[This is preliminary documentation and subject to change]
Setting Web Server Permissions
It is important to understand the distinction between Web and
NTFS permissions. Unlike NTFS, Web permissions apply to all users
accessing your Web sites. NTFS permissions apply only to a specific
user or group of users with a valid Windows account. NTFS controls
access to physical directories on your server, whereas Web
permissions control access to virtual directories on your Web
site.
By default, Web access permissions use the Windows account
IUSR_computername. When users access your site, using
anonymous authentication, they use this account. By default,
IUSR_computername is given NTFS permissions by IIS for the
actual folders that comprise the Web site. You can, however, change
these permissions for any folder or file in your site. For example,
you can use Web permissions to control whether users visiting your
Web site are allowed to view a particular page, upload information,
or run scripts on the site. For more information, see About Access Control.
Important
The following rules are important to
remember when working with Web and NTFS permissions.
- If Web permissions differ from NTFS permissions for a directory
or file, the more restrictive settings are used.
- IIS will prompt you for permission to reset the properties of
individual directories and files when you attempt to set security
properties for your Web site, or a virtual directory. If you choose
to reset these properties, your previous security settings will be
replaced by the new settings.
- Distributed Authoring and Versioning (WebDAV) is an extension
to the HTTP 1.1 standard for exposing any storage media, such as a
file system, over an HTTP connection. With the IIS implementation
of WebDAV, you can allow remote authors to create, move, search, or
delete files and directories on your server. Because WebDAV is an
implementation of the HTTP 1.1 proposed draft, it is not
available for non-HTTP services, such as FTP sites. For more
information, see WebDAV Publishing.
To set permissions for Web content (including WebDAV)
- In the IIS snap-in, select a Web site, virtual directory, or
file, and open its property sheets.
- On the Home Directory, Virtual Directory, or File property
sheet, select or clear any of the following check boxes (if
available):
  - Read (selected by default): Users can view directory or file
  content and properties.
  - Write: Users can change directory or file content and
  properties.
  - Script Source Access: Users can access source files. If Read
  is selected, source can be read; if Write is selected, source
  can be written to. Script Source Access includes the source
  code for scripts, such as the scripts in an ASP application.
  This option is not available if neither Read nor Write is
  selected.
  - Directory browsing: Users can view file lists and
  collections.
  - Log visits: A log entry is created for each visit to the Web
  site.
  - Index this resource: Allows Indexing Service to index this
  resource. This allows searches to be performed on the resource.
- Under Execute Permissions, select the appropriate level of
script execution:
  - None: Don't run scripts, such as ASP applications, or
  executables on the server.
  - Scripts only: Run only scripts, such as ASP applications, on
  the server.
  - Scripts and Executables: Run both scripts, such as ASP
  applications, and executables on the server.
- Click OK.
- Disabling permissions restricts all users. For example,
disabling the Read permission restricts all users from viewing a
file, regardless of the NTFS permissions applied to those users'
accounts. However, enabling the Read permission can allow all users
to view that file, unless NTFS permissions that restrict access
have also been applied.
- If both IIS and NTFS permissions are set, the permissions that
explicitly deny access take precedence over permissions that grant
access.
Important
When you select Script Source
Access, users may be able to view sensitive information, such
as a user name and password, from the scripts in an ASP
application. They may also be able to change source code that runs
on your server, and seriously affect your server's security and
performance. Access to these types of information and functions is
best utilized through individual Windows accounts and higher-level
authentication, such as Digest or integrated Windows
authentication.
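The rules on this page (the more restrictive of Web and NTFS permissions is used, an explicit deny takes precedence over a grant, and Script Source Access follows Read and Write) can be checked with a small model. This is an added example, not part of the original documentation or of IIS; WebPerms, effective, findings and SAMPLE are hypothetical names, and NTFS rights are reduced to read and write for a single account.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class WebPerms:
    """Check boxes on the Home Directory / Virtual Directory / File sheet."""
    read: bool = True             # selected by default
    write: bool = False
    script_source: bool = False   # follows Read and Write

def effective(web, ntfs_allow, ntfs_deny):
    """Access one Windows account gets through the Web server.

    ntfs_allow and ntfs_deny are sets drawn from {"read", "write"} for the
    account the request runs as (IUSR_computername for anonymous users).
    """
    def ntfs(op):
        # A permission that explicitly denies access beats one that grants it.
        return op in ntfs_allow and op not in ntfs_deny

    # Web permissions apply to all users; the more restrictive setting wins.
    can_read = web.read and ntfs("read")
    can_write = web.write and ntfs("write")
    return {
        "view_content": can_read,
        "change_content": can_write,
        "read_script_source": web.script_source and can_read,
        "write_script_source": web.script_source and can_write,
    }

def findings(anonymous_access):
    """Flag what the Important note on Script Source Access warns about."""
    out = []
    if anonymous_access["read_script_source"]:
        out.append("anonymous users can read script source")
    if anonymous_access["write_script_source"]:
        out.append("anonymous users can change script source")
    return out

# Constructed sample: a virtual directory with Read and Script Source Access
# selected, where IUSR_computername holds NTFS read and write rights.
SAMPLE = effective(WebPerms(read=True, script_source=True), {"read", "write"}, set())

if __name__ == "__main__":
    print(SAMPLE)
    print(findings(SAMPLE))
```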
Related Topics
- For more information about the property sheets described above,
click Help on the appropriate property sheet in the IIS
snap-in.
- For more information about setting properties, see Configuring the Metabase.
© 1997-2001 Microsoft Corporation. All rights reserved.