Migrating a Web Server to IIS 5.0

Setting IIS 5.0 Permissions

You set additional access permissions for Web users in the IIS snap-in. The easiest way to set up basic IIS 5.0 security is to use the Permissions Wizard. To start the wizard, in the IIS snap-in select the Web site or directory for which you want to set permissions, click Action on the toolbar, point to All Tasks, and then click Permissions Wizard.

You can also configure security on Web Site property sheets. The following are some rules-of-thumb for setting IIS 5.0 permissions based on the type of access you want to provide. You might need to implement security differently than described here, depending on the requirements of your particular system. For more information about setting access permissions, see the “Access Control” topic in the IIS 5.0 online product documentation and Security in this book.

Note If NTFS file and directory access permissions do not match the access permissions set in the IIS snap-in, the more restrictive settings take effect.

Web and FTP Site Anonymous Access To protect the information on your computer, restrict access by anonymous users. To do this, in the IIS snap-in deny all access to the anonymous user account, which is IUSR_computername by default. Next, select the specific files and directories under the root to which you want to allow anonymous access and enable the appropriate permissions for the anonymous user account. To override the access restrictions you set at the root level for these files and directories, clear the Allow inheritable permissions from parent to propagate to this object check box.
Web and FTP Site Authenticated Access To require users to provide a valid user name and password in order to access a Web or FTP site, in the IIS snap-in disable anonymous access on the Directory Security tab of Web Site Properties or FTP Site Properties. For Web sites, you can then select the type of authentication: Basic, Digest, or integrated Windows authentication. For more information, see the “Authentication” topic in the IIS 5.0 online product documentation and Security in this book.
By default IIS 5.0 attempts to authenticate Web and FTP users from the local user database. For a Web site, you can change authentication to the domain user database from within the IIS snap-in. For an FTP site, you must modify the DefaultLogonDomain metabase property for the FTP service. To do this, you can use the IIS Administration Script Utility (Adsutil.exe), installed with IIS 5.0, as follows:
At the command prompt, type:
adsutil.exe set msftpsvc/DefaultLogonDomain “Name of Your Domain”
Note To set up an FTP site where users can upload files, but not see files already uploaded to the site by other users, use virtual directories. Enable Write, but not Read, permission for the user accounts. Give Read permission to the Administrator account only.