{"id":125,"date":"2017-02-21T17:09:07","date_gmt":"2017-02-21T06:09:07","guid":{"rendered":"https:\/\/www.aspireweb.com.au\/blog\/?p=125"},"modified":"2017-02-21T20:53:37","modified_gmt":"2017-02-21T09:53:37","slug":"php-file-permissions-on-windows-10-iis","status":"publish","type":"post","link":"https:\/\/aspireweb.com.au\/blog\/php-file-permissions-on-windows-10-iis\/","title":{"rendered":"Lock Down PHP File Permissions on Windows 7\/10 and IIS"},"content":{"rendered":"

How do I set up file permissions in Windows for PHP?<\/strong><\/p>\n

When using PHP permissions are\u00a0misunderstood and common response\u00a0is just giving too much access which is a security nightmare!<\/p>\n

This is extremely important when configuring IIS manually on a VPS or Dedicated server, you want each site isolated from each other. This protects your server and other websites if one site is hacked or compromised.<\/p>\n

If you’re just developing locally this isn’t too bad but it’s good practice to always configure it correctly, this will help find errors you may encounter in production but also that we should always be thinking about security.<\/p>\n

Any reputable Windows web host would also be configuring their servers automatically using a control panel to configure secure permissions and website isolation so there is no need to worry about this if your with a shared website host. Most control panels will allow you to change if write permissions are enabled or not, this is a common fix for shared hosts and write permission issues.<\/p>\n

Web development has changed a lot over the years and security is now a big focus point for web developers so while some would like to leave the IIS & Windows configuration to their server admins it’s good to understand and take responsibility.<\/p>\n

It’s not hard to configure and after you’ve done it you’ll feel great knowing that you’re website is substantially more secure so let’s go.<\/p>\n

<\/p>\n

Before we start, this post\u00a0will assume you already have IIS with relevant features and\u00a0PHP installed and working.<\/p>\n

In the image below shows a basic example of how the security model works.
\n\"\"<\/p>\n

Each website runs as a different “user” and that user has access to their website folder. They also both have access to system and PHP files else that user couldn’t execute PHP to run.
\nJust a quick note before continuing, when running on Windows ignore anything that talks about the Linux security like the 770 or 665 flags, these aren’t compatible with Windows.<\/p>\n

 <\/p>\n

So where does this website user come from?<\/strong><\/p>\n

Either you can make a new system user for the purpose of the website or if you are running IIS 7 or higher you can run as a hidden IIS worker user. It’s hidden because you cannot just search for this user, you need to manually type in the name. In this we will be adding the IIS worker user to streamline the process.<\/p>\n

 <\/p>\n

First we need to create a new website with it’s own application pool.<\/p>\n

Fig A<\/p><\/div>\n

If we check this new application pool in the advanced settings we will see that it’s running as the “ApplicationPoolIdentity”.
\n<\/p>\n

Fig B<\/p>\n

Lets go add some permissions<\/strong><\/p>\n

First we need to change\u00a0the permissions to our new website folder.<\/p>\n

Navigate to the folder and open the properties page, go to the security tab and then Advanced.
\nClick “Disable inheritance” and choose “Convert inherited permissions into explicit permissions on this object”.<\/p>\n

Fig C<\/p><\/div>\n

Now that this folder has it’s own permissions (no longer inherited) we need to remove the users group and the IIS_USRS if it exists (Depends where your folder is). There may be other permissions as well but you really should only have System, Administrators, Creator Owner, your login name (not always) and trusted installer left on the folder.<\/p>\n

We now need to add the IIS Application Pool to the folder, so click “Add” and on the next form click “Select a principal”, on this form type in “IIS AppPool\\mynewsite” replacing “mynewsite” with your site application pool name from Fig A. Click “OK” and if you’ve done it right it will fill in the Principal as the Application pool name as per below (1, Fig D).<\/p>\n

Fig D<\/p><\/div>\n

For most sites you will want write and modify permissions so go ahead and tick modify (it will tick write automatically) and then “OK” this form. A couple more “OK”‘s and you’ll have saved the new permissions!<\/p>\n

Well Done, if all goes well you should now be able to browse to your site and confirm it’s working.<\/p>\n

I used a simple PHPinfo file<\/a> to test ours.<\/p>\n

 <\/p>\n

HELP It Didn’t Work!<\/strong><\/p>\n

There are range\u00a0of reasons why this wouldn’t work.<\/p>\n

Here are a few things to try:<\/p>\n