Setting Permissions on the File Server (IIS 6.0)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
The file server permissions must be carefully implemented to provide appropriate access to content. This involves combining the IIS authentication protocol with features like delegation and pass-through authentication, or specifying a user account for IIS to use when authenticating to a remote resource. Of course, your servers should always use NTFS permissions in order to properly enforce security.
File Server Shared Folders
The default share permission for shares is Everyone Read. If you're using IIS as a publishing server (WebDAV, Microsoft FrontPage®, or FTP) and the file server is the back end, you'll need to set permissions for share and NTFS sufficient to allow writing to the resource. Share permissions should be Change or Full Control, and will require the Modify Write permissions for these applications to work correctly. The specific settings required are dependent on how you implement publishing.
To set share permissions
Right-click the folder you want to share.
Select Sharing and Security.
Select the Sharing tab (set ShareName and Comment as appropriate).
Remove the Everyone group (if it exists); this may allow unexpected access.
Add the appropriate User or Group (Authenticated Users is a good choice) that should have access to the share. For delegated access, this will typically be Domain groups or users. It is recommended that you use groups to control access to local resources.
Give this user or group the minimum permissions required to access the content. Read is the least share privilege allowed. If this location is to be used for FrontPage publishing, Change or Full Control permissions may be required.
To set NTFS permissions
Be careful when editing any of the default NTFS ACL settings; you'll need to make sure the administrators can still control the file content.
Right-click the folder or file you want to secure.
Select Sharing and Security.
Select the Security tab.
Click the Add button.
Type in the name of the domain user or group that you want to have access to this resource, and then click OK. The default NTFS settings apply only to local accounts on the server. Domain users must be explicitly allowed appropriate access.
Verify that the Allow checkboxes are set to permit minimum access. (For IIS to retrieve content, it needs only Read access to be checked.)
Clearing Allow List Folder Contents does not disable IIS Directory Browsing in IIS Manager. Clearing Allow Read and Execute does not disable IIS Script or Execute permission in IIS Manager.
In some environments, such as a shared hosting provider, it is common to leave the share permissions reasonably open and rely on NTFS permissions to control security. Remember that share and NTFS permissions combine to provide the least privilege allowed by both. Regardless of how you choose to integrate share and NTFS permissions, be certain they are set up correctly, as these permissions are the foundation for your Web server security.
Increasing File Server Availability
To increase availability, consider clustering your file servers like you would a SQL server. In addition (or alternatively), you can use DFS to provide a non-machine-specific UNC naming convention, and File Replication Service (FRS) to provide redundancy. These technologies have been proven to increase reliability with Windows 2000 Service Pack 3 (SP3) and Windows Server 2003. Additionally, Network Load Balancing can be used to distribute traffic to a set of identical file servers. The following are several Knowledge Base (KB) articles that help explain how to get this scenario to work; they are especially significant when using FrontPage Server Extensions.
Description of the Properties of the Cluster Network Name Resource in Windows Server 2003:
How to Troubleshoot the Cluster Service Account When It Modifies Computer Objects:
Kerberos Support on Windows 2000-based Server Clusters: