Trying to understand IIS permissions

Question

I'm trying to understand how IIS permissions works because I had a weird scenario today..

So one of the developers installed IIS 10 on the server and created a site under C:\WebSites\Site1

Now, that particular site is also writing some txt log files to C:\Site1-Logs.

The Application Pool of Site1 is running as "ApplicationPoolIdentity".

Theoretically, The user running the site (IIS AppPool\Site1) should have the permission to write/create txt files under C:\Site1-Logs directory with out manually setting a permission for that?

Because I couldn't find any where under Security tab anything related to IIS_USRS group or "IIS AppPool\Site1" user.

When I tried to move the logs writing to another partition (E:) I had to give a writing permission to "IIS AppPool\Site1" and I can actually see the permission under Security tab.

So maybe I'm missing something? By default the IIS is installed as a system service and he already granted with permissions to write to C: ?

There is a best practice for that in terms of security? is it ok to run web applications under C: ?

Thanks and sorry for the bad explanation :P

icacls C:\Site1-Logs
C:\Site1-Logs        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                         BUILTIN\Administrators:(I)(OI)(CI)(F)
                         BUILTIN\Users:(I)(OI)(CI)(RX)
                         BUILTIN\Users:(I)(CI)(AD)
                         BUILTIN\Users:(I)(CI)(WD)
                         CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Can you add the NTFS permissions for C:\site1-logs like `icacls C:\site1-logs` to your question — Peter Hahndorf, Jan 05 '22 at 17:49
Yes but what I don't understand is how my Application Pool have already access to write to folders under C:\ without giving specific permissions.. — Shlomi, Jan 06 '22 at 09:21
And I am trying to explain to you why that is the case, but for that you should list the permissions here. — Peter Hahndorf, Jan 06 '22 at 15:15

score 1 · Accepted Answer · answered Jan 06 '22 at 17:03

1

The group BUILTIN\Users has Write Access to your C:\Site1-Logs directory.

The user IIS AppPool\Site1 is automatically a member of the Users group because that is a special group under Windows.

This is why your web-site has write access.

You can't remove IIS AppPool\Site1 from users, but you could remove the permissions of the users groups from the directory.

answered Jan 06 '22 at 17:03

Peter Hahndorf

14,058
3
41
58

Thank you so much, It makes sense now how the user had write permission already. In terms of security, is it ok to keep BUILTIN\Users with write access to C: ? or should I remove that and give each individual user specific permissions ? – Shlomi Jan 07 '22 at 12:53
1

That depends on your environment. If you want to make sure one site can never read files belonging to another site, you should remove `users` permissions and use the individual site accounts for NTFS permissions. – Peter Hahndorf Jan 07 '22 at 17:07

Trying to understand IIS permissions

1 Answers1