Recently I was asked about the default permissions for IIS 7.0 and 7.5 so I start doing some digging and testing.
You might ask why is this important? Well if someone changes the permissions or a policy is applied to your server it will be extremely important to have a good idea of what has been changed. This is a good starting point.The information below is what I came up with so far.
IIS 7.0/IIS 7.5 Default Permissions
Currently there is no article outlining the default permissions for IIS 7.0 and 7.5 however I have put together the following guidelines for your reference.
- If you install Windows 2008 (not R2) by default it will install IIS 7.0 and you have to download the Webdav components.
- If you install Windows 2008 R2(R2 rocks) by default it will install IIS 7.5 and Webdav is part of Server Manager Roles(you just enabled it)
- I have some advisory information on WebDav for future installed. I provided my blog link that talks about WebDav in one of my previous blog posting http://blogs.msdn.com/rodneyj/archive/2009/05/18/client-install-fails-when-connecting-to-windows-2008.aspx
New IIS Accounts :
· IIS_IUSRS (a new built-in group), as it replaces IIS_WPG and is already granted the minimum rights required to start up a worker process.
· IUSR built in account replaced the IUSR_Machine Name
· Both of these accounts are granted the minimum rights required to start up a worker process.
· Do not modify these accounts.
Understanding the Built-In User and Group Accounts in IIS 7.0
Policies and Security Settings:
I Installed SQL 2008, Windows 2008 R2, Webdav, SCCM 2007 SP2 and highlighted a few changes:
Local Users and Groups
Default Membership is listed below: