Setting Web and FTP Permissions

It is important to understand the distinction between Web and FTP permissions, and NTFS permissions. Unlike NTFS, Web and FTP permissions apply to all users accessing your Web and FTP sites. NTFS permissions apply only to a specific user or group of users with a valid Windows account. NTFS controls access to physical directories on your server, whereas Web and FTP permissions control access to virtual directories on your Web or FTP site. For more information, see Web and FTP Sites.

By default, Web and FTP access permissions use the Windows account IUSR_computername. When users access your site, using anonymous authentication, they use this account. By default, IUSR_computername is given NTFS permissions by IIS for the actual folders that comprise the Web or FTP site. You can, however, change these permissions for any folder or file in your site. For example, you can use Web permissions to control whether users visiting your Web site are allowed to view a particular page, upload information, or run scripts on the site. For more information, see About Access Control.

Important

If Web or FTP permissions differ from NTFS permissions for a directory or file, the more restrictive settings are used.
IIS will prompt you for permission to reset the properties of individual directories and files when you attempt to set security properties for your Web site, FTP site, or a virtual directory. If you choose to reset these properties, your previous security settings will be replaced by the new settings. For more information about setting properties, see the Properties and Inheritance of Properties on Sites section in About Web and FTP Sites.
Distributed Authoring and Versioning (WebDAV) is an extension to the HTTP 1.1 standard for exposing any storage media, such as a file system, over an HTTP connection. With the IIS implementation of WebDAV, you can allow remote authors to create, move, search, or delete files and directories on your server. Because WebDAV is an implementation of the HTTP 1.1 proposed draft, it is not available for non-HTTP services, such as FTP sites. For more information, see WebDAV Publishing.

To set permissions for Web content (including WebDAV)

In the IIS snap-in, select a Web site, virtual directory, or file, and open its property sheets.
On the Home Directory, Virtual Directory, or File property sheet, select or clear any of the following check boxes (if available):

Read (selected by default) Users can view directory or file content and properties.
Write Users can change directory or file content and properties.
Script Source Access Users can access source files. If Read is selected, then source can be read, if Write is selected, then source can be written to. Script Source Access includes the source code for scripts, such as the scripts in an ASP application. This option is not available if neither Read nor Write is selected.
Directory browsing Users can view file lists and collections.
Log visits A log entry is created for each visit to the Web site.
Index this resource Allows Indexing Service to index this resource. This allows searches to be performed on the resource.

Under Execute Permissions select the appropriate level of script execution:

None Don't run scripts, such as ASP applications, or executables on the server.
Scripts only Run only scripts, such as ASP applications, on the server.
Scripts and Executables Run both scripts, such as ASP applications, and executables on the server.

Click OK.

Notes

Disabling permissions restricts all users. For example, disabling the Read permission restricts all users from viewing a file, regardless of the NTFS permissions applied to those users' accounts. However, enabling the Read permission can allow all users to view that file, unless NTFS permissions that restrict access have also been applied.
If both IIS and NTFS permissions are set, the permissions that explicitly deny access take precedence over permissions that grant access.

Important When you select Script Source Access, users may be able to view sensitive information, such as a user name and password, from the scripts in an ASP application. They may also be able to change source code that runs on your server, and seriously affect your server's security and performance. Access to these types of information and functions are best utilized through individual Windows accounts and higher-level authentication, such as Digest or integrated Windows authentication.

To set permissions for FTP content

In the IIS snap-in, select an FTP site, virtual directory, or file, and open its property sheets.
On the Home Directory, Virtual Directory, or File property sheet, select or clear any of the following check box options:

Read Users can view file contents.
Write Users can change file contents.
Log visits You can record user visits in a log file.

Note Problems starting out-of-process applications after changing the account information may be a result of the user account's name and password information not being synchronized after the change. You might receive Event Log errors telling you that your IWAM_computername account could not be logged on. If you encounter this problem, run the synciwam script to synchronize the passwords. To run the script, at the command prompt type: cscript synciwam.vbs [-v|-h]

-v uses verbose mode and prints a log of the script's activity.

-h prints the script Help information.

The synciwam.vbs file is located here: %systemdrive%\inetpub\adminscripts

For more information about these property sheets, click Help on the appropriate property sheet.