IIS_IUSRS and IUSR permissions in IIS8
Solution 1
I hate to post my own answer, but some answers recently have ignored the solution I posted in my own question, suggesting approaches that are nothing short of foolhardy.
In short - you do not need to edit any Windows user account privileges at all. Doing so only introduces risk. The process is entirely managed in IIS using inherited privileges.
Applying Modify/Write Permissions to the Correct User Account
-
Right-click the domain when it appears under the Sites list, and choose Edit Permissions
Under the Security tab, you will see
MACHINE_NAME\IIS_IUSRS
is listed. This means that IIS automatically has read-only permission on the directory (e.g. to run ASP.Net in the site). You do not need to edit this entry. Click the Edit button, then Add...
-
In the text box, type
IIS AppPool\MyApplicationPoolName
, substitutingMyApplicationPoolName
with your domain name or whatever application pool is accessing your site, e.g.IIS AppPool\mydomain.com
-
Press the Check Names button. The text you typed will transform (notice the underline):
Press OK to add the user
-
With the new user (your domain) selected, now you can safely provide any Modify or Write permissions
Solution 2
IUSR
is part of the IIS_IUSER
group, so I guess you can remove the permissions for IUSR
without worrying. Further reading
However, a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE
. This is because services running as NETWORKSERVICE
can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities.
The Windows operating system provides a feature called "Virtual Accounts" that allows IIS to create unique identities for each of its Application Pools. DefaultAppPool
is the default pool that is assigned to all Application Pools you create.
To make it more secure you can change the IIS DefaultAppPool
Identity to ApplicationPoolIdentity
.
Regarding permissions, Create and Delete summarize all the rights that can be given. So whatever you have assigned to the IIS_USERS
group is all that they will require.
Solution 3
When I added permissions for IIS_IUSRS
to the site folder, resources like JavaScript and CSS were still inaccessible (error 401, forbidden). However, when I added IUSR
, it started working. So for sure you cannot remove the permissions for IUSR
.
Solution 4
IIS_IUSRS group has prominence only if you are using ApplicationPool Identity. Even though you have this group looks empty at run time IIS adds to this group to run a worker process according to microsoft literature.
Solution 5
@EvilDr You can create an IUSR_[identifier] account within your AD environment and let the particular application pool run under that IUSR_[identifier] account:
"Application pool" > "Advanced Settings" > "Identity" > "Custom account"
Set your website to "Applicaton user (pass-through authentication)" and not "Specific user", in the Advanced Settings.
Now give that IUSR_[identifier] the appropriate NTFS permissions on files and folders, for example: modify on companydata.
Related videos on Youtube
EvilDr
Apparently, this user prefers to scream, "Groovy" at medieval airheads.
Updated on February 10, 2022Comments
-
EvilDr over 2 years
I've just moved away from IIS6 on Win2003 to IIS8 on Win2012 for hosting ASP.NET applications.
Within one particular folder in my application I need to Create & Delete files. After copying the files to the new server, I kept seeing the following errors when I tried to delete files:
Access to the path 'D:\WebSites\myapp.co.uk\companydata\filename.pdf' is denied.
When I check IIS I see that the application is running under the DefaultAppPool account, however, I never set up Windows permissions on this folder to include IIS AppPool\DefaultAppPool
Instead, to stop screaming customers I granted the following permissions on the folder:
IUSR
- Read & Execute
- List Folder Contents
- Read
- Write
IIS_IUSRS
- Modify
- Read & Execute
- List Folder Contents
- Read
- Write
This seems to have worked, but I am concerned that too many privileges have been set. I've read conflicting information online about whether IUSR is actually needed at all here. Can anyone clarify which users/permissions would suffice to Create and Delete documents on this folder please? Also, is IUSR part of the IIS_IUSRS group?
Update & Solution
Please see my answer below. I've had to do this sadly as some recent suggestions were not well thought out, or even safe (IMO).
-
dumbledad over 10 yearsTo get WordPress working on IIS 8 on an Azure virtual machine (Windows Server 2012 Datacenter) I needed to grant the permissions you have listed for IIS_IUSRS to IUSR for the blog directory in inetpub/wwwroot
-
RenniePet about 7 yearsFor those who come to this thread because they're trying to run Joomla under IIS and are having problems with the file security settings, I've written a blog article with what I think is the proper solution. Probably also applicable to WordPress or other PHP-based web server programs. renniestechblog.com/index.php/information/…
-
KyleMit over 6 yearsPossible duplicate of IIS AppPoolIdentity and file system write access permissions
-
Thulasiram over 4 yearsWorking fine after adding full permission for folder for user group IIS_IUSRS.
-
EvilDr over 4 years@Thulasiram but then you've given full privileges to all IIS Users. Think about that from a hacker's perspective. One weak site and they gain total control of all the rest
-
Thulasiram over 4 years@EvilDr Thanks for Information we are changing the permission now... :)
-
EvilDr about 11 yearsThanks but I'm not using AD. Also according to recent MS documentation, IIS 7&8 are already configured to work as you describe. The question really is whether one of the specified accounts is actually needed or not, and which one does the business?
-
Jan Reilink about 11 years@EvilDr Thanks for clarifying you are not using an AD. Well, IIS_IUSRS is not a user, it's a group. Like IIS_WPG on IIS 6.0. You can read about IIS_IUSRS and IUSR here: link. You can set modify permissions on companydata* for the IUSR account and you can add this user to the IIS_IUSRS group and use that useraccount to run your application pool under. You only need to grand permissions for IIS_IUSRS on shared folders (TMP for instance), if you have multiple IUSR_accounts.
-
EvilDr about 11 yearsJan, I always thought that IUSR was part of the IIS_IUSRS group by default? How can you check if this is so, as the IUSR account is a built-in account. Are you saying that I should uncheck Modify for IIS_USRS and check it for IUSR instead? Given the single-application requirement I don't think it will really make a difference will it?
-
Mark Berry over 10 yearsI just installed IIS 8 under Server Essentials 2012 R2. This machine is also a domain controller. In AD Users and Computers, the IIS_IUSRS group is empty--it does not contain the IUSR user. I suppose I could add it to the group, but for anonymous sites, I'll just grant permissions to the IUSR user.
-
ihebiheb over 10 yearsWhen I granted permissions for IUSR it worked. When I granted permissions to IIS_IUSER it did not work.
-
EvilDr almost 10 yearsDon't forget that (if you have IIS7+) the correct solution is to use
IIS AppPool\MyApplicationPoolName
as per my updated answer. You don't need to mess about with IUSR(S) any more! -
Alexander almost 10 yearsI've tried your suggestion, but it does not work. I have removed IUSR(S) from permission and remained only the poolname, app is running under. Resources became unaccessible. IIS 8.5. When I added IUSR - it got working.
-
finejustice over 9 yearsIusr is not a member of IIS_Iusrs. (or windows have a bug) Generally, Windows uses IIS_Iusrs. (executing dynamic pages or accessing static pages) but there is some cases when windows uses Iusr, not IIS_Iusrs. file upload using PHP is one of that case. (and if you granted iis_iusr only, you will meet privilege exception) I think M$ should give "A best-practice" for granting permssion of Iusr and IIS_Iusrs...
-
Rohit Arora almost 9 yearsI think now its changed to Application pool group i.e (IWGP) . I gave permissions to IWGP and it worked .
-
giammin almost 9 yearsIUSR is part of IIS_IUSER. NO IT IS NOT! IUSR is the anonimous user, IIS_IUSER is the group for apppool users
-
Hammad Khan almost 8 yearsperfect answer. In step 2 I saw that IIS_IUSRS did not have read permission, adding that permission immediately fixed my problem.
-
Charles Burns almost 8 yearsThis did not work on my IIS 8.5 server. Adding
IUSR
works. AddingIIS AppPool\Cache
(the name of my application pool) yieldsHTTP Error 401.3 - Unauthorized
-
Jon over 7 years@CharlesBurns I had the same issue, I found this to be my root cause: techras.wordpress.com/2016/03/09/… (anonymous auth was set to use IUSR instead of Application Pool Identity)
-
MikeTeeVee about 7 yearsI had a folder used only as a Virtual Directory and it worked fine up until I shared it (the windows folder it pointed to) with another domain account, so it could view the files over our intranet. When I did this, the files in the Virtual Directory suddenly became unreachable. I ended up having to add both
MyComputerName\IIS_IUSRS
andIUSR
with Read only permissions for it to work again. This is just for Virtual Directories (not .net Apps), but figure someone may find it useful. -
Maicon Lino about 7 yearsSo so so so Thank's ! I search on the all web, various soluctions, but the true soluction, the simple soluction was show by @Jon. I try execute exec() in cmd an external program, but because this propriety of IIS 8 we not can run. But, now, i search que corret question.
-
EvilDr about 7 years@MaiconHerverton - you're welcome. Glad you got it working :-)
-
statler almost 7 yearsJust a note: When you search for the user and the computer is a member of a domain, the IIS AppPool\MyApplicationPoolName may not be found. In my case, I needed to click the Locations button and change the location to the local computer.
-
PeterFnet over 6 yearsCan confirm, statler is correct; when operating on a domain, you must change the location to be the local machine first.
-
Greg about 6 yearsNot sure why this was downvoted. docs.microsoft.com/en-us/iis/get-started/planning-for-security/…
-
Jpsy almost 6 yearsIn my tests the name of the special user to use here has nothing to do with a domain name. It is the name of the Application Pool that is assigned to the site in IIS. This Application Pool may or may not have a name that matches the domain of your website. So the pattern is:
IIS AppPool\[APPLICATION POOL NAME]
. Blanks in the Application Pool name are accepted. Please also note that this user will only be found, if "Built-in security principals" is checked as an object type for the name search (top field in the "Select Users or Groups" dialog). -
Anita Mathew about 5 yearsHi. I tried your solution but when I try to add IIS App Pool\App pool name gives me this : An object named "IIS AppPool\Default Web Site" cannot be found. Check the selected object types and location for accuracy and ensure that you typed the object name correctly, or remove this object from the selection. I replicated each step as mentioned in your answer , but still it wont work?
-
EvilDr about 5 yearsYou need to post your own question with as much information about your situation please.
-
Carnot Antonio Romero about 5 yearsExactly what I needed. And I love the choice of title "Applying Modify/Write Permissions to the Correct User Account" -- leaving no doubt. But like @Jon I also had to make sure anonymous auth was set to run as application pool identity.
-
Mladen B. almost 5 yearsYou could also add a comment about the AppPoolIdentity being set as the Identity for the corresponding application pool (for that domain).
-
xorinzor over 3 years@EvilDRr dotNet code will run as the application pool user (if that's what the identity of the appPool has been configured to use). Otherwise, anonymous requests to (static) resources such as images will be handled via the anonymous authentication of which IUSR is the default identity.
-
David Clarke almost 3 yearsThanks for this - can't believe this is still causing me grief.