IIS_IUSRS and IUSR permissions in IIS8

Question

I've just moved away from IIS6 on Win2003 to IIS8 on Win2012 for hosting ASP.NET applications.

Within one particular folder in my application I need to Create & Delete files. After copying the files to the new server, I kept seeing the following errors when I tried to delete files:

Access to the path 'D:\WebSites\myapp.co.uk\companydata\filename.pdf' is denied.

When I check IIS I see that the application is running under the DefaultAppPool account, however, I never set up Windows permissions on this folder to include IIS AppPool\DefaultAppPool

Instead, to stop screaming customers I granted the following permissions on the folder:

IUSR

• Read & Execute
• List Folder Contents
• Read
• Write

IIS_IUSRS

• Modify
• Read & Execute
• List Folder Contents
• Read
• Write

This seems to have worked, but I am concerned that too many privileges have been set. I've read conflicting information online about whether IUSR is actually needed at all here. Can anyone clarify which users/permissions would suffice to Create and Delete documents on this folder please? Also, is IUSR part of the IIS_IUSRS group?

Update & Solution

Please see my answer below. I've had to do this sadly as some recent suggestions were not well thought out, or even safe (IMO).

Answer 1

IUSR is part of the IIS_IUSER group, so I guess you can remove the permissions for IUSR without worrying. Further reading

However, a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE. This is because services running as NETWORKSERVICE can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities.

The Windows operating system provides a feature called "Virtual Accounts" that allows IIS to create unique identities for each of its Application Pools. DefaultAppPool is the default pool that is assigned to all Application Pools you create.

To make it more secure you can change the IIS DefaultAppPool Identity to ApplicationPoolIdentity.

Regarding permissions, Create and Delete summarize all the rights that can be given. So whatever you have assigned to the IIS_USERS group is all that they will require.

Answer 2

When I added permissions for IIS_IUSRS to the site folder, resources like JavaScript and CSS were still inaccessible (error 401, forbidden). However, when I added IUSR, it started working. So for sure you cannot remove the permissions for IUSR.

Answer 3

@EvilDr You can create an IUSR_[identifier] account within your AD environment and let the particular application pool run under that IUSR_[identifier] account:

"Application pool" > "Advanced Settings" > "Identity" > "Custom account"

Set your website to "Applicaton user (pass-through authentication)" and not "Specific user", in the Advanced Settings.

Now give that IUSR_[identifier] the appropriate NTFS permissions on files and folders, for example: modify on companydata.

Answer 4

IIS_IUSRS group has prominence only if you are using ApplicationPool Identity. Even though you have this group looks empty at run time IIS adds to this group to run a worker process according to microsoft literature.

Answer 5

I would use specific user (and NOT Application user). Then I will enable impersonation in the application. Once you do that whatever account is set as the specific user, those credentials would used to access local resources on that server (Not for external resources).

Specific User setting is specifically meant for accessing local resources.