Migrating a Web Server to IIS 5.0

Setting NTFS Permissions

To protect your Web server from unwanted intrusions, you can set access permissions by user and group account for each file or directory stored in the Windows NTFS file system. Permissions set on a directory apply to each file within the directory. However, if a file within the directory has more restrictive settings, the more restrictive settings apply. For information about setting NTFS permissions, see the “Setting NTFS Permissions for a Directory or File” topic in the IIS 5.0 online product documentation. Note that you cannot set these access permissions for files and directories stored in a FAT file system.

The following are a few guidelines for configuring NTFS permissions for user and group accounts used by IIS 5.0:

Anonymous User During installation, the IIS 5.0 Web and FTP services are assigned a default user account, called IUSR_computername, for anonymous users. Do not make this account a member of any privileged group.
IIS Admin Service Do not give the IIS Admin Service the right to log on as the LocalSystem account.
Test It’s a good idea to create a Test group account to which you can give enlarged access permissions, such as Write or Execute, needed by application developers and testers.
Full Control Only two accounts should be always given NTFS Full Control permissions: LocalSystem and Administrator. On selected files, you might want to also give full control to Owner/Creator.