Setting directory permissions for user group IIS_IUSRS

By Stephen Kellett
12 April, 2023

If you’re working with IIS there is a high likelihood that at some point you’ll want to write data to a log file and/or enable permissions for DLLs and/or executables to run in a specific directory.

To enable executables to run you’ll need to modify the CGI/ISAPI restrictions as described in Setting up ISAPI on IIS 10.0.

For both writing files and running executable code you also need to modify the file permissions for user group IIS_IUSRS. 

How to correctly set permissions for IIS_IUSRS

I’ve witnessed quite a bit of confusion as to how modifying the user permissions should be done – many people don’t add the rights for IIS_IUSRS but instead add the rights for the global user Everyone or for themselves. This punches a huge hole in your webserver’s security. It is far better and far safer to modify the permissions for only the required user, on only the directory you’re working with.

To show you how to do this I’ve created a video of the process and a step-by-step set of instructions.

Step by step instructions

  1. Right-click the directory whose permissions you want to change. A context menu is displayed. Choose Properties….

    Windows Explorer context menu Permissions

  2. The directory Properties dialog is displayed.

    IIS Directory Properties dialog

  3. Select the Security tab.

    IIS Properties dialog Security tab

  4. Click Edit…. The Permissions for <directory-name> dialog is displayed.

    IIS permissions for directory dialog

  5. Click Add…. The Select Users or Group dialog is displayed.

    IIS Permissions Select user or group dialog

  6. Type the IIS users group name IIS_IUSRS into the edit field then click Check Names. Windows will validate the group name (or user name if you’re specifying a user) then display the name in the edit field with an underline.

    IIS Permissions user group IIS_IUSRS

  7. Click OK to accept this user group name. The Permissions for <directory-name> dialog is updated.

    IIS Permissions for a directory dialog with IIS_IUSRS

  8. Scroll down the list of permissions and ensure that the execute and write permissions are enabled.
  9. Click OK. At this point you may get some errors as the contents of the directory are enumerated – some of them may not update to the appropriate permissions. That’s OK because we’re interested in updating the permissions of the directory itself (so that we can write log files or execute ISAPI DLLs etc), we’re not interested in updating the permissions of the contents of the directory. If you get any warning dialogs click Continue to dismiss the warnings.

    IIS Permissions warning dialog

  10. The Security tab is updated to include the new IIS_IUSRS group and its permissions. Click OK to accept the new values.

    IIS Permissions security tab user group IIS_IUSRS

You have successfully updated the permissions for a directory for user group IIS_IUSRS.
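
The same grant can be scripted, which makes it repeatable and easy to review. The PowerShell below is an added example, not part of the original post. It assumes a hypothetical directory path, and it assumes that step 8 means the Read & execute and Write checkboxes. After granting those rights to IIS_IUSRS on that one directory, it reports any Allow entries for Everyone that carry write access. Run it from an elevated prompt.

```powershell
# Added example, not from the original post.
# $Path is a hypothetical directory; replace it with the one you are working with.
$Path  = 'C:\inetpub\example-site\logs'
$Group = 'IIS_IUSRS'

# Scripted counterpart of "Check Names" (step 6): Translate() throws if the
# group cannot be resolved, so a typo never ends up in the ACL.
$account = New-Object System.Security.Principal.NTAccount($Group)
$null    = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Assumption: step 8 corresponds to "Read & execute" plus "Write".
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
# Same default scope the Permissions dialog applies: this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, $rights, $inherit, $prop, $allow)

# Add the rule to this directory's ACL only; existing entries are left as they are.
$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Re-read the ACL with identities as SIDs so the check does not depend on the
# display language. S-1-1-0 is the well-known SID for Everyone.
$acl       = Get-Acl -LiteralPath $Path
$sidType   = [System.Security.Principal.SecurityIdentifier]
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

$tooBroad = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-1-0' -and
    $_.AccessControlType -eq $allow -and
    ($_.FileSystemRights -band $writeBits) -ne 0
}

foreach ($ace in $tooBroad) {
    Write-Warning ("Everyone can write to {0}: {1} (inherited: {2})" -f `
        $Path, $ace.FileSystemRights, $ace.IsInherited)
}

# Show what IIS_IUSRS now holds on the directory.
$acl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Group" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

A warning marked as inherited means the Everyone entry comes from a parent directory, so it has to be removed there rather than on this directory.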
