What are the IIS 8 required NTFS Permissions?

Question

This questions has been asked, A LOT, but I've yet to figure out a proper solution. I've got a Windows Server 2012 server with of course IIS 8. I'm setting up a very, very, simple website on it with an HTML file that has Hello World in it. On the folder for the website I have the following permissions set up:

• SYSTEM (local account, Full Access)
• Administrators (local group, Full Access)
• FTP (domain account, Full Access)
• NAME_OF_APPPOOL (virtual account, Full Access)

So, with all of these permissions I still get a 401.3 - Unauthorized error from IIS. What am I missing in all of this?

The only thing that's made the website accessible so far was a desperate attempt by putting Everyone with read-only permissions. I think we can all agree that's just dumb as far as security goes...

Update

This is what the Application Pool Identity is set to at the moment.

Answer 1

So, since I was trying to access an HTML page (static content) it appears that IIS doesn't use the AppPool identity for static content... (double-U, T, and F?) So, to make it work you have to add IUSR as referenced here: IIS 8 401.3 with ACL and static content. Anyway, it works now, I'm just sooooo looking forward to the day when I put MVC on that site and it starts failing, again...

Answer 2

Check #5 to make sure the AppPool the site is using is actually set to use the Identity you are adding NTFS permissions for.

Specify an Identity for an Application Pool (IIS 7)

1. Open IIS Manager.
2. In the Connections pane, expand the server node and click Application Pools.
3. On the Application Pools page, select the application pool for which you want to specify an identity, and then click Advanced Settings in the Actions pane.
4. For the Identity property, click the ... button to open the Application Pool Identity dialog box.
5. If you want to use a built-in account, select the Built-in account option and select an account from the list.