I added and gave the "Authenticated User" group modify/read/list/write permissions to one sub-folder inside the wwwroot folder. Will doing this cause a security hole?
If so, what is a better alternative? Better still, is there a way I can give only the PHP.exe permission to write to this directory?
I did this to allow PHP (using Joomla CMS) to be able to write to certain directories within that sub-directory. However, just giving the IIS_IUSRS or IUSR write and modify access did not work.
Best Answer
As a baseline, giving anything Write access in a content folder is a potentially exploitable hole. If someone can write to that location, they can create (for example) unauthorized or unexpected code, or defacement, in that location.
PHP is a process that runs with a user identity; processes don't have an inherent identity on their own*, they act on behalf of the identity that starts them.
To answer the "better alternative" question: If your app needs it, you need it. But you're at the mercy of the app getting its security (and security of any internal published applications, scripts or tools) right.
*pedantry corner: Obviously, processes have a process token; the question implied it was possible to grant permissions directly to an EXE and not the user of that EXE, which isn't possible.
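
Since permissions attach to the identity a process runs as, a useful check is to find that identity and compare it with the accounts that can currently write to the folder. The script below is an added example, not part of the original question or answer; the folder path and the process name are assumptions to adjust for the site. Run it from an elevated prompt so the owners of other users' processes are visible.

```powershell
# Assumptions (not from the original post): both values are placeholders.
$Folder      = 'C:\inetpub\wwwroot\site\writable'  # hypothetical writable sub-folder
$ProcessName = 'php-cgi.exe'                       # hypothetical; could be php.exe or w3wp.exe

# 1. Which identity do the running PHP processes act on behalf of?
$owners = @(Get-CimInstance Win32_Process -Filter "Name='$ProcessName'" |
    ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        if ($o.ReturnValue -eq 0) { '{0}\{1}' -f $o.Domain, $o.User }
    } | Sort-Object -Unique)

if (-not $owners) {
    Write-Warning "No running '$ProcessName' process found; request a PHP page first."
}
"Process identities: $($owners -join ', ')"

# 2. Rights that let a principal create, change or delete content.
#    Generic write / generic all are included because inherit-only ACEs
#    can carry them instead of the specific file rights.
$writeRights = [System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

# 3. Every Allow ACE on the folder that grants any of those rights.
$writers = (Get-Acl -LiteralPath $Folder).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ([int]$_.FileSystemRights -band $mask)
}

# 4. Report them. IsProcessIdentity is a direct name match only; group
#    membership (for example of "Authenticated Users") is not resolved,
#    so a group ACE shows False even when the process is a member.
$writers |
    Select-Object IdentityReference, FileSystemRights, IsInherited,
        @{ Name = 'IsProcessIdentity'
           Expression = { $owners -contains $_.IdentityReference.Value } } |
    Format-Table -AutoSize

# 5. After reviewing the report, write access can be narrowed to the single
#    identity from step 1. Left commented out on purpose; <identity> is a
#    placeholder for one of the names printed above.
# icacls $Folder /grant "<identity>:(OI)(CI)M"
# icacls $Folder /remove "Authenticated Users"
```

Any row with a broad group and `IsProcessIdentity` set to `False` is a candidate for removal once the process identity itself has been granted Modify on that one sub-folder.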