I'm trying to understand how IIS permissions works because I had a weird scenario today..
So one of the developers installed IIS 10 on the server and created a site under C:\WebSites\Site1
Now, that particular site is also writing some txt log files to C:\Site1-Logs.
The Application Pool of Site1 is running as "ApplicationPoolIdentity".
Theoretically, The user running the site (IIS AppPool\Site1) should have the permission to write/create txt files under C:\Site1-Logs directory with out manually setting a permission for that?
Because I couldn't find any where under Security tab anything related to IIS_USRS group or "IIS AppPool\Site1" user.
When I tried to move the logs writing to another partition (E:) I had to give a writing permission to "IIS AppPool\Site1" and I can actually see the permission under Security tab.
So maybe I'm missing something? By default the IIS is installed as a system service and he already granted with permissions to write to C: ?
There is a best practice for that in terms of security? is it ok to run web applications under C: ?
Thanks and sorry for the bad explanation 😛
icacls C:\Site1-Logs
C:\Site1-Logs NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Best Answer
The group
BUILTIN\Users
has Write Access to yourC:\Site1-Logs
directory.The user
IIS AppPool\Site1
is automatically a member of theUsers
group because that is a special group under Windows.This is why your web-site has write access.
You can't remove
IIS AppPool\Site1
fromusers
, but you could remove the permissions of theusers
groups from the directory.