IIS 7.5 web site directory permissions

iis-7.5

As a learning experience I'm setting up (and trying to harden) a Windows 2008R2 web server.

My web sites are stored on a separate partition and are organized as below:

/domains
    /somedomain.com
        /logs
        /wwwroot
    /anotherdomain.com
        /logs
        /wwwroot

I've removed the default permissions for the "Users" group from the "domains" directory.

Here are the permissions for /domains

D:\Domains NT AUTHORITY\SYSTEM:(OI)(CI)F 
           BUILTIN\Administrators:(OI)(CI)F 
           CREATOR OWNER:(OI)(CI)(IO)F 

Each web site is configured with a separate application pool running under AppPoolIdentity.

I've granted modify rights to the "wwwroot" for the appropriate application pool user and read permissions for the anonymous user:

D:\domains\somedomain.com\wwwroot IIS APPPOOL\somedomain.com:(OI)(CI)C 
                                    NT AUTHORITY\IUSR:(OI)(CI)R 
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F 
                                    BUILTIN\Administrators:(OI)(CI)(ID)F 
                                    CREATOR OWNER:(OI)(CI)(IO)(ID)F 

Is there anything else that I am missing regarding the directory permissions?

Best Answer

I'm doing something similar, but still differently:

  1. Why do you need Modify rights granted to the wwwroot folder? Read & Execute is enough; only grant Modify when required (e.g. temp, upload, cache folders -- where content will be created/changed, for example by the website app (PHP/ASP.NET etc.)).

    I grant "Read & Execute" to D:\domains\somedomain.com (it is enough) and Modify to specific folders: D:\domains\somedomain.com\var. If I have an app/script that requires the Modify right on a web-accessible folder (for example, LiveZilla live chat software), then I grant it there, e.g. D:\domains\somedomain.com\wwwroot\livechat\banners.

  2. I do not use the IUSR user -- I'm using "Application pool identity" instead:

    • "Application user (pass-through authentication)" on "Site | Basic Settings | Connect as"
    • and "Application pool identity" on "Site | Authentication | Anonymous Authentication"

  3. I do not have "CREATOR OWNER" at all (it was causing problems when running PHP scripts -- unable to execute them at all + something else (don't remember now), so I have removed it from the whole D:\domains). I pretty much have: SYSTEM, Admins, APP_POOL_SPECIFIC_ID, SPECIFIC_FTP_USER.

The above works fine for me on 6 servers with no issues so far (Am I lucky?).
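As an added example (not code from the question or the answer), here is a PowerShell script that applies the layout the answer describes to one site and then audits it: Read & Execute for the app pool identity on the site root, Modify only on a folder outside wwwroot, no CREATOR OWNER, anonymous requests running as the pool identity so IUSR needs no ACEs, and a final check that nothing under wwwroot grants the pool identity a write right. The site name, the D:\domains root and the `var` folder name are assumptions.

```powershell
# Added example (not part of the question or answer): applies the answer's layout to one
# site and audits it. Assumptions: site 'somedomain.com', sites under D:\domains,
# writable content in a 'var' folder outside wwwroot. Run in an elevated prompt.
Import-Module WebAdministration

$Site     = 'somedomain.com'
$SiteRoot = "D:\domains\$Site"
$Identity = "IIS APPPOOL\$Site"

# 1. Site root: stop inheriting, keep SYSTEM and Administrators only
#    (no Users, no CREATOR OWNER, as in point 3 of the answer).
icacls $SiteRoot /inheritance:r
icacls $SiteRoot /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'

# 2. Pool identity: Read & Execute on the whole site is enough to serve content.
icacls $SiteRoot /grant "${Identity}:(OI)(CI)RX"

# 3. Modify only where the app must write, and outside wwwroot.
New-Item -ItemType Directory -Path "$SiteRoot\var" -Force | Out-Null
icacls "$SiteRoot\var" /grant "${Identity}:(OI)(CI)M"

# 4. Anonymous requests run as the pool identity (an empty userName means
#    "Application pool identity"), so IUSR needs no ACEs (point 2 of the answer).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'userName' -Value ''

# 5. Audit: list every folder under wwwroot where the pool identity holds a write right
#    (Write = WriteData|AppendData|WriteEA|WriteAttributes; Modify and Full include it).
function Get-WritableWebFolders {
    param([string]$Path, [string]$Identity)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $dirs = @($Path) + @(Get-ChildItem -Path $Path -Recurse |
                         Where-Object { $_.PSIsContainer } |
                         Select-Object -ExpandProperty FullName)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -Path $dir).Access) {
            if ($ace.IdentityReference.Value -eq $Identity -and
                $ace.AccessControlType -eq 'Allow' -and
                (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
                "$dir : $($ace.FileSystemRights)"
            }
        }
    }
}

$writable = Get-WritableWebFolders -Path "$SiteRoot\wwwroot" -Identity $Identity
if ($writable) { Write-Warning "Pool identity can write under wwwroot:`n$($writable -join "`n")" }
else           { Write-Host "OK: $Identity has no write access under $SiteRoot\wwwroot" }
```

If an application really needs a writable folder inside wwwroot (the answer's livechat\banners case), grant Modify on that one folder only and expect the audit to list exactly it.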