IIS Hardening - File Permissions

23 March 2015

I had a request from a client to review the NTFS permissions on their IIS web servers. They are running public sites on IIS 8.5 with anonymous access.

They had not changed the default NTFS permissions, but ran into the problem that not every user on the server should be able to read their web files.

Let's look at the default ACLs:

icacls C:\inetpub\wwwroot

gives us:

BUILTIN\IIS_IUSRS:(RX)
BUILTIN\IIS_IUSRS:(OI)(CI)(IO)(GR,GE)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

The problem here is the users entry. It allows any user on the server to read the files in wwwroot.

Removing the Users entry results in an HTTP 401.3 status. Why is read access for the built-in IIS_IUSRS group not enough?

After all, the worker process for the application pool runs under IIS APPPOOL\DefaultAppPool, which is automatically a member of the IIS_IUSRS group.

If we give the built-in user IUSR read access, the site works again. This is because, in anonymous mode, IIS impersonates the IUSR account when it accesses files, so the worker process identity's own permissions are not what counts.

So the first option is to replace Users with IUSR. In general I prefer to avoid single user accounts in access control lists, even built-in ones.

There is a way to solve this without using IUSR: we just have to tell IIS not to use it.

At the machine or site level we can specify which account IIS impersonates for anonymous authentication. By default this is IUSR, but if we change it to the application pool identity (an empty userName), the permissions already in place for IIS_IUSRS are sufficient.

For the whole server:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "userName" -value ""

For a specific site:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'SiteName' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "userName" -value ""

In other cases you may want to be more specific about your NTFS permissions and grant each application pool identity (IIS APPPOOL\<pool name>) access only to the files of the sites it serves. In that case remove IIS_IUSRS as well, so one compromised site cannot read another site's files.
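The whole procedure for one site, as an added PowerShell example that is not part of the original post: break ACL inheritance on the web root, drop the BUILTIN\Users and BUILTIN\IIS_IUSRS entries, grant only the site's own application pool identity Read & Execute, and switch anonymous authentication to the application pool identity so the site does not fall back to IUSR and return 401.3. The site name and path are placeholders; the script looks up the pool name with Get-Website.

```powershell
# Added example, not from the original post. Placeholders: adjust $siteName and $webRoot.
Import-Module WebAdministration

$siteName = 'SiteName'                      # placeholder site name
$webRoot  = 'C:\inetpub\wwwroot\SiteName'   # placeholder physical path of the site

# The worker process runs as the virtual account "IIS APPPOOL\<pool name>".
$appPool      = (Get-Website -Name $siteName).applicationPool
$poolIdentity = "IIS APPPOOL\$appPool"

# Step 1: stop inheriting from C:\inetpub\wwwroot, copying the inherited ACEs
# as explicit ones so nothing is lost yet. Committed before editing, because
# inherited entries cannot be removed from the in-memory ACL until then.
$acl = Get-Acl -Path $webRoot
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $webRoot -AclObject $acl

# Step 2: remove the broad entries. BUILTIN\Users lets every local account read
# the site; BUILTIN\IIS_IUSRS lets every application pool on the server read it.
$acl = Get-Acl -Path $webRoot
foreach ($rule in @($acl.Access)) {
    if ($rule.IdentityReference.Value -in @('BUILTIN\Users', 'BUILTIN\IIS_IUSRS')) {
        $null = $acl.RemoveAccessRule($rule)
    }
}

# Step 3: grant only this site's pool identity Read & Execute on the folder,
# its subfolders and files (equivalent to (OI)(CI) RX in icacls output).
$allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $poolIdentity, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($allow)
Set-Acl -Path $webRoot -AclObject $acl

# Step 4: make anonymous requests run as the pool identity instead of IUSR.
# An empty userName is IIS's "Application pool identity" setting.
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location $siteName `
    -filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -name 'userName' -value ''

# Step 5: verify. Expect SYSTEM, Administrators, TrustedInstaller, CREATOR OWNER and
# the pool identity only, and an empty anonymous userName for the site.
(Get-Acl -Path $webRoot).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited |
    Format-Table -AutoSize
Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location $siteName `
    -filter 'system.webServer/security/authentication/anonymousAuthentication' -name 'userName'
```

Run it from an elevated PowerShell session on the web server. If the site writes to a subfolder (uploads, logs), add a separate Modify rule for the pool identity on that subfolder only; keep the rest of the web root read-only for it. The verification step is worth keeping as a scheduled check, since a redeploy that recreates the folder will restore the inherited BUILTIN\Users entry.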
