NTFS and IIS Security
IIS is fully integrated with the Windows operating system, which means it respects and obeys Windows' security constraints. In particular, IIS respects the permissions assigned to files and folders that reside on NTFS-formatted volumes.
TIP
Because FAT (and its variants, like FAT32) doesn't provide any file-level security, I don't recommend using it to store Web site content. Always store Web site content, especially administrative Web pages, on an NTFS volume.
The bottom line is this: IIS won't allow any user to access a Web page unless that user has at least Read permission on the Web page file. You can use this to your advantage when you create administrative Web pages. Simply edit the security properties of your Web pages, and ensure that only authorized users have Read access. Remove the Everyone group, for example, and add the Domain Admins group. Doing so forces IIS to authenticate any user requesting the page, even if anonymous access is enabled, and prevents unauthorized access.
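The same change can be scripted and then checked. The PowerShell below is an added example, not from the original text: it removes Everyone from one page's ACL, grants Domain Admins Read, and reports any other broad principal that can still reach the file. The file path, the CONTOSO domain name, and the list of principals treated as "broad" are assumptions.

```powershell
# Added example. $Path and $Admins are placeholders; run from an elevated prompt.
$Path   = 'C:\inetpub\wwwroot\admin\default.htm'   # hypothetical administrative page
$Admins = 'CONTOSO\Domain Admins'                  # placeholder domain name

# 1. Stop inheriting from the parent folder, keeping a copy of the inherited
#    entries so they can be edited on this file alone.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Path -AclObject $acl

# 2. Remove every entry for Everyone (well-known SID S-1-1-0) and grant
#    Domain Admins Read.
$acl      = Get-Acl -LiteralPath $Path
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$acl.PurgeAccessRules($everyone)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Admins, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# 3. Check: removing Everyone is not enough if another broad group still has
#    an Allow entry. The SIDs below are well-known; which ones count as
#    "broad" is this example's assumption.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-17'     = 'IUSR'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-568' = 'IIS_IUSRS'
}
$sidType = [System.Security.Principal.SecurityIdentifier]
$left = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad.ContainsKey($_.IdentityReference.Value)
    }

if ($left) {
    $left | ForEach-Object {
        Write-Warning ("{0} still has {1} on {2}" -f `
            $broad[$_.IdentityReference.Value], $_.FileSystemRights, $Path)
    }
} else {
    Write-Output "No broad principal has access to $Path"
}
```

Any warning from step 3 means a principal other than the intended administrators can still read the page, so the ACL needs further tightening before the page is treated as restricted.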