Tighten Default IIS Permissions

By default the Users group is included on the IIS inetpub directory with Read & execute permissions.

These default permissions can be tightened.

For this change, any of the groups USERS, AUTHENTICATED USERS, or IUSR will work; however, IUSR is considered the least privileged and therefore the most secure.

The least privileges needed are:

Basic - Read

or

Advanced - List folder / read data; Read extended attributes; Read permissions

Individual users or groups cannot be used in place of one of these special purpose groups because IIS recognizes these groups and treats them differently.

Details

Some files, such as .ASMX files, require the List folder / read data privilege. Other files, such as font files, require that privilege as well as Read extended attributes and Read permissions. Overall, IIS handles requests for different file types in different ways, and some file types require one of these three groups and the associated permissions.
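
One way to check and apply this change from an elevated PowerShell prompt, as an added example that is not part of the original page: it reports the access entries held by the three special groups on the inetpub directory and, with -Apply, removes the Users entry and grants IUSR the three Advanced rights. The C:\inetpub path, the script parameters and the Get-SpecialGroupAce helper are assumptions.

```powershell
# Added example, not the vendor's script. Run elevated; without -Apply it only reports.
param(
    [string]$Path = 'C:\inetpub',    # assumption: default IIS install location
    [switch]$Apply
)
$sid = @{                             # well-known SIDs, independent of OS language
    'Users'               = 'S-1-5-32-545'
    'Authenticated Users' = 'S-1-5-11'
    'IUSR'                = 'S-1-5-17'
}
# The three Advanced rights listed above. Synchronize is tolerated as well, because
# the permissions dialog and .NET add it to Allow entries on their own.
$minimal = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadExtendedAttributes, ReadPermissions'
$allowed = [int]$minimal -bor [int][System.Security.AccessControl.FileSystemRights]::Synchronize

function Get-SpecialGroupAce([string]$Dir) {
    $rules = (Get-Acl -LiteralPath $Dir).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $name = $sid.Keys | Where-Object { $sid[$_] -eq $r.IdentityReference.Value }
        if (-not $name -or $r.AccessControlType -ne 'Allow') { continue }
        [pscustomobject]@{
            Group     = $name
            Rights    = $r.FileSystemRights
            Inherited = $r.IsInherited
            # Access-mask bits granted beyond the minimal set (0x00000000 = none).
            Excess    = '0x{0:X8}' -f ([int]$r.FileSystemRights -band (-bnot $allowed))
        }
    }
}

$before = @(Get-SpecialGroupAce $Path)
$before | Format-Table -AutoSize

if ($Apply) {
    # An inherited Users entry cannot be removed directly: copy inherited entries
    # to explicit ones first, then remove the Users grant.
    if ($before | Where-Object { $_.Group -eq 'Users' -and $_.Inherited }) {
        icacls $Path /inheritance:d
    }
    icacls $Path /remove:g ('*' + $sid['Users'])
    # RD, REA, RC = List folder / read data, Read extended attributes, Read permissions;
    # S = Synchronize, matching what the Advanced dialog stores for an Allow entry.
    icacls $Path /grant ('*{0}:(OI)(CI)(RD,REA,RC,S)' -f $sid['IUSR'])
    Get-SpecialGroupAce $Path | Format-Table -AutoSize
}
```

Run it without -Apply first and review the table; an Excess value other than 0x00000000 marks rights beyond the minimal set.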



 

© 2023 Foray, LLC - All Rights Reserved