Access Control Lists

Applies To: Windows Server 2003, Windows Server 2003 with SP1

NTFS permissions are set and managed by using access control lists (ACLs). An ACL is a list that indicates which users or groups are able to access or modify a particular file. An ACL is made up of access control entries (ACEs).

ACL Tools

Many tools, such as the cacls command and the Xcacls.exe command-line tool, are available to help you set and manage ACLs.

Cacls

Cacls is a Windows Server 2003 command that allows you to display or modify discretionary access control lists (DACLs). For more information about the cacls command, see Cacls in Help and Support Center for Windows Server 2003.

Xcacls.exe

Xcacls.exe is a Windows Server 2003 command-line tool that lets you set, from the command line, all of the file-system security options that are accessible in Windows Explorer. Xcacls.exe does this by displaying and modifying the ACLs of files. For more information, see Xcacls.exe.

Default ACLs and Privileges for the IIS_WPG Group

When you install IIS 6.0, some ACLs and privileges are set automatically for the IIS_WPG group. Table 5.8, Table 5.9, and Table 5.10 list the default ACLs that are set during the installation process.

Table 5.8 Default File System ACLs for the IIS_WPG Group

Location                                    | Setting                      | Description
--------------------------------------------|------------------------------|------------------------------------------------------
%windir%\Help\iishelp\common                | Read, Execute                | Access to default error page
%windir%\IIS Temporary Compressed Files     | Full                         | Access to the compression directory
%windir%\system32\MicrosoftPassport         | Read, Execute, Write, Delete | Passport configuration
%windir%\inetsrv\ASP Compiled Templates     | Full                         | Access to ASP compiled templates that are saved to disk
%windir%\inetpub\wwwroot                    | Read, Execute                | Access to the content root directory

Table 5.9 Default Metabase ACLs for the IIS_WPG Group

Location            | Setting                                  | Description
--------------------|------------------------------------------|-------------------------------------------------------------------------------
/ (IIS_ROOT key)    | Read, Unsecure Read, Enumerate Keys      | Give worker process access to read metabase data
/LM/W3SVC/AppPools  | Unsecure Read                            | Give worker process access to read unsecured metabase properties
/LM/W3SVC/Filters   | Read, Unsecure Read, Enumerate Keys, Write | Allow IIS to update filter state
/LM/W3SVC/X/Filters | Read, Unsecure Read, Enumerate Keys, Write | Allow IIS to update filter state (for new sites, where X is the Web site number)

Table 5.10 Default Registry Key ACLs for the IIS_WPG Group

Location                                         | Setting | Description
-------------------------------------------------|---------|--------------------------------------
HKLM\System\CurrentControlSet\Services\W3SVC     | Read    | Read W3SVC configured registry keys
HKLM\System\CurrentControlSet\Services\InetInfo  | Read    | Read InetInfo configured registry keys
HKLM\System\CurrentControlSet\Services\HTTP      | Read    | Read HTTP configured registry keys
HKLM\System\CurrentControlSet\Services\ASP       | Read    | Read ASP configured registry keys

All worker process identities must be members of the IIS_WPG group. If the worker process identity account is not in the IIS_WPG group and does not have the appropriate privileges and permissions, the worker process will not start. In addition, if the worker process identity accounts are not members of the IIS_WPG group, they might not be able to launch a worker process after a modification to the operating system, such as upgrading to the next version or installing a service pack.
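The following PowerShell audit script is an added example, not part of the original documentation: it compares the IIS_WPG Allow entries on the Table 5.8 locations with the documented rights and confirms that a worker process identity is a member of the local IIS_WPG group. It assumes it is run locally on the IIS 6.0 server with administrative rights; the worker process identity name is a placeholder.

```powershell
# Added example (not from the original page): audit Table 5.8 file-system ACLs for
# IIS_WPG and check IIS_WPG membership of a worker process identity.
# Assumes a local run with administrative rights; $WorkerIdentity is a placeholder.

$WorkerIdentity = 'EXAMPLE\WpgUser'   # placeholder: set to your worker process identity

# Documented defaults from Table 5.8 (paths as printed in the table).
# "Full" maps to FullControl, "Read, Execute" to ReadAndExecute.
$Expected = @{
    "$env:windir\Help\iishelp\common"            = 'ReadAndExecute'
    "$env:windir\IIS Temporary Compressed Files" = 'FullControl'
    "$env:windir\system32\MicrosoftPassport"     = 'ReadAndExecute, Write, Delete'
    "$env:windir\inetsrv\ASP Compiled Templates" = 'FullControl'
    "$env:windir\inetpub\wwwroot"                = 'ReadAndExecute'
}

foreach ($path in $Expected.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING  $path (directory not found)"
        continue
    }
    $want = [System.Security.AccessControl.FileSystemRights]$Expected[$path]
    # Only Allow ACEs granted to IIS_WPG count; inherited entries are included.
    $aces = (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference -like '*\IIS_WPG' -and
                       $_.AccessControlType -eq 'Allow' }
    if (-not $aces) {
        Write-Output "NO ACE   $path (IIS_WPG has no Allow entry)"
        continue
    }
    # OR together every right granted to IIS_WPG and test that each wanted bit is set.
    $granted = 0
    foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.FileSystemRights }
    $status = if (($granted -band [int]$want) -eq [int]$want) { 'OK      ' } else { 'DRIFT   ' }
    $shown  = [System.Security.AccessControl.FileSystemRights]$granted
    Write-Output "$status $path  expected=$want  granted=$shown"
}

# Membership check: the worker process identity must be in the local IIS_WPG group.
$account = ($WorkerIdentity -split '\\')[-1]
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/IIS_WPG,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($members -contains $account) {
    Write-Output "OK       $WorkerIdentity is a member of IIS_WPG"
} else {
    Write-Output "WARNING  $WorkerIdentity is not in IIS_WPG; its worker process will not start"
}
```

A DRIFT line means IIS_WPG holds fewer rights than Table 5.8 documents; rights beyond the documented defaults are not flagged and should be reviewed separately.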

In addition, IIS sets restrictive ACLs on log files. For more information about log file permissions, see Analyzing Log Files.

Metabase ACLs

IIS installs the metabase files with strict ACLs set to prevent anyone but administrators from viewing your configuration data. You can use the MetaACL.vbs command-line tool to change the ACLs and grant granular permissions on a site-by-site or application-by-application basis. For more information about MetaACL.vbs, see Knowledge Base article 267904, Metaacl.exe modifying metabase permissions for IIS Admin Objects. For more information about metabase security, see Working with the Metabase.

Important

Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to back up the metabase, see Working with the Metabase.