IIS 7.5 default permission - is restriction needed?

Posted by Caroline Beltran on Server Fault
Published on 2014-06-06T21:53:27Z Indexed on 2014/06/07 3:31 UTC

I am using IIS 7.5 and I do not need to explicitly specify permissions for my ISAPI application to execute. Additionally, the application can create subdirectories, create and delete files without me specifying permissions.

Since I am using the default permissions, I checked to see if web.config was safe from prying eyes over the web, and it can’t be read, which is good. My app also creates some .log and .ini files which are also not viewable over the web. I did notice that .txt files are viewable.

I really don’t know how default permissions allow my app to do so much. Is this safe or do I need to lock down? To be honest, I don’t know what accounts to restrict.

App details:

  1. My ISAPI has an ‘allowed’ entry in ISAPI and CGI Restrictions
  2. Folder and subfolders containing my application have ‘default’ permissions set.
  3. Application pool is using ‘classic’ pipeline mode and no managed code.
  4. Pass-through authentication in use.

Thank you for your time
