IIS Server Security - How do I reset ACL of C:\Inetpub\wwwroot

Author

How do I reset ACL of C:\Inetpub\wwwroot

Gaetan

2006-01-20, 2:50 am

For a long time, I experienced random problems with Microsoft IE Web Controls. Most of the
time, I managed to get the Tree View and Tab Strip to work again after they mysteriously
stopped working.

Unfortunately, IE Web Controls seems to have stopped working for good on my IIS 6.0
server. I tried many time to re-install web controls and alter the ACL of
C:\Inetpub\wwwroot. Right now,I have Everyone with Change access to just about every IIS
file/folders and web sites (it is a test environment).

Before I try the next step which is re-install of IIS, I would like to reset the NTFS
permissions to their original values. Is there a IIS tool which would allow me to do that?

thanks.

Yuan Ren[MSFT]

2006-01-20, 2:50 am

Hi Rainer,

Thanks for posting!

For your issue, as far as I know, there are no specific tools to reset the
ACL for IIS web folder. Since the ACL setting is not dependent on the IIS
but on the OS, reinstalling the IIS can not reset the ACL.

From the above information, you should reset all the ACL settings for each
folder manually. There is a convenient way to do this job is by writing all
settings in a batch file and running it once. But the content of the file
needs to be written manually.

I appreciate your understanding, if you have any issues or concerns please
let me know. I will be happy to be of further assistance.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support

David Wang [Msft]

2006-01-20, 8:13 am

FYI: This is why you do not troubleshoot by simply changing ACLs -- because
no tool will reset them back to "normal". Please read the following blog
entry on troubleshooting basics and techniques.

http://blogs.msdn.com/david.wang/ar...leshooting.aspx

In particular, if you suspected NTFS ACL issues, you just needed to run
FileMon from sysinternals.com to observe what user account was denied access
to what directory and file and then just make the necessary change -- which
is far more direct than guessing and changing ACLs wholesale with no hope of
reseting their value back to normal.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Gaetan" <someone@somewhere.com> wrote in message
news:c2p0t1tckuve3b4rv507t65ha52jov8l83@
4ax.com...
> For a long time, I experienced random problems with Microsoft IE Web
> Controls. Most of the
> time, I managed to get the Tree View and Tab Strip to work again after
> they mysteriously
> stopped working.
>
> Unfortunately, IE Web Controls seems to have stopped working for good on
> my IIS 6.0
> server. I tried many time to re-install web controls and alter the ACL of
> C:\Inetpub\wwwroot. Right now,I have Everyone with Change access to just
> about every IIS
> file/folders and web sites (it is a test environment).
>
> Before I try the next step which is re-install of IIS, I would like to
> reset the NTFS
> permissions to their original values. Is there a IIS tool which would
> allow me to do that?
>
> thanks.

Bob

2006-01-20, 8:49 pm

On Fri, 20 Jan 2006 01:21:28 -0800, "David Wang [Msft]"
<someone@online.microsoft.com> wrote:

>FYI: This is why you do not troubleshoot by simply changing ACLs -- because
>no tool will reset them back to "normal".

In other words, it's so friggin complicated at this point that even MS
can't help you figure out what priv's should be set on a particular
machine. :-)

David Wang [Msft]

2006-01-21, 7:49 am

Hmm... the complexity is irrelevant.

Troubleshooting by making random changes simply is not a good idea, on
computers or real life. As I note in my blog entry -- the point of
troubleshooting is not to quickly make correcting changes but rather make
correct changes quickly.

If I was ill and my doctor gave me 10 different prescriptions to try, I
consider that malpractice. The point is for the doctor to do diagnosis and
determine the 1-2 necessary prescription to address the illness. And if they
can't figure it out, point me to someone who can -- don't fool around with
my time and health by pretending.

Yet when it comes to computers, people are strangely willing to try all
those prescriptions and assume that there is a "reset" switch somewhere.
Sorry, life doesn't come with a reset switch... ;-)

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Bob" <uctraing@ultranet.com> wrote in message
news:mh53t1t332r075h8emnl1ldtfpc88b84j5@
4ax.com...
> On Fri, 20 Jan 2006 01:21:28 -0800, "David Wang [Msft]"
> <someone@online.microsoft.com> wrote:
>
>
> In other words, it's so friggin complicated at this point that even MS
> can't help you figure out what priv's should be set on a particular
> machine. :-)
>
>

Bob

2006-01-22, 6:10 pm

On Sat, 21 Jan 2006 01:09:40 -0800, "David Wang [Msft]"
<someone@online.microsoft.com> wrote:

>Hmm... the complexity is irrelevant.
>
>Troubleshooting by making random changes simply is not a good idea, on
<snip>
>
>Yet when it comes to computers, people are strangely willing to try all
>those prescriptions and assume that there is a "reset" switch somewhere.
>Sorry, life doesn't come with a reset switch... ;-)

Agreed, the complexity may be irrelevant to your general suggestion
that the shotgun approach of applying priv's is not the best approach
to solving all IIS problems.

However, , the OP posted a question about resetting privs so it is
relevant to the thread. IIS privs seem to be ridiculously complex now,
as evidenced by the fact that it is highly improbable that you can
figure out what priv's the IIS has/should have on a particular
machine.

MS needs to do some serious coding to provide an "analyze and reset"
facility. Most of the problem is due to the spaghetti like
architecture of MS Windows. Until they fix that (unlikely soon) the
problems will persist. Me, I'd settle for a useable IIS/Priv
description and repair program right now.