iis security: I moved web server (from Server 2003 Standard to Server 2003 Web
Edition).

I noticed that permissions hasve changed some under IIS. My asp page
uses FileSystemObject to write file. My old server, this worked fine.

I have verified that WRITE permission is enabled under IIS. But, Under
PERMISSIONS, I noticed that I_USR is missing. When I add it, my WRITE
command works. On my old server, the I_USR shows that it's inheriting
rights from the parent. What would be the parent directory under IIS? I
looked under Windows Explorer and the main directory does not have
I_USR. Ideas??

http://blogs.msdn.com/david.wang/archive/2005/08/20/Why_can_I_upload_a_file_without_IIS_Write_Permission.aspx

Write permission in IIS has no bearing on FileSystemObject being able to
Write a file. As the blog describes, they are two separate concepts that
users frequently mix up.

So, all you did was enable WebDAV. Fortunately, WebDAV is disabled by
default in Web Service Extensions. Whew; IIS6's defense in depth just saved
you from your mistake.

As for "missing IUSR" -- IIS never gives NTFS WRITE permission to IUSR, so
you are basically asking why a custom configuration on your old server was
not present on the new server. I can only point at the man in the mirror for
this misconfiguration.

There are no ACL differences between Windows Server 2003 Standard and
Windows Server 2003 Web. It's the same IIS6 binaries. Any difference you
observe is either user-initiated or inherited from an upgrade. Maybe your
Windows Server 2003 Standard server was an upgrade from NT4 or Windows
2000 -- upgrades will preserve old crusty ACLs. I always clean install and
then migrate sites for the best possible experience. IIS6 security settings
are different between Upgrade and Clean install, with Clean install the most
secure.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

[quoted text, click to view]

So, please help me out here please so I do this the right way. I have a
script where people can create a website test drive. It takes a folder
online, copies it to a new location with a new folder name, and then
writes a "custom" file with that users information into that new
directory. It now errors on creating the new file.

Where do I need to give WRITE permissions so that this can be done
on-the-fly? On my old server, each of these newly created folder had
WRITE access given to the IUSR account. It states the permission was
inherited from C:\, but I do not see it there. I cannot figure out
where it's inheriting it from.

On the new server, IUSR does not show under the SECURITY list, and
cannot write a file to this folder.

Thanks!

Your question concerns Windows Security/NTFS ACL and not IIS - I recommend
you rephrase your question in those newsgroups (microsoft.public.security)
to get an understanding of what you are trying to do and then do it
yourself.

Unfortunately, I cannot help you do it the right way because:
1. I cannot take responsibility for how your custom provisioning code works
2. You are relying on custom ACL configuration not setup by IIS
3. You need to know what you are setting up

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

[quoted text, click to view]