IIS IUSRS and IUSR permissions in IIS8

Question

I ve just moved away from IIS6 on Win2003 to IIS8 on Win2012 for hosting ASP NET applications   Within one particular folder in my application I need to Create  amp  Delete files   After copying the files to the new server  I kept seeing the following errors when I tried to delete files      Access to the path  D  WebSites myapp co uk companydata filename pdf  is denied    When I check IIS I see that the application is running under the DefaultAppPool account  however  I never set up Windows permissions on this folder to include IIS AppPool DefaultAppPool  Instead  to stop screaming customers I granted the following permissions on the folder   IUSR   Read  amp  Execute List Folder Contents Read Write   IIS IUSRS   Modify Read  amp  Execute List Folder Contents Read Write   This seems to have worked  but I am concerned that too many privileges have been set   I ve read conflicting information online about whether IUSR is actually needed at all here   Can anyone clarify which users permissions would suffice to Create and Delete documents on this folder please   Also  is IUSR part of the IIS IUSRS group   Update  amp  Solution  Please see my answer below   I ve had to do this sadly as some recent suggestions were not well thought out  or even safe  IMO

User · Accepted Answer

I hate to post my own answer  but some answers recently have ignored the solution I posted in my own question  suggesting approaches that are nothing short of foolhardy   In short - you do not need to edit any Windows user account privileges at all   Doing so only introduces risk   The process is entirely managed in IIS using inherited privileges   Applying Modify Write Permissions to the Correct User Account   Right-click the domain when it appears under the Sites list  and choose Edit Permissions    Under the Security tab  you will see MACHINE NAME IIS IUSRS is listed   This means that IIS automatically has read-only permission on the directory  e g  to run ASP Net in the site    You do not need to edit this entry    Click the Edit button  then Add    In the text box  type IIS AppPool MyApplicationPoolName  substituting MyApplicationPoolName with your domain name or whatever application pool is accessing your site  e g  IIS AppPool mydomain com   Press the Check Names button   The text you typed will transform  notice the underline     Press OK to add the user With the new user  your domain  selected  now you can safely provide any Modify or Write permissions

User · Answer

EvilDr You can create an IUSR  identifier  account within your AD environment and let the particular application pool run under that IUSR  identifier  account    Application pool     Advanced Settings     Identity     Custom account   Set your website to  Applicaton user  pass-through authentication   and not  Specific user   in the Advanced Settings   Now give that IUSR  identifier  the appropriate NTFS permissions on files and folders  for example  modify on companydata

User · Answer

IIS IUSRS group has prominence only if you are using ApplicationPool Identity  Even though you have this group looks empty at run time IIS adds to this group to run a worker process according to microsoft literature

User · Answer

When I added IIS IUSRS permission to site folder - resources  like js and css  still were unaccessible  error 401  forbidden   However  when I added IUSR - it became ok  So for sure  you CANNOT remove the permissions for IUSR without worrying   dear  Travis G

User · Answer

I would use specific user  and NOT Application user   Then I will enable impersonation in the application  Once you do that whatever account is set as the specific user  those credentials would used to access local resources on that server  Not for external resources     Specific User setting is specifically meant for accessing local resources

User · Answer

IUSR is part of IIS IUSER group so i guess you can remove the permissions for IUSR without worrying  Further Reading  However  a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE  This is because services running as NETWORKSERVICE can tamper with other services that run under the same identity  Because IIS worker processes run third-party code by default  Classic ASP  ASP NET  PHP code   it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities  The Windows operating system provides a feature called  Virtual Accounts  that allows IIS to create unique identities for each of its Application Pools  DefaultAppPool is the by default pool that is assigned to all  Application Pool you create    To make it more secure you can change the IIS DefaultAppPool Identity to ApplicationPoolIdentity    Regarding permission  Create and Delete summarizes all the rights that can be given  So whatever you have assigned to the IIS USERS group is that they will require  Nothing more  nothing less    hope this helps

[iis] IIS_IUSRS and IUSR permissions in IIS8

Applying Modify/Write Permissions to the Correct User Account

Examples related to iis

Examples related to permissions

Examples related to asp.net-4.5

Examples related to windows-server-2012

Examples related to iis-8