Reputation: 30877
Why "NETWORK SERVICE" doesn't have permission on "C:\inetpub\wwwroot" by default?
I grant permission to NETWORK SERVICE manually to have access to C:\inetpub\wwwroot so ASP.NET can do something like reading and writing local files.
Is there a security reason this permission has not been granted by default ?
Upvotes: 0
Views: 4055
Answers (3)
Reputation: 31630
Per this article on MSDN:
The Network Service account has Read and Execute permissions on the IIS server root folder by default. The IIS server root folder is named Wwwroot. This means that an ASP.NET application deployed inside the root folder already has Read and Execute permissions to its application folders. However, if your ASP.NET application needs to use files or folders in other locations, you must specifically enable access.
Upvotes: 2
Reputation: 499272
It is due to the principle of defence in depth - not giving permissions unless explicitly granted.
Such defaults make for a more secure IIS and operating system.
Several years ago Microsoft went through a very large push towards securing windows by default - this setting is part of that push.
Upvotes: 2
Reputation: 33272
usually on the web server just few folders are allowed to write to avoid potential security holes.
Upvotes: 1
Related Questions
- Asp.net Access To Network Share
- How to set correct file permissions for ASP.NET on IIS
- Granting write permissions to a networked UNC folder for ASP.NET under IIS 7.5 and Windows Server 2008 R2
- Can't create a file in C:\inetpub\wwwroot programmatically
- How to Enable File System Access to Web Service?
- Windows 7 inetpub wwwroot read only
- ASP.NET web service permissions reading file system using machine account
- ASP.NET file system permissions
- IIS service is running as Local System account, so how do I give it shared directory permissions?
- 'NT AUTHORITY\NETWORK SERVICE' not inheritting local group permissions?