I have the good fortune of moving a few websites to a new W2K3 Server and am thinking about security. Specifically, security for a site folder access. IIS site setup is such a basic issue, and most of us have been doing it for years. But I wanted to tighten security as much as possible and to solicit any suggestions for improvement. (I have also seen a lot of associates do it way wrong. How many sites have we seen setup with Everyone full access to folders?)
So for the new sites I am moving to W2K3, I am no longer giving Everyone read-only access to site folders. Folder access is:
Server\Administrators : full
Domain\Domain Admins : full
Server\Users : read
I like this, too, because the local Server\Users account contains the ASPNET Machine User account as well as the Domain\Domain Users group. This should mean that a site with only NT Authentication supported (anonymous access turned off), is accessible to domain users only.
Before the clamor begins, I am NOT proposing this as a Best Practice. I'm passing along what seems to work best for me and welcome suggestions for improvement. Like I said, this is pretty basic stuff, so I'm sure there are a number of good approaches to site security out there.