IIS 7.0/IIS 7.5 Defaults and Configuration Manager 2007 Interaction – Part I

Recently I was asked about the default permissions for IIS 7.0 and 7.5 so I start doing some digging and testing. 

You might ask why is this important? Well if someone changes the permissions or a policy is applied to your server it will be extremely important to have a good idea of what has been changed. This is a good starting point.The information below is what I came up with so far.

 

IIS 7.0/IIS 7.5 Default Permissions

Currently there is no article outlining the default permissions for IIS 7.0 and 7.5 however I have put together the following guidelines for your reference.

• If you install Windows 2008 (not R2) by default it will install IIS 7.0 and you have to download the Webdav components.
• If you install Windows 2008 R2(R2 rocks) by default it will install IIS 7.5 and Webdav is part of Server Manager Roles(you just enabled it)
• I have some advisory information on WebDav for future installed. I provided my blog link that talks about WebDav in one of my previous blog posting  https://blogs.msdn.com/rodneyj/archive/2009/05/18/client-install-fails-when-connecting-to-windows-2008.aspx

New IIS Accounts :

· IIS_IUSRS (a new built-in group), as it replaces IIS_WPG and is already granted the minimum rights required to start up a worker process.

· IUSR built in account replaced the IUSR_Machine Name

· Both of these accounts are granted the minimum rights required to start up a worker process.

· Do not modify these accounts.

Understanding the Built-In User and Group Accounts in IIS 7.0

https://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70

Policies and Security Settings:

I Installed SQL 2008, Windows 2008 R2, Webdav, SCCM 2007 SP2 and highlighted a few changes:

Local Users and Groups

Default Membership is listed below:

“Users” Membership:

• Administrator
• Guests

“Group” Membership: