1

I'm trying to allow the IUSR account access to certain folders. Currently when I do this, it gets the little red arrow (as seen in this question) and although I can see it in the list and it appears to be given access, it doesn't work.

What do I need to do to allow IUSR access?

I've got an AD domain and I have admin access so can change anything.

Piers Karsenbarg

2 Answers

4

You should change what account runs the app pool to a domain user that has access to the necessary resources.

MDMarra
  • Is there anything special that the account needs to be able to do? Does it need to be a domain admin (for example)? – Piers Karsenbarg Nov 08 '11 at 11:56
  • No, it just needs access to the file system to serve up pages and whatever other access you want to give it. If it needed to be domain admin or local admin, that would be really really bad. – MDMarra Nov 08 '11 at 11:59
  • 1
    This is the answer but worth noting some additional info: if the IIS server is a domain controller, the IUSR account will be a domain account. You will also need to set anonymous authentication to use the app pool identity. – Richard Benson Nov 08 '11 at 13:40
  • @RichardBenson Good point. It is, generally speaking, very bad practice to run IIS on a DC, so if you are actually in this situation - be careful. – MDMarra Nov 08 '11 at 13:45
  • IIS isn't on the DC (just for the record) – Piers Karsenbarg Nov 08 '11 at 14:17
  • This is identical to my answer but significantly more succinct so a better answer. – SBWorks Nov 08 '11 at 15:38
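
The steps from the answer and comments above (app pool running as a domain user, anonymous authentication using the app pool identity, folder access for that account), as an added PowerShell example that is not part of the original thread. The pool name, site name and folder path are placeholders, and the account is assumed to be an ordinary domain user entered as DOMAIN\user.

```powershell
# Added example: every name below is a placeholder (assumption), not from the thread.
Import-Module WebAdministration

$poolName = 'ExamplePool'        # hypothetical application pool
$siteName = 'Example Site'       # hypothetical IIS site
$folder   = 'D:\Data\Reports'    # hypothetical folder the site must read

# Prompt for the domain account (enter it as DOMAIN\user). It should be a plain
# domain user, not a domain admin or local admin.
$cred = Get-Credential -Message 'Domain account for the application pool'

# 1. Run the application pool as that account (identityType 3 = SpecificUser).
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 2. Make anonymous requests run as the app pool identity instead of IUSR.
#    An empty userName on anonymousAuthentication means "use the app pool identity".
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 3. Grant the account read/execute on the folder only, inherited by children.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $cred.UserName, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Recycle the pool so it starts under the new identity, then list the
#    entries the account now holds on the folder to confirm the grant.
Restart-WebAppPool -Name $poolName
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $cred.UserName } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```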
-1

If you have an AD domain, try creating a service account with a non-expiring password, use that account inside your IIS to run services, and then give that account access to those folders.

This is the more typical pattern in larger networks. The individual computer IUSR accounts are not useful for accessing resources.

Here is a nice write-up at Adobe:

By default, the IUSR_computername account is included in the Windows user group Guests when IIS is installed on the server. This group has security restrictions, imposed by NTFS permissions, that designate the level of access and the type of content available to public internet users.

SBWorks
  • When you say "service account" do you just mean an account that I can use to run services, or is there a specific group that it needs to go in? – Piers Karsenbarg Nov 08 '11 at 11:47
  • An account used to run services. However, on the local server, it needs to be in a local group that has "run as a service" privileges – SBWorks Nov 08 '11 at 12:07
  • 1
    @SBWorks This is terrible advice. You shouldn't run IIS under a service account, you should run the individual application pools as domain accounts to avoid escalation of privilege issues. – MDMarra Nov 08 '11 at 13:44
  • I think we have a terminology miscommunication, @MarkM. In my last two companies "service account" = "domain account dedicated to a particular service" – SBWorks Nov 08 '11 at 15:35
  • @SBWorks That's fine, but your answer hinted at running IIS itself as this account and not the individual app pools. I was making it very clear that this is very bad. – MDMarra Nov 08 '11 at 15:39