Learn how to configure iis_iusrs in IIS. Our IIS Support team is here to help you with your questions and concerns.

How to Configure IIS_IUSRS in IIS

Managing user permissions in IIS can seem daunting, but it is easy once we know the steps. Our experts have put together this guide to help you safely apply modify or write permissions without touching Windows user account privileges.

Applying Modify/Write Permissions to An IIS Application Pool

1. First, open IIS Manager and right-click the domain under the Sites list.
2. Then, select Edit Permissions.
3. Now, head to the Security tab to see `MACHINE_NAME\IIS_IUSRS` listed. As this account already has read-only access, no changes are needed here.
4. Now, click Edit and then Add. At this point, enter the following in the text box:

   IIS AppPool\MyApplicationPoolName

   Remember to replace MyApplicationPoolName with the application pool name.
5. Next, click Check Names. This will validate the name, then press OK.
6. Then, with the application pool selected, assign the modify or write permissions.
7. As ‘IUSR` is part of `IIS_IUSRS`, we can opt to safely remove separate `IUSR` permissions.

Boosting Security with Unique Identities

Windows uses “Virtual Accounts” to give each IIS application pool a unique identity. This is more secure because it isolates our application processes. Let’s take a look at how to configure it:

1. First, go to the application pool in IIS Manager.
2. Then, head to Advanced Settings, find Identity and change it to ApplicationPoolIdentity.
3. Now, we can create a custom account (`IUSR_[identifier]`) within our Active Directory (AD) environment.
4. We have to assign this account in the application pool under Identity > Custom account > Advanced Settings.
5. Then, give this account the needed NTFS permissions on our files and folders.

Common Pitfalls and Solutions

A common pitfall is granting permissions to everyone or generic users. This can lead to security vulnerabilities. Instead, follow these steps:

1. Modify Directory Permissions:
   1. Right-click the directory we want to change, select Properties, then go to the Security tab.
   2. Then, click Edit, then Add.
   3. Type `IIS_IUSRS` in the text box and click Check Names.
   4. Assign execute and write permissions, then click OK.
2. Handle Permission Errors:

   If we run into errors while updating directory contents, just click Continue. The goal is to update the directory’s permissions, not its contents.
3. Full Control for Specific Applications:

   For applications like Forms Builder that need to create logs:

   1. First, open Windows Explorer and go to the application’s directory.
   2. Right-click, select Properties and go to the Security tab.
   3. Then, select `IIS_IUSRS` and click Advanced.
   4. Now, assign Full control permissions and click OK.

With these steps, we can securely manage IIS permissions without the risk of altering Windows user account settings.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

In brief, our Support Experts demonstrated how to configure iis_iusrs in IIS.