New users and groups introduced in IIS 6.0 and their default permissions
Q: We have been using IIS for some years, and now I am moving to IIS 6.0 (a new server, not an upgrade). I want to control security, but I don't want to over-control it so that the system cannot process files. I also found new users and groups in Windows Server 2003 with IIS 6.0 installed, such as the ASPNET user and the IIS_WPG group, and I would like to know about the security settings of these users and groups to ensure the security of the new Web site. Please tell me how I should set permissions when I create a new Web site. That way I can add other settings as needed. I will list the default permissions of the wwwroot folder for your reference.
Administrators: Full Control
IIS_WPG (group - IWAM_servername, Local Service, Network Service and System): Read & Execute
Interactive: List Folder Contents
IUSR_servername: List Folder Contents
Network: List Folder Contents
Network Service: List Folder Contents
OWS_123456789_ADMIN (group - Administrators group): List Folder Contents
OWS_987654321_ADMIN (group - Administrator): List Folder Contents
System: Full Control
Users (group - ASPNET, Authenticated Users): Read & Execute
You can see that many permissions are set here, and some of them are redundant. I need to create a new primary folder for other Web sites, and I want to make sure that the permission settings are fully in line with my needs.
A: The answer to "what should the permissions be" is "the minimum rights that satisfy the need". IIS only needs NTFS Read permission to serve static content and scripts. Other permissions depend on your business needs.
I can see from the permissions you listed that IIS 6 and FrontPage 2002 Server Extensions are installed on your server. It is worth noting that every time you add a service or product, the permissions required on the server (and sometimes the users and groups) will change. First, let's look at the default permission settings of the wwwroot folder on a Windows Server 2003 installation without FrontPage Server Extensions. They are:
Administrators - Full Control
System - Full Control
IIS_WPG - List Folder Contents, Read & Execute, Read
Users - List Folder Contents, Read & Execute, Read
Internet Guest Account - Deny Write
The IIS 6 default permissions differ from those on your server because you have installed FrontPage Server Extensions (FPSE) 2002. You can see that there are many permission settings. Installing FPSE adds the following permissions:
Network - List Folder Contents
Network Service - List Folder Contents
Interactive - List Folder Contents
OWS_
Internet Guest Account - List Folder Contents
You are right that some of them overlap. One of the biggest changes is to the permissions of the Internet Guest account: "Deny Write" is removed and "List Folder Contents" is added. As a result, the permissions of anonymous Web users and of the Network group are identical to those of the Interactive group. Since the IUSR account is a member of either the Network group or the Interactive group, in theory there is no need to list the permissions of the IUSR account separately. In addition, Network Service is a member of IIS_WPG, so it is not necessary to list it either.
The way FPSE uses permissions may be more confusing. It is mainly there to solve the following problem: a user first enters the Web site with a user account, and then browses other content that, under the NTFS permissions, is only accessible anonymously. In this case the user may be denied access, although you may want the user to be able to read that content. Fortunately, in Windows Server 2003 you can make FPSE use local user groups instead of the permissions of the built-in Network and Interactive groups. To learn more, read http://www.microsoft.com/technet/prodtechnol/SPPT/SharePNT/Proddocs/AdMindoc/Owsj03.asp and http://www.microsoft.com/serviceProviders/WhitePapers/fpse2002.asp.
Finally, an IIS 6 server does not have an ASPNET user by default; it appears only after ASP.NET is installed. In worker process isolation mode the ASPNET user is not used; it is used only in IIS 5 isolation mode. By default, these applications run under the Network Service account. To learn more about ASP.NET and IIS 6, see the IIS 6 Resource Guide at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/iis6perf.mspx.
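As an added illustration of the least-privilege baseline in the answer above (an example script, not part of the original Q&A or of IIS), the following PowerShell audit reads a web root's NTFS ACL and reports any of the content-serving identities named in the answer that hold write-class rights; the web root path and the IUSR_/IWAM_ naming after the server name are assumptions.

```powershell
# Added example, not from the original Q&A: audit a web root's NTFS ACL against the
# "content-serving identities need only read" baseline described in the answer.
# Assumptions: the path below, and that IUSR_/IWAM_ accounts are named after the server.
param([string]$WebRoot = 'C:\Inetpub\wwwroot')

# Identities that serve or process web content. Per the answer they need only
# List Folder Contents / Read & Execute, so any write-class Allow ACE is a finding.
$serviceIdentities = @('IIS_WPG', 'NETWORK SERVICE', 'NETWORK', 'INTERACTIVE',
                       'Users', 'ASPNET', 'IUSR_', 'IWAM_')

# Rights that let a principal change content or the ACL itself.
$writeClass = [System.Security.AccessControl.FileSystemRights]'Write, Modify, Delete, FullControl, ChangePermissions, TakeOwnership'

function Test-WebRootAcl {
    param([string]$Path, [string[]]$Identities, $WriteMask)
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        $who   = $ace.IdentityReference.Value        # e.g. BUILTIN\Users
        $short = $who.Split('\')[-1]
        $match = $Identities | Where-Object { $short -like "$_*" }
        if (-not $match) { continue }
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            $findings += "$who : Allow $($ace.FileSystemRights)" +
                         $(if ($ace.IsInherited) { ' (inherited)' } else { '' })
        }
    }
    # The pre-FPSE default in the answer also carries an explicit Deny Write for the
    # Internet Guest account; report when it is missing so the reviewer can decide.
    $denyWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*IUSR_*' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0)
    }
    if (-not $denyWrite) { $findings += 'No explicit Deny Write for the IUSR_ account' }
    return $findings
}

$results = @(Test-WebRootAcl -Path $WebRoot -Identities $serviceIdentities -WriteMask $writeClass)
if ($results.Count -eq 0) {
    Write-Output "$WebRoot : content-serving identities hold read-only rights"
} else {
    Write-Output "$WebRoot : review the following ACEs"
    $results | ForEach-Object { Write-Output "  $_" }
}
```

Run it as an administrator against each site's home folder; an inherited write-class ACE usually means the folder was created under a parent whose ACL was never tightened.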