@lankymart
Created February 22, 2017 17:29
Recommendations for Setting up Websites in IIS

Things to consider while setting up IIS websites

  • Anonymous Access Account
  • Application Pool
  • NTFS Permissions

Setting up an Anonymous Account

  • Method One - Use ApplicationPoolIdentity Instead of IUSR

    ApplicationPoolIdentity is a special value rather than a real account: IIS maps it to the virtual account IIS AppPool\<AppPoolName> for that pool, and that account is a member of the IIS_IUSRS security group.

    The reason to use it is that it ties the security context to the Application Pool. Otherwise the Anonymous Account runs as IUSR while the Application Pool runs as ApplicationPoolIdentity, leaving two security contexts to manage.

  • Method Two - Use a Custom Account as the Identity of the Application Pool

    For more control, use a Custom Account in place of ApplicationPoolIdentity in the Application Pool Advanced Settings. Borrowing from Method One, the Anonymous Account should still be set to ApplicationPoolIdentity so there is only one security context to manage.

    The main benefit of this approach over using IUSR is that you know the password for the Custom Account, whereas IIS controls the IUSR password, which makes using IUSR as the Application Pool Identity troublesome.
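The two steps described under Method Two (custom account as the Application Pool Identity, Anonymous Authentication left on the pool identity) can be scripted with the WebAdministration module. This is an added example, not part of the gist; the site name, pool name and the account you enter at the credential prompt are placeholders, and `identityType = 3` is the SpecificUser value of the processModel identityType enumeration.

```powershell
# Added example (not from the gist): configure Method Two with the WebAdministration
# module. Run from an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

$SiteName = 'ExampleSite'       # placeholder: your IIS site name
$PoolName = 'ExampleSitePool'   # placeholder: the site's application pool
$Cred     = Get-Credential -Message 'Custom service account for the application pool'

# 1. Run the application pool as the custom account.
#    identityType 3 = SpecificUser (4 would be ApplicationPoolIdentity, i.e. Method One).
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $Cred.UserName
    password     = $Cred.GetNetworkCredential().Password
}

# 2. Make sure the site actually uses that pool.
Set-ItemProperty "IIS:\Sites\$SiteName" -Name applicationPool -Value $PoolName

# 3. Anonymous Authentication: an empty userName means "Application pool identity",
#    so anonymous requests run as the pool account and not as IUSR.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# Verify: one security context for both the pool and anonymous requests.
Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel |
    Select-Object identityType, userName
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName
```

For Method One, set `identityType = 4` in step 1 and omit the userName and password keys; step 3 is the same for both methods. After the change, confirm the anonymous userName shows an empty value and that the pool's worker process appears under the expected account in Task Manager or `Get-Process w3wp -IncludeUserName`.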

Assigning NTFS Permissions

WARNING: UAC (User Account Control) can modify NTFS permissions when running in "Admin Approval Mode". Make sure the setting User Account Control: Run all administrators in Admin Approval Mode is set to False in the Local Group Policy, located under Computer settings\Windows settings\Security settings\Local policies\Security options.

Depending on the method used for adding an Anonymous Account to an IIS website, one of two accounts should be added to the website's root folder:

  • Method One - IIS_IUSRS (Read Permission)
  • Method Two - Custom Account (Read Permission)

At the basic level the website's root folder should contain the following permissions:

User Account       Permission       Notes
Administrators     Full Control     For File System access.
<IIS Anonymous>    Read & Execute   Either IIS_IUSRS or a Custom Account.

Don't Inherit Permissions

Disabling inheritance on the website's root folder is recommended. It stops parent permissions propagating down and overwriting the permissions set on the site, which can be a costly exercise to restore.
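The permission table and the inheritance advice above can be applied together from PowerShell. This is an added example, not code from the gist: the site root path is a placeholder, `$AnonymousPrincipal` is BUILTIN\IIS_IUSRS for Method One or the Custom Account for Method Two, and `Set-SiteRootAcl` / `Get-SiteRootAcl` are names chosen here.

```powershell
# Added example (not from the gist): set the minimum ACL on a website root and
# break inheritance from the parent folder. Run from an elevated session.
$SiteRoot           = 'D:\Sites\ExampleSite'   # placeholder path
$AnonymousPrincipal = 'BUILTIN\IIS_IUSRS'      # Method One; Method Two: 'DOMAIN\svc_example'

function Set-SiteRootAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $AnonymousPrincipal
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Path

    # Protect the DACL: stop inheriting from the parent and discard the inherited
    # entries (second argument $false), so changes higher up cannot overwrite this folder.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop any pre-existing explicit entries so only the rules below remain.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # Administrators: Full Control, applied to this folder, subfolders and files.
    $admins = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $prop, $allow)
    # IIS anonymous principal (IIS_IUSRS or the Custom Account): Read & Execute only.
    $anon = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AnonymousPrincipal, 'ReadAndExecute', $inherit, $prop, $allow)

    $acl.SetAccessRule($admins)
    $acl.SetAccessRule($anon)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-SiteRootAcl {
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -Path $Path
    [PSCustomObject]@{
        Path               = $Path
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Entries            = $acl.Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
    }
}

Set-SiteRootAcl -Path $SiteRoot -AnonymousPrincipal $AnonymousPrincipal
Get-SiteRootAcl -Path $SiteRoot | Format-List
```

The check to run afterwards is `Get-SiteRootAcl`: InheritanceBlocked should be True and every entry should show IsInherited False, with exactly the two principals from the table. If the site writes anywhere under its root (uploads, logs, temp files), grant that specific subfolder Modify to the anonymous principal rather than widening the rule on the root.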
