Securing a Web Site Using NTFS Special Permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

With NTFS permissions, you can assign special permissions to groups or users. Special permissions are permissions on a more detailed level. For better management, you should assign broad-level permissions to users or groups, where it is applicable. For descriptions of permissions, see "Permissions for Files or Folders" in Help and Support Center for Windows Server 2003.


You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".


To secure a Web site by using NTFS special permissions

  1. In IIS Manager, expand the local computer, right-click a Web site, directory, or virtual directory, and then click Permissions.

  2. Click the Advanced tab, and then do one of the following:

    To Do this

    Set special permissions for an additional group or user

    Click Add, and in the Enter the object name to select box, type the name of the user or group, and then click OK.

    View or change special permissions for an existing group or user

    Click the name of the group or user and then click Edit.

    Remove an existing group or user and its special permissions

    Click the name of the group or user and then click Remove. If the Remove button is unavailable, clear the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries exclusively defined here. check box, and then click Remove. Click OK and skip steps 3-6 below.

  3. In the Permissions box, select or clear the appropriate Allow or Deny check boxes.

  4. In the Apply onto list box, click the folders or subfolders you want these permissions to be applied to.

  5. To prevent the subfolders and files from inheriting these permissions, clear the Apply these permissions to objects and/or containers within this container only check box.

  6. Click OK three times.


You should assign permissions to the highest-level folders possible and then apply inheritance to propagate the settings to lower-level subfolders and files. For more information about inheritance, see "How Inheritance Affects File and Folder Permissions" in Help and Support Center for Windows Server 2003.

  • For more information about access control, see "Access Control" in Help and Support Center for Windows Server 2003.