Grant web server permissions to web content
Author: Eve Cole
Update Time: 2009-06-05 22:48:06
SUMMARY
This step-by-step article describes how to use Internet Information Services (IIS) 5.0 to grant Web server permissions to Web content.
You can grant Web server permissions to specific websites, folders, and files on the server. Unlike NTFS file system permissions, which apply only to specific users or groups of users with valid Windows accounts, Web server permissions apply to all users who access a website, regardless of their specific access permissions.
By default, web access uses the IUSR_computername account. When you install IIS, the IUSR_computername account is created and used as the default anonymous user account. When you enable anonymous access, IIS uses the IUSR_computername account to log on all users who visit your website.
The IUSR_computername account is granted NTFS permissions on all folders that make up the server website. However, you can change the permissions of any folder or file within the site. For example, you can use web server permissions to control whether site visitors are allowed to view a specific page, load information, or run scripts.
When you configure both Web server permissions and Windows NTFS permissions, you can control how users access Web content at multiple levels, from entire Web sites to individual files.
How to Grant Web Server Permissions to Web Content
1. Start Internet Services Manager, or start the IIS snap-in.
2. Click to expand * server name, where server name is the name of the server.
3. Right-click the website, virtual directory, folder, or file to which you want to grant access, and then click Properties.
4. Click one of the following tabs, depending on your situation:
• Home Directory
• Virtual Directory
• Directory
• File
5. Click to select or clear any of the following check boxes that correspond to the level of Web permissions that you want to grant, if present:
Script Resource Access: Granting this permission will allow the user to access source code. Source code here includes scripts, such as those in Active Server Pages (ASP) programs. Note that this permission is only available if Read or Write permission is granted.
Note: If you click Script Resource Access, users will be able to view sensitive information, such as usernames and passwords, from the ASP program's scripts. They will also be able to change the source code running on your server, which can severely impact the server's security and performance. It is recommended that you use a single Windows account and a higher level of authentication (such as Integrated Windows Authentication) to handle access to this information and these features.
Read: Granting this permission will allow the user to view or download the file or folder and its associated properties. Read permission is selected by default.
Write: Granting this permission will allow the user to upload a file and its associated properties to an enabled folder on the server, or allow the user to change the content or properties of a file that has write permission enabled.
Directory Browsing: Granting this permission will allow the user to view a hypertext listing of files and subfolders in a virtual directory. Note that the virtual directory does not appear in the folder list; the user must know the virtual directory's alias.
NOTE: The Web server will display an "Access Forbidden" error message in the user's Web browser when the user attempts to access a file or folder on the server if both of the following conditions are true:
• Directory Browsing is disabled.
- and -
• The user did not specify a file name in the address box, such as Filename.htm.
Log Access: Grant this permission to log access to this folder in a log file. Log entries are only written if logging is enabled for the site.
Index Resources: Granting this permission will allow the Microsoft Indexing Service to include this folder in the full-text index of the site. After granting this permission, the user will be able to perform queries on this resource.
6. In the Execute permissions box, select a setting to determine how you want scripts to run on this website. The following settings are available:
• None: Click this setting if you do not want users to run scripts or executable programs on the server. When using this setting, users can only access static files, such as Hypertext Markup Language (HTML) files and image files.
• Script Only: Click this setting to run scripts, such as ASP programs, on the server.
• Scripts and executables: Click this setting to run both scripts, such as ASP programs, and executable programs on the server.
7. Click OK, and then exit Internet Services Manager or exit the IIS snap-in.
Note:
• When you try to change the security attributes of a website or virtual directory, IIS checks for existing settings on the child nodes (virtual directories and files) contained in the website or virtual directory. If the permissions set at lower levels are different, IIS displays an inheritance override dialog box. To specify which child nodes should inherit the permissions you set at a higher level, click one or more nodes in the child node list, and then click OK. Child nodes will inherit the new permission settings.
• If the Web permissions and NTFS permissions of a folder or file are different, the more restrictive of the two settings will be used. For example, if a specific user group is granted Write permission to a folder in IIS, and the group is granted Read permission to the folder in NTFS, those users will not be able to write files to the folder because Read permission is more restrictive.
• If you disable Web server permissions on a resource (such as Read permissions), no user can view the resource, regardless of the NTFS permissions settings applied to those user accounts. If you enable Web server permissions on a resource (such as Read permissions), all users can view the resource unless you also apply NTFS permissions that restrict access to the resource.
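The rules in the notes above can be checked with a small model when reviewing a planned configuration. This is an added example, not code from the original article or from IIS; the names Web, Ntfs, effective, directory_request and review are hypothetical, NTFS rights are reduced to read and write, and default documents are not modelled.

```python
from enum import Flag, auto

class Web(Flag):
    """Check boxes from step 5; they apply to every visitor."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    SCRIPT_SOURCE = auto()
    DIR_BROWSE = auto()

class Ntfs(Flag):
    """Simplified NTFS rights held by one Windows account (assumption)."""
    NONE = 0
    READ = auto()
    WRITE = auto()

def effective(web, ntfs):
    """Operations one account can perform over HTTP: the more
    restrictive of the Web and NTFS settings wins."""
    ops = set()
    if Web.READ in web and Ntfs.READ in ntfs:
        ops.add("read")
    if Web.WRITE in web and Ntfs.WRITE in ntfs:
        ops.add("write")
    # Script Resource Access has no effect without Read or Write.
    if Web.SCRIPT_SOURCE in web:
        ops |= {op + "-source" for op in ops}
    return ops

def directory_request(web, filename=None):
    """Outcome of a folder URL, per the NOTE under Directory Browsing."""
    if filename is None and Web.DIR_BROWSE not in web:
        return "Access Forbidden"
    return "listing" if filename is None else "file lookup"

def review(web, anonymous_enabled):
    """Flag the setting the article warns about in step 5."""
    findings = []
    if Web.SCRIPT_SOURCE in web and anonymous_enabled:
        findings.append("Script Resource Access is reachable by the anonymous account")
    return findings

if __name__ == "__main__":
    # Constructed case from the article: Write granted in IIS, Read only in NTFS.
    print(effective(Web.READ | Web.WRITE, Ntfs.READ))
    print(directory_request(Web.READ))
    print(review(Web.READ | Web.SCRIPT_SOURCE, True))
```
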