Setting directory permissions for user group IIS_IUSRS
If you’re working with IIS there is a high likelihood that at some point you’ll want to write data to a log file and/or enable permissions for DLLs and/or executables to run in a specific directory.
To enable executables to run you’ll need to modify the CGI/ISAPI restrictions as described in Setting up ISAPI on IIS 10.0.
For both writing files and running executable code you also need to modify the file permissions for user group IIS_IUSRS.
How to correctly set permissions for IIS_IUSRS
I’ve witnessed quite a bit of confusion as to how modifying the user permissions should be done – many people don’t add the rights for IIS_IUSRS but instead add the rights for the global user Everyone or for themselves. This punches a huge hole in your webserver’s security. It is far better and far safer to modify the permissions only for the required user, and only on the directory you’re working with.
To show you how to do this I’ve created a video of the process and a step by step set of instructions.
Step by step instructions
- Right-click the directory whose permissions you want to change. A context menu is displayed. Choose Properties….
- The directory Properties dialog is displayed.
- Select the Security tab.
- Click Edit…. The Permissions for <directory-name> dialog is displayed.
- Click Add…. The Select Users or Group dialog is displayed.
- Type the IIS users group name IIS_IUSRS into the edit field then click Check Names. Windows will validate the group name (or user name if you’re specifying a user) then display the name in the edit field with an underline.
- Click OK to accept this user group name. The Permissions for <directory-name> dialog is updated.
- Scroll down the list of permissions and ensure that the execute and write permissions are enabled.
- Click OK. At this point you may get some errors as the contents of the directory are enumerated – some of them may not update to the appropriate permissions. That’s OK because we’re interested in updating the permissions of the directory itself (so that we can write log files or execute ISAPI DLLs etc), we’re not interested in updating the permissions of the contents of the directory. If you get any warning dialogs click Continue to dismiss the warnings.
- The Security tab is updated to include the new IIS_IUSRS group and its permissions. Click OK to accept the new values.
You have successfully updated the permissions for a directory for user group IIS_IUSRS.
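The same grant can be scripted and then checked. The following PowerShell is an added example, not part of the original article: it gives IIS_IUSRS the read & execute and write rights on one directory, then lists the directory's explicit permission entries and flags any that let Everyone write. The path is a hypothetical placeholder, and the script assumes an elevated PowerShell session on a machine where IIS (and therefore the IIS_IUSRS group) is installed.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell session.
$Path = 'C:\inetpub\wwwroot\myapp\logs'   # hypothetical directory; replace with your own

$acl = Get-Acl -LiteralPath $Path

# The rights ticked in the GUI steps: "Read & execute" and "Write".
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
# Same scope the Security tab uses by default: this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'IIS_IUSRS', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the entry for IIS_IUSRS only; existing entries are left as they are.
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Review: re-read the ACL and list the entries set directly on this directory.
# Everyone is matched by its well-known SID (S-1-1-0) so the check is locale-independent.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        $sid      = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $canWrite = (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        [pscustomobject]@{
            Identity = $_.IdentityReference.Value
            Type     = $_.AccessControlType
            Rights   = $_.FileSystemRights
            Warning  = if ($sid.Value -eq 'S-1-1-0' -and
                           $_.AccessControlType -eq 'Allow' -and $canWrite) {
                           'Everyone can write here; remove this entry'
                       } else { '' }
        }
    } | Format-Table -AutoSize -Wrap
```

Inherited entries are excluded from the listing; if the parent directory grants Everyone write access, inspect the parent's ACL as well.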