Join Log in
Score:0
Shlomi avatar Server

Trying to understand IIS permissions

it flag
Shlomi

I'm trying to understand how IIS permissions works because I had a weird scenario today..

So one of the developers installed IIS 10 on the server and created a site under C:\WebSites\Site1

Now, that particular site is also writing some txt log files to C:\Site1-Logs.

The Application Pool of Site1 is running as "ApplicationPoolIdentity".

Theoretically, The user running the site (IIS AppPool\Site1) should have the permission to write/create txt files under C:\Site1-Logs directory with out manually setting a permission for that?

Because I couldn't find any where under Security tab anything related to IIS_USRS group or "IIS AppPool\Site1" user.

When I tried to move the logs writing to another partition (E:) I had to give a writing permission to "IIS AppPool\Site1" and I can actually see the permission under Security tab.

So maybe I'm missing something? By default the IIS is installed as a system service and he already granted with permissions to write to C: ?

There is a best practice for that in terms of security? is it ok to run web applications under C: ?

Thanks and sorry for the bad explanation :P

icacls C:\Site1-Logs
C:\Site1-Logs        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                         BUILTIN\Administrators:(I)(OI)(CI)(F)
                         BUILTIN\Users:(I)(OI)(CI)(RX)
                         BUILTIN\Users:(I)(CI)(AD)
                         BUILTIN\Users:(I)(CI)(WD)
                         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
55
0 + 0
iis
cn flag
Peter Hahndorf
Can you add the NTFS permissions for C:\site1-logs like `icacls C:\site1-logs` to your question
1
Reply
Shlomi avatar
it flag
Shlomi
Yes but what I don't understand is how my Application Pool have already access to write to folders under C:\ without giving specific permissions..
0
Reply
cn flag
Peter Hahndorf
And I am trying to explain to you why that is the case, but for that you should list the permissions here.
0
Reply
Shlomi avatar
it flag
Shlomi
lol sorry my bad :) Added the permissions to my post.
0
Reply
Score:1
avatar Server
cn flag
Peter Hahndorf

The group BUILTIN\Users has Write Access to your C:\Site1-Logs directory.

The user IIS AppPool\Site1 is automatically a member of the Users group because that is a special group under Windows.

This is why your web-site has write access.

You can't remove IIS AppPool\Site1 from users, but you could remove the permissions of the users groups from the directory.

0 + 0
Shlomi avatar
it flag
Shlomi
Thank you so much, It makes sense now how the user had write permission already. In terms of security, is it ok to keep BUILTIN\Users with write access to C: ? or should I remove that and give each individual user specific permissions ?
0
Reply
cn flag
Peter Hahndorf
That depends on your environment. If you want to make sure one site can never read files belonging to another site, you should remove `users` permissions and use the individual site accounts for NTFS permissions.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.