Default permissions and user rights for IIS 7.0 and later

This article describes the default permissions and user rights that are set on certain folders and files. These folders and files are installed with Microsoft Internet Information Services (IIS) 7.0 and later.

Original product version:   Internet Information Services 8.0
Original KB number:   981949

Permission changes in IIS 6.0, IIS 7.0, and later versions

In IIS 6.0, a local account (IUSR_MachineName) is created when IIS is installed. The IUSR_MachineName account is the default identity that is used by IIS when Anonymous authentication is enabled. Anonymous authentication is used by both the File Transfer Protocol (FTP) service and the HyperText Transfer Protocol (HTTP) service. IIS 6.0 also contains a group that is named IIS_WPG. The IIS_WPG group is used as a container for all Application Pool Identities.

In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. The IUSR_MachineName account is created and used only when the FTP 6 server that is included on the Windows Server 2008 DVD is installed. If the FTP 6 server isn't installed, the account isn't created.

Beginning in IIS 7.5, a new security feature is added that is called Application Pool Identities. This feature lets you run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

For more information about IIS 7.0 accounts and groups, visit Understanding built-in user and group accounts in IIS 7.

For more information about Application Pool Identities, visit Application Pool Identities.

Default NTFS file system permissions

The tables in this section list the default New Technology File System (NTFS) permissions that are assigned to certain folders and files. These folders and files are installed together with IIS 7.0, IIS 7.5, IIS 8.0, IIS 8.5, and IIS 10.0.

\inetpub

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
SYSTEM Full control
Administrators Full control
Users Read & execute
List folder contents
Read
TrustedInstaller Full control

\inetpub\AdminScripts

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
SYSTEM Full control
Administrators Full control
Users Read & execute
List folder contents
Read
TrustedInstaller Full control

\inetpub\AdminScripts\0409

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from \inetpub\AdminScripts.
SYSTEM Full control Inherited from \inetpub\AdminScripts.
Administrators Full control Inherited from \inetpub\AdminScripts.
Users Read & execute
List folder contents
Read
Inherited from \inetpub\AdminScripts.
TrustedInstaller Full control Inherited from \inetpub\AdminScripts.

\inetpub\custerr

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to Subfolders and files only.
Inherited from \inetpub.
SYSTEM Full control
Special permissions
Full control is inherited from \inetpub.
Special Permissions are equivalent to Full control.
Applies to this folder only.
Administrators Full control
Special permissions
Full control is inherited from \inetpub.
Equivalent to Full control.
Applies to this folder only.
Users Read & execute
List folder contents
Read
Special permissions
Permissions are inherited from \inetpub except for special permissions.

Special permissions apply to this folder only, and include the following:
  • Traverse folder / execute file
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Read permissions
TrustedInstaller Full control Inherited from \inetpub.

\inetpub\custerr\en-us

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from \inetpub.
SYSTEM Full control Inherited from \inetpub.
Administrators Full control Inherited from \inetpub.
Users Read & execute
List folder contents
Read
Inherited from \inetpub.
TrustedInstaller Full control Inherited from \inetpub.

\inetpub\ftproot

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from \inetpub.
SYSTEM Full control Inherited from \inetpub.
Administrators Full control Inherited from \inetpub.
Users Read & execute
List folder contents
Read
Inherited from \inetpub.
TrustedInstaller Full control Inherited from \inetpub.

\inetpub\history and subfolders

Users / groups Allowed permissions Comments
SYSTEM Full control
Administrators Full control

\inetpub\logs

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from \inetpub.
SYSTEM Full control Inherited from \inetpub.
Administrators Full control Inherited from \inetpub.
Users Read & execute
List folder contents
Read
Inherited from \inetpub.
WMSvc List folder contents
TrustedInstaller Full control Inherited from \inetpub.

\inetpub\logs\FailedReqLogFiles

Users / groups Allowed permissions Comments
IIS_IUSRS Special permissions Special permissions include the following:
  • List folder / read data
  • Create files / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
SYSTEM Full control
Administrators Full control

\inetpub\logs\wmsvc

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from \inetpub.
SYSTEM Full control Inherited from \inetpub.
Administrators Full control Inherited from \inetpub.
Users Read & execute
List folder contents
Read
Inherited from \inetpub.
WMSvc Modify
Read & execute
List folder contents
Read
Write
List folder contents permission is inherited from \inetpub\logs.
TrustedInstaller Full control Inherited from \inetpub.

\inetpub\temp

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from \inetpub.
SYSTEM Full control Inherited from \inetpub.
Administrators Full control Inherited from \inetpub.
Users Read & execute
List folder contents
Read
Inherited from \inetpub.
TrustedInstaller Full control Inherited from \inetpub.

\inetpub\temp\appPools

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
SYSTEM Full control
Administrators Full control
IIS_IUSRS Read & execute Inherited from \inetpub.

\inetpub\temp\ASP Compiled Templates

Users / groups Allowed permissions Comments
By default, no permissions are assigned to this folder.

\inetpub\temp\IIS Temporary Compressed Files

Users / groups Allowed permissions Comments
SYSTEM Full control
Administrators Full control
IIS_IUSRS Full control

\inetpub\wwwroot

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from \inetpub.
SYSTEM Full control Inherited from \inetpub.
Administrators Full control Inherited from \inetpub.
Users Read & execute
List folder contents
Read
Inherited from \inetpub.
IIS_IUSRS Read & execute
TrustedInstaller Full control Inherited from \inetpub.

\inetpub\wwwroot\aspnet_client

Users / groups Allowed permissions Comments
Everyone Read
SYSTEM Full control
Administrators Full control
Users Read & execute
List folder contents
Read

%windir%\system32\inetsrv

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
SYSTEM Special permissions Special permissions allowed for the SYSTEM account for this folder only include the following:
  • Traverse folder / execute file
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create file / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete
  • Read permissions

Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control.
Administrators Special permissions Special permissions allowed for the Administrators group for this folder only include the following:
  • Traverse folder / execute file
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create file / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete
  • Read permissions

Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control.
Users Read & execute
List folder contents
Read
TrustedInstaller Special permissions Permissions are equivalent to Full control, and apply to this folder and subfolders.

%windir%\System32\inetsrv\0409

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from %windir%\System32\inetsrv.
SYSTEM Full control Inherited from %windir%\System32\inetsrv.
Administrators Full control Inherited from %windir%\System32\inetsrv
Users Read & execute
List folder contents
Read
Inherited from %windir%\System32\inetsrv
TrustedInstaller Special permissions Equivalent to Full control.
Applies to subfolders and files only.
Inherited from %windir%\System32\inetsrv

%windir%\System32\inetsrv\config

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
SYSTEM Full control
Administrators Full control
Users Read & execute
List folder contents
Read
TrustedInstaller Full control
WMSvc Read

%windir%\System32\inetsrv\config\Export

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
SYSTEM Full control
Administrators Full control
TrustedInstaller Full control

%windir%\System32\inetsrv\config\schema

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
SYSTEM Special permissions Special permissions allowed for the SYSTEM account for this folder only include the following:
  • Traverse folder / execute file
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create file / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete
  • Read permissions

Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control.
Administrators Special permissions Special permissions allowed for the Administrators group for this folder only include the following:
  • Traverse folder / execute file
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create file / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete
  • Read permissions

Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control.
Users Read & execute
List folder contents
Read
TrustedInstaller Special permissions Equivalent to Full control.
Applies to this folder and subfolders.

%windir%\System32\inetsrv\en-us

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subfolders and files only.
SYSTEM Special permissions Special permissions allowed for the SYSTEM account for this folder only include the following:
  • Traverse folder / execute file
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create file / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete
  • Read permissions

Special permission allowed for SYSTEM for subfolders and files only is equivalent to Full control.
Administrators Special permissions Special permissions allowed for the Administrators group for this folder only include the following:
  • Traverse folder / execute file
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create file / write data
  • Create folders / append data
  • Write attributes
  • Write extended attributes
  • Delete
  • Read permissions

Special permission allowed for the Administrators group for subfolders and files only is equivalent to Full control.
Users Read & execute
List folder contents
Read
TrustedInstaller List folder contents
Special permissions
Equivalent to Full control.
Applies to this folder and subfolders.

%windir%\System32\inetsrv\History

Users / groups Allowed permissions Comments
Administrators Full control
SYSTEM Full control

%windir%\System32\inetsrv\MetaBack

Users / groups Allowed permissions Comments
Administrators Full control
SYSTEM Full control

Default registry permissions

The tables in this section list the default registry permissions that are assigned when IIS 7.0, IIS 7.5, IIS 8.0, or IIS 8.5 is installed. When Read permissions are listed for users, the following permissions are included:

  • Query Value
  • Enumerate Subkeys
  • Notify
  • Read Control

HKEY_LOCAL_MACHINE\Software\Microsoft\Inetmgr

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\Software\Microsoft\W3SVC

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP.NET_2.0.50727

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aspnet_state

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IISAdmin

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WAS

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

Note

The WAS key is for the Windows Process Activation Service. This is a required dependency and is installed together with IIS.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMsvc

Users / groups Allowed permissions Comments
CREATOR OWNER Special permissions Equivalent to Full control.
Applies to subkeys only.
SYSTEM Full control
Administrators Full control
Users Read

Default Windows user rights assignments

The table in this section lists the default local security policies and the users, the groups, or the users and groups that are assigned to the policy when IIS 7.0, IIS 7.5, IIS 8.0, or IIS 8.5 is installed.

Windows user rights that are assigned by local security policy

Allowed permissions Users / groups
Access this computer from the network Everyone
Administrators
Users
Backup operators
Adjust memory quotas for a process LOCAL SERVICE
NETWORK SERVICE
Administrators
ApplicationPoolIdentity
Allow log on locally Administrators
Users
Backup operators
Bypass traverse checking Everyone
LOCAL SERVICE
NETWORK SERVICE
Administrators
Users
Backup operators
Generate security audits ApplicationPoolIdentity
Impersonate a client after authentication LOCAL SERVICE
NETWORK SERVICE
Administrators
IIS_IUSRS
SERVICE
Log on as a batch job Administrators
Backup operators
Performance log users
IIS_IUSRS
Log on as a service ApplicationPoolIdentity
Replace a process level token LOCAL SERVICE
NETWORK SERVICE
ApplicationPoolIdentity