Default permissions and user rights for IIS 7.0 and later
This article describes the default permissions and user rights that are set on certain folders and files. These folders and files are installed with Microsoft Internet Information Services (IIS) 7.0 and later.
Original product version: Internet Information Services 8.0
Original KB number: 981949
Permission changes in IIS 6.0, IIS 7.0, and later versions
In IIS 6.0, a local account (IUSR_MachineName
) is created when IIS is installed. The IUSR_MachineName
account is the default identity that is used by IIS when Anonymous authentication is enabled. Anonymous authentication is used by both the File Transfer Protocol (FTP) service and the HyperText Transfer Protocol (HTTP) service. IIS 6.0 also contains a group that is named IIS_WPG
. The IIS_WPG
group is used as a container for all Application Pool Identities.
In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName
account. Additionally, a group that is named IIS_IUSRS
replaces the IIS_WPG
group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. The IUSR_MachineName
account is created and used only when the FTP 6 server that is included on the Windows Server 2008 DVD is installed. If the FTP 6 server isn't installed, the account isn't created.
Beginning in IIS 7.5, a new security feature is added that is called Application Pool Identities. This feature lets you run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.
For more information about IIS 7.0 accounts and groups, visit Understanding built-in user and group accounts in IIS 7.
For more information about Application Pool Identities, visit Application Pool Identities.
Default NTFS file system permissions
The tables in this section list the default New Technology File System (NTFS) permissions that are assigned to certain folders and files. These folders and files are installed together with IIS 7.0, IIS 7.5, IIS 8.0, IIS 8.5, and IIS 10.0.
\inetpub
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read & execute List folder contents Read |
|
TrustedInstaller | Full control |
\inetpub\AdminScripts
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read & execute List folder contents Read |
|
TrustedInstaller | Full control |
\inetpub\AdminScripts\0409
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub\AdminScripts . |
SYSTEM | Full control | Inherited from \inetpub\AdminScripts . |
Administrators | Full control | Inherited from \inetpub\AdminScripts . |
Users | Read & execute List folder contents Read |
Inherited from \inetpub\AdminScripts . |
TrustedInstaller | Full control | Inherited from \inetpub\AdminScripts . |
\inetpub\custerr
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to Subfolders and files only. Inherited from \inetpub . |
SYSTEM | Full control Special permissions |
Full control is inherited from \inetpub .Special Permissions are equivalent to Full control. Applies to this folder only. |
Administrators | Full control Special permissions |
Full control is inherited from \inetpub .Equivalent to Full control. Applies to this folder only. |
Users | Read & execute List folder contents Read Special permissions |
Permissions are inherited from \inetpub except for special permissions.Special permissions apply to this folder only, and include the following:
|
TrustedInstaller | Full control | Inherited from \inetpub . |
\inetpub\custerr\en-us
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub . |
SYSTEM | Full control | Inherited from \inetpub . |
Administrators | Full control | Inherited from \inetpub . |
Users | Read & execute List folder contents Read |
Inherited from \inetpub . |
TrustedInstaller | Full control | Inherited from \inetpub . |
\inetpub\ftproot
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub . |
SYSTEM | Full control | Inherited from \inetpub . |
Administrators | Full control | Inherited from \inetpub . |
Users | Read & execute List folder contents Read |
Inherited from \inetpub . |
TrustedInstaller | Full control | Inherited from \inetpub . |
\inetpub\history and subfolders
Users / groups | Allowed permissions | Comments |
---|---|---|
SYSTEM | Full control | |
Administrators | Full control |
\inetpub\logs
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub . |
SYSTEM | Full control | Inherited from \inetpub . |
Administrators | Full control | Inherited from \inetpub . |
Users | Read & execute List folder contents Read |
Inherited from \inetpub . |
WMSvc | List folder contents | |
TrustedInstaller | Full control | Inherited from \inetpub . |
\inetpub\logs\FailedReqLogFiles
Users / groups | Allowed permissions | Comments |
---|---|---|
IIS_IUSRS | Special permissions | Special permissions include the following:
|
SYSTEM | Full control | |
Administrators | Full control |
\inetpub\logs\wmsvc
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub . |
SYSTEM | Full control | Inherited from \inetpub . |
Administrators | Full control | Inherited from \inetpub . |
Users | Read & execute List folder contents Read |
Inherited from \inetpub . |
WMSvc | Modify Read & execute List folder contents Read Write |
List folder contents permission is inherited from \inetpub\logs . |
TrustedInstaller | Full control | Inherited from \inetpub . |
\inetpub\temp
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub . |
SYSTEM | Full control | Inherited from \inetpub . |
Administrators | Full control | Inherited from \inetpub . |
Users | Read & execute List folder contents Read |
Inherited from \inetpub . |
TrustedInstaller | Full control | Inherited from \inetpub . |
\inetpub\temp\appPools
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
SYSTEM | Full control | |
Administrators | Full control | |
IIS_IUSRS | Read & execute | Inherited from \inetpub . |
\inetpub\temp\ASP Compiled Templates
Users / groups | Allowed permissions | Comments |
---|---|---|
By default, no permissions are assigned to this folder. |
\inetpub\temp\IIS Temporary Compressed Files
Users / groups | Allowed permissions | Comments |
---|---|---|
SYSTEM | Full control | |
Administrators | Full control | |
IIS_IUSRS | Full control |
\inetpub\wwwroot
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from \inetpub . |
SYSTEM | Full control | Inherited from \inetpub . |
Administrators | Full control | Inherited from \inetpub . |
Users | Read & execute List folder contents Read |
Inherited from \inetpub . |
IIS_IUSRS | Read & execute | |
TrustedInstaller | Full control | Inherited from \inetpub . |
\inetpub\wwwroot\aspnet_client
Users / groups | Allowed permissions | Comments |
---|---|---|
Everyone | Read | |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read & execute List folder contents Read |
%windir%\system32\inetsrv
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following:
Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following:
Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
Users | Read & execute List folder contents Read |
|
TrustedInstaller | Special permissions | Permissions are equivalent to Full control, and apply to this folder and subfolders. |
%windir%\System32\inetsrv\0409
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from %windir%\System32\inetsrv . |
SYSTEM | Full control | Inherited from %windir%\System32\inetsrv . |
Administrators | Full control | Inherited from %windir%\System32\inetsrv |
Users | Read & execute List folder contents Read |
Inherited from %windir%\System32\inetsrv |
TrustedInstaller | Special permissions | Equivalent to Full control. Applies to subfolders and files only. Inherited from %windir%\System32\inetsrv |
%windir%\System32\inetsrv\config
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read & execute List folder contents Read |
|
TrustedInstaller | Full control | |
WMSvc | Read |
%windir%\System32\inetsrv\config\Export
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
SYSTEM | Full control | |
Administrators | Full control | |
TrustedInstaller | Full control |
%windir%\System32\inetsrv\config\schema
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following:
Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following:
Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
Users | Read & execute List folder contents Read |
|
TrustedInstaller | Special permissions | Equivalent to Full control. Applies to this folder and subfolders. |
%windir%\System32\inetsrv\en-us
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subfolders and files only. |
SYSTEM | Special permissions | Special permissions allowed for the SYSTEM account for this folder only include the following:
Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control. |
Administrators | Special permissions | Special permissions allowed for the Administrators group for this folder only include the following:
Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control. |
Users | Read & execute List folder contents Read |
|
TrustedInstaller | List folder contents Special permissions |
Equivalent to Full control. Applies to this folder and subfolders. |
%windir%\System32\inetsrv\History
Users / groups | Allowed permissions | Comments |
---|---|---|
Administrators | Full control | |
SYSTEM | Full control |
%windir%\System32\inetsrv\MetaBack
Users / groups | Allowed permissions | Comments |
---|---|---|
Administrators | Full control | |
SYSTEM | Full control |
Default registry permissions
The tables in this section list the default registry permissions that are assigned when IIS 7.0, IIS 7.5, IIS 8.0, or IIS 8.5 is installed. When Read permissions are listed for users, the following permissions are included:
- Query Value
- Enumerate Subkeys
- Notify
- Read Control
HKEY_LOCAL_MACHINE\Software\Microsoft\Inetmgr
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\Software\Microsoft\W3SVC
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aspnet_state
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IISAdmin
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WAS
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
Note
The WAS key is for the Windows Process Activation Service. This is a required dependency and is installed together with IIS.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMsvc
Users / groups | Allowed permissions | Comments |
---|---|---|
CREATOR OWNER | Special permissions | Equivalent to Full control. Applies to subkeys only. |
SYSTEM | Full control | |
Administrators | Full control | |
Users | Read |
Default Windows user rights assignments
The table in this section lists the default local security policies and the users, the groups, or the users and groups that are assigned to the policy when IIS 7.0, IIS 7.5, IIS 8.0, or IIS 8.5 is installed.
Windows user rights that are assigned by local security policy
Allowed permissions | Users / groups |
---|---|
Access this computer from the network | Everyone Administrators Users Backup operators |
Adjust memory quotas for a process | LOCAL SERVICE NETWORK SERVICE Administrators ApplicationPoolIdentity |
Allow log on locally | Administrators Users Backup operators |
Bypass traverse checking | Everyone LOCAL SERVICE NETWORK SERVICE Administrators Users Backup operators |
Generate security audits | ApplicationPoolIdentity |
Impersonate a client after authentication | LOCAL SERVICE NETWORK SERVICE Administrators IIS_IUSRS SERVICE |
Log on as a batch job | Administrators Backup operators Performance log users IIS_IUSRS |
Log on as a service | ApplicationPoolIdentity |
Replace a process level token | LOCAL SERVICE NETWORK SERVICE ApplicationPoolIdentity |