DOCUMENT:Q271071 13-JUN-2001 [iis] TITLE :Minimum NTFS Permissions Required for IIS 5.0 to Work PRODUCT :Internet Information Server PROD/VER::5.0 OPER/SYS: KEYWORDS:kbOSWin2000 ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Services version 5.0 ------------------------------------------------------------------------------- SYMPTOMS ======== This article lists the minimum NTFS access permissions that are needed for an IIS 5.0 Web site. When IIS is installed, it should already have the proper NTFS access permissions for the default Web site and the default FTP site. There are a number of different folders that need the correct NTFS permissions. Incorrect settings on any one of these can cause one or more of the following errors: In the Web browser: You are not authorized to view this page You do not have permission to view this directory or page using the credentials you supplied. HTTP 401.3 - Access denied by ACL on resource Internet Information Services -or- In the Web browser: Server Application Error The server has encountered an error while loading an application during the processing of your request. Please refer to the event log for more detailed information. Please contact the server administrator for assistance. In the system log: Event Type: Warning Event Source: W3SVC Event Category: None Event ID: 36 Date: 3/5/2001 Time: 9:59:40 AM User: N/A Computer: MACHINE-NAME Description: The server failed to load application '/LM/W3SVC/5/Root'. The error was 'General access denied error'. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp. Event Type: Error Event Source: DCOM Event Category: None Event ID: 10001 Date: 3/5/2001 Time: 9:59:40 AM User: NT AUTHORITY\SYSTEM Computer: MACHINE-NAME Description: Unable to start a DCOM Server: {99169CB1-A707-11D0-989D-00C04FD919C1} as ./IWAM_MACHINE-NAME. The error: "Access is denied. " Happened while starting this command: C:\WINNT\System32\dllhost.exe /Processid:{3D14228D-FBE1-11D0-995D-00C04FD919C1} -or- In the Web browser: Error: Access is Denied. In the system log: Event Type: Warning Event Source: W3SVC Event Category: None Event ID: 30 Date: 3/5/2001 Time: 10:01:13 AM User: N/A Computer: MACHINE-NAME Description: The server was unable to read the file C:\WINNT\help\iisHelp\common\401-3.htm. The file does not exist. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp. CAUSE ===== NTFS permissions have been changed from the default settings and are no longer sufficient for IIS 5.0 to run properly. RESOLUTION ========== NOTE: Following the steps in this article restricts permissions so that only Administrators are able to install or run software on the IIS 5.0 computer. After you reset the permissions as specified in this article, it may be necessary to perform a Check Server Extensions task for each Web site through Internet Service Manager. This step is necessary in order for FrontPage clients to be able to connect by using the HTTP protocol. Using Windows Explorer, follow these steps: 1. Reset the entire hard drive to the following: SYSTEM - Full Control ADMINISTRATORS - Full Control To do this, click Advanced and select Reset permissions on all child objects and enable propagation of inheritable permissions. NOTE: You will receive an error message when you attempt to apply permissions to the Pagefile.sys file. Click Continue for this and any similar error messages. 2. For Program Files\Common Files, add Everyone and select Read & Execute, List Folder Contents, and Read. NOTE: Do not clear the Allow inheritable permissions from parent to propagate to this object check box. 3. For Inetpub\Wwwroot, add IUSR_MACHINE and select Read & Execute, List Folder Contents, and Read. NOTE: Do not clear the Allow inheritable permissions from parent to propagate to this object check box. 4. In the Winnt\System32 folder, select all folders except Inetsrv and Certsrv if these are present. Open the Properties sheet for these folders and clear Allow inheritable permissions from parent to propagate to this object. In the dialog box that appears, click Copy. Click OK to exit the Properties sheet. 5. In the Winnt folder, select all folders except Downloaded Program Files, Help, IIS Temporary Compressed Files, Offline Web Pages, System32, Tasks, Temp, and Web. Open the Properties sheet for these folders and clear Allow inheritable permissions from parent to propagate to this object. In the dialog box that appears, click Copy. Click OK to exit the Properties sheet. 6. For Winnt, add Everyone and select Read & Execute, List Folder Contents, and Read. NOTE: Do not clear the Allow inheritable permissions from parent to propagate to this object check box. 7. For Winnt\Temp (this allows Access databases to be viewed on ASP pages), select the Everyone group (this group should already be present by inheriting from the Winnt folder) and select Modify. MORE INFORMATION ================ Although permissions can be specialized to fit each system administrator?s needs, it is best that you use the Everyone group instead of the IUSR_MACHINE account: The Everyone group encompasses the Users group, the IUSR_MACHINE account, and the IWAM_MACHINE account. IIS 5.0 uses two separate accounts to execute Web pages. When anonymous authentication is used, IIS uses the IUSR_MACHINE account to view those pages. However, IWAM_MACHINE is used to start up a separate process called Dllhost.exe. All Active Server Pages (ASP), Component Object Model (COM) components, or other ISAPI extensions (ASP is considered an ISAPI extension) are run inside the Dllhost.exe process. This is primarily for stability purposes. If a custom COM component that is called from an ASP page crashes (that is, causes an access violation that stops the process), it does not affect Inetinfo.exe, so the Web service continues to run. The two protection levels in IIS 4.0 are as follows: - Default: IIS 4.0 runs all applications in-process (that is, inside the Inetinfo.exe process), which is started up by the SYSTEM account. When Web pages are viewed, the particular thread that is serving the page is run under the context of the IUSR_MACHINE account. HTM, ASP and any other ISAPI extensions are run inside the Inetinfo.exe process. - Run in Separate Memory Space (Isolated Process): This is also known as out-of-process. This uses the IWAM_MACHINE account to spawn a separate Mtx.exe process that runs ASP and other ISAPI extensions. The three protection levels in IIS 5.0 are as follows: - Low (IIS Process): This setting is similar to the default setting under IIS 4.0. All Web pages, whether HTM or ASP, are run inside the Inetinfo.exe process. - Medium (Pooled): This is the default. As with IIS 4.0, this setting starts a separate process called Dllhost.exe in which all ASP and COM components are run. This process is started by the IWAM_MACHINE account just as in IIS 4.0. Also, this setting is known as pooled because all Web sites that are running in IIS share this single Dllhost.exe for executing ASP pages. Note that Windows 2000 replaces Mtx.exe with Dllhost.exe. - High (Isolated): This setting starts a dedicated Dllhost.exe process for each Web site or application. If you have 5 Web sites, each set on High protection, you see a total of six Dllhost.exe processes: five Dllhost.exe processes plus one additional Dllhost.exe process that COM+ starts under the System Application. REFERENCES ========== For additional information on how to restore default NTFS permissions for Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base: Q266118 How to Restore the Default NTFS Permissions for Windows 2000 Additional query words: iis 5 NTFS permission ====================================================================== Keywords : kbOSWin2000 Technology : kbiisSearch kbiis500 Version : :5.0 Issue type : kbprb Solution Type : kbpending ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.