Access Control Lists (ACLs)

Windows NT Server protects information resources by requiring assigned user accounts and password authentication. A system administrator can control access to these resources by defining a user's access level. Perhaps the greatest advantage of integrating the Internet Information Server with Windows NT Server is that there is no need to duplicate a directory of user accounts. Internet Information Server uses the Windows NT Server directory database of user accounts.

In the Windows NT Server File System (NTFS), the system administrator adds a user to an Access Control List. The ACL allows the user to access a file, and at the same time, the ACL can prevent the user from copying or executing a file.

Note

Internet Information Server always uses the identity of the WWW or FTP client before attempting to access a file or program. (If anonymous access is being used, then the WWW server uses the IUSR_computername account.) For better security and flexibility than you can get with FAT partitions, use an NTFS partition for all Internet services — WWW, FTP, and Gopher — and for all virtual directories.

Because client applications need access to server directories to load dynamic-link libraries (DLLs), an incorrectly configured Access Control List can result in unavailable files and resources. Therefore, when designing your IIS services, always keep in mind the full range of data files and DLLs that a user might need. If you set up directories that contain the necessary files for your users and assign the directory and folders the correct level of NTFS permissions, you can guarantee security while providing uninterrupted service to your users.
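The following added example (not part of the original documentation) is a simplified Python model of how an ACL is evaluated for the anonymous account. It shows an ACL that allows reading a file while preventing execution, and a DLL directory that becomes unavailable because the account was left off its ACL. The computer name WEBSRV1, the directory paths, and the right values are constructed for illustration; the model ignores ownership, privileges, and inheritance.

```python
from dataclasses import dataclass

# Simplified rights (constructed bit values, not the real NTFS access masks)
READ, WRITE, EXECUTE = 1, 2, 4

@dataclass(frozen=True)
class Ace:
    allow: bool    # True = access-allowed entry, False = access-denied entry
    trustee: str   # user or group the entry applies to
    mask: int      # rights covered by the entry

def access_check(acl, identities, wanted):
    """Walk the entries in order: allow entries accumulate, a deny entry that
    covers a still-needed right fails the request, and any right that no
    entry granted is denied implicitly."""
    remaining = wanted
    for ace in acl:
        if ace.trustee not in identities:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False
        if remaining == 0:
            return True
    return remaining == 0

# Constructed sample: the anonymous account plus a group it belongs to
ANON = {"IUSR_WEBSRV1", "Everyone"}

# Constructed sample ACLs for three hypothetical directories
ACLS = {
    r"D:\wwwroot\docs": [Ace(True, "IUSR_WEBSRV1", READ)],
    # DLL directory where the anonymous account was never added
    r"D:\wwwroot\bin": [Ace(True, "Administrators", READ | WRITE | EXECUTE)],
    # Deny entry listed first, so uploads can be stored but never executed
    r"D:\wwwroot\upload": [Ace(False, "IUSR_WEBSRV1", EXECUTE),
                           Ace(True, "Everyone", READ | WRITE | EXECUTE)],
}

# Rights the service needs in each directory (assumption for this example)
NEEDS = {r"D:\wwwroot\docs": READ,
         r"D:\wwwroot\bin": READ | EXECUTE,
         r"D:\wwwroot\upload": READ | WRITE}

def audit(acls, identities, needs):
    """Return the directories where the identity lacks a right it needs."""
    return sorted(p for p, wanted in needs.items()
                  if not access_check(acls[p], identities, wanted))
```

Running `audit(ACLS, ANON, NEEDS)` reports only the DLL directory, which is the misconfiguration that leaves resources unavailable to clients.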