Setting file system authorizations

The Microsoft IIS web server and the ITP/OnLine web application perform some tasks under special system user accounts. These system user accounts should already exist on the system. For correct operation of ITP/OnLine ASP.NET, these user accounts should be granted certain permissions for the ITP/OnLine virtual directory and the ITP/OnLine applications folder. These permissions should be configured manually by the operator after the initial installation of ITP/OnLine ASP.NET has completed. For security reasons it is also advisable to remove permissions for certain groups of users from these folders.

The following tables show which authorizations should be set for each folder for a specific OS. Take note of the following:

Microsoft Windows Server 2003

| Location | Account | Permission type |
|---|---|---|
| ITP/OnLine virtual directory | Administrators | Full Control |
| | IIS_WPG | Read & Execute |
| | IUSR_<machine name> | Read & Execute |
| | NETWORK SERVICE | Read & Execute |
| | Users | Read & Execute |
| ITP/OnLine public directory | Administrators | Full Control |
| | IIS_WPG | Read & Execute |
| | IUSR_<machine name> | Read & Execute |
| | NETWORK SERVICE | Modify |
| | Users | Read & Execute |
| ITP/OnLine applications folder | Administrators | Full Control |
| | Users | NONE |
| ITP/OnLine log folder; by default this is the subfolder itplog of the ITP/OnLine applications folder | Administrators | Full Control |
| | NETWORK SERVICE | Modify |
| | Users | NONE |
| ITP/OnLine session data folder; by default this is the subfolder sessiondata of the ITP/OnLine applications folder | Administrators | Full Control |
| | NETWORK SERVICE | Modify |
| | Users | NONE |

Microsoft Windows Server 2008

| Location | Account | Permission type |
|---|---|---|
| ITP/OnLine virtual directory | Administrators | Full Control |
| | IIS_IUSRS | Read & Execute |
| | IUSR | Read & Execute |
| | NETWORK SERVICE | Read & Execute |
| | Users | Read & Execute |
| ITP/OnLine public directory | Administrators | Full Control |
| | IIS_IUSRS | Modify |
| | IUSR | Read & Execute |
| | NETWORK SERVICE | Modify |
| | Users | Read & Execute |
| ITP/OnLine applications folder | Administrators | Full Control |
| | Users | NONE |
| ITP/OnLine log folder; by default this is the subfolder itplog of the ITP/OnLine applications folder | Administrators | Full Control |
| | NETWORK SERVICE | Modify |
| | Users | NONE |
| ITP/OnLine session data folder; by default this is the subfolder sessiondata of the ITP/OnLine applications folder | Administrators | Full Control |
| | NETWORK SERVICE | Modify |
| | Users | NONE |

After setting the permissions on a folder, we advise verifying that the security settings have been applied correctly. This can be done as follows:

  1. Open the dialog Properties of the folder and select the tab Security.
  2. Click the button Advanced to open the Advanced Security Settings dialog.
  3. Select the tab Effective Permissions.
  4. Click the button Select and then select a non-privileged user account that has no rights to access the folder. Now verify that this regular user has no effective permissions on the folder, except for folders where the group Users should have been granted permissions. In the latter case, verify that the effective permissions are Read & execute.
  5. Then, one by one, check the user accounts and groups that have been explicitly granted a certain level of access. For each user account and group, check that the effective permissions are not broader than those that were configured.
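The check in step 5 can be supported by a script. The following PowerShell is an added example, not part of the ITP/OnLine product or its documentation: it reads each folder's ACL with Get-Acl and reports Allow entries that are broader than the Windows Server 2008 table, or that belong to accounts the table does not list. The folder paths and the function name Test-FolderAcl are assumptions made for this example, and the account names assume an English-language Windows installation.

```powershell
# Added example (not vendor code): compare folder ACLs with the Windows Server 2008 table.
# All folder paths below are placeholders; replace them with the actual ITP/OnLine locations.
$rx   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$mod  = [int][System.Security.AccessControl.FileSystemRights]::Modify
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

# Maximum rights per account as listed in the table (0 means NONE).
$expected = @{
    'C:\PLACEHOLDER\itp-virtual-directory' = @{ 'Administrators' = $full; 'IIS_IUSRS' = $rx
        'IUSR' = $rx; 'NETWORK SERVICE' = $rx; 'Users' = $rx }
    'C:\PLACEHOLDER\itp-public-directory'  = @{ 'Administrators' = $full; 'IIS_IUSRS' = $mod
        'IUSR' = $rx; 'NETWORK SERVICE' = $mod; 'Users' = $rx }
    'C:\PLACEHOLDER\itp-applications'             = @{ 'Administrators' = $full; 'Users' = 0 }
    'C:\PLACEHOLDER\itp-applications\itplog'      = @{ 'Administrators' = $full
        'NETWORK SERVICE' = $mod; 'Users' = 0 }
    'C:\PLACEHOLDER\itp-applications\sessiondata' = @{ 'Administrators' = $full
        'NETWORK SERVICE' = $mod; 'Users' = 0 }
}

function Test-FolderAcl([string]$Path, [hashtable]$Allowed) {
    $findings = @()
    # .Access contains explicit and inherited entries; only Allow entries grant access.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id     = $ace.IdentityReference.Value            # e.g. BUILTIN\Users
        $name   = $id.Substring($id.LastIndexOf('\') + 1) # strip the domain/authority prefix
        $rights = [int]$ace.FileSystemRights
        if (-not $Allowed.ContainsKey($name)) {
            $findings += ('{0}: {1} is not listed in the table ({2})' -f $Path, $id, $ace.FileSystemRights)
        }
        elseif (($rights -band (-bnot ($Allowed[$name] -bor $sync))) -ne 0) {
            # Any bit outside the configured level (Synchronize aside) is broader than intended.
            # Entries stored as generic rights show up as raw numbers and are flagged for review.
            $findings += ('{0}: {1} exceeds the configured level ({2})' -f $Path, $id, $ace.FileSystemRights)
        }
    }
    $findings
}

foreach ($path in $expected.Keys) {
    if (Test-Path -Path $path) { Test-FolderAcl $path $expected[$path] }
    else { Write-Warning "Folder not found: $path" }
}
```

The script inspects ACL entries only; it does not compute effective permissions through group membership, so the Effective Permissions tab from steps 3 to 5 remains the authoritative check. Accounts reported as not listed (for example inherited entries) should be reviewed manually against the table.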