I have a Windows Server that is a member server of an AD domain.

On it there is an IIS web site with Physical Path set to D:\www.

The site's Application Pool is set to a .NET CLR Version v4.0.30319 one with Integrated pipeline mode and running under the identity LocalService.

Under the web site's IIS Authentication, I have Windows Authentication set to Enabled.

I want to allow all authenticated users, either domain or with local server credentials, to access the web site. What are the security settings I must have for the D:\www folder?

Right now, SYSTEM, Users and IIS_IUSRS have Read, Read & Execute and List folder contents permissions. And all authenticated users appear to be able to access the web site without problems.

But when I remove IIS_IUSRS from the ACL, no user can access because web.config couldn't be read. Why is this the case? Where in the web site configuration is IIS_IUSRS specified? And anyway, my IIS_IUSRS currently has no members.

Old Geezer
  • `when I remove IIS_IUSRS from the ACL, no user can access because web.config couldn't be read. Why is this the case?` It's the identity of the web site application pool. – Greg Askew Jan 31 '19 at 12:23
  • But that is `LocalService`. – Old Geezer Jan 31 '19 at 13:34
  • `D:\www` should follow `\inetpub\wwwroot` https://support.microsoft.com/en-ca/help/981949/description-of-default-permissions-and-user-rights-for-iis-7-0-and-lat What happened after removing `IIS_IUSRS` is by design and you have to add it back. BTW, `LocalService` should not be used as pool identity as well (unless you have strong justification). – Lex Li Jan 31 '19 at 14:50
  • `LocalService` was a requirement by security policy of the customer who owned the server. I am puzzled because the `IIS_IUSRS` group has no members. – Old Geezer Jan 31 '19 at 15:16