0

Looking at the default security permissions of "wwwroot", I see that "IIS_IUSRS" has multiple permissions : Read&execute/List folder content/Read.
However, when I delete this group, the default website is always working.
Moreover, i already created other websites at the root of inetpub folder without the need to add this group.
So, all my websites work with the following security groups : Creator owner/System/Administrators/Users/TrustedInstaller.

Do I really need to add "IIS_IUSRS" to every website ?
Do I have a security problem if it works without this group ? So, do I need to remove one of the default groups ?

Spilarix
  • 125
  • 5
  • It looks like you're conflating IUSR with IIS_IUSRS. - https://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis - https://www.safaribooksonline.com/library/view/professional-microsoft-iis/9781118417379/c14_level1_13.xhtml - http://serverfault.com/questions/179627/how-come-when-i-add-iis-iusrs-rw-access-to-a-folder-it-doesnt-automatically-al – joeqwerty Apr 02 '17 at 16:24
  • @joeqwerty I don't think so but can you be more precise ? I am speaking about IIS_USRS group. – Spilarix Apr 02 '17 at 17:51

1 Answers1

0

No, you don't need IIS_IUSRS to secure a site, you don't need it at all. The reason why your sites still work without it, that the 'Users' group still has permission to it.

To make your sites more secure you would need to remove any permissions to Users and set appropriate permissions for whichever account you are using in IIS.

Before changing security settings, make sure you know what you are doing. Read more about it and test your new settings.

I wrote a bit about IIS file permissions

Peter Hahndorf
  • 13,763
  • 3
  • 37
  • 58