administrator : DOMAIN and LOCAL MACHINE

SYSTEM
NETWORK SERVICE
Administrator (DOMAIN\Administrator)
YourName (LOCAL\YOU)
Administrator (DOMAIN\Administrator)
Administrators (LOCAL\Administrators)
Users (LOCAL\Users)
IIS_IUSRS (LOCAL\IIS_IUSRS)
IIS APPPOOL\DefaultAppPool
IIS APPPOOL\CustomAppPool_IF-NEEDED

Now, the Users group might not be assigned to your app_data folder or it might only have read script exe permissions and never write. Same goes for your IIS_IUSERS which is hidden if you were wondering why you couldn't see it the first time but it appeared when you typed it. 

If you are serious about your permissions you'll cut back on everything that's not needed. 

I noticed while installing a product tonight that the documentation stated to allow Write on the main folder for the User group. Nice if you're on a test machine but, I don't recommend that ever. 

 

IIS 7 Folder Permissions and that stuff I forget every time, well not every time. I do remember to always look here to make sure I have all the permission items listed.