Securing Your IIS Log File Folder
It is recommended that you secure access to your IIS log file directory. IIS log files contain sensitive information such as the following:
- File names
- Directory paths
- Cookies
Note
- Sites that use cookies store encrypted cookies containing userIds in the log files.
By default, IIS log files are stored in the <drive>:\WINNT\system32\LogFiles\W3SVC# folder on the computer running IIS, where <drive> is the drive partition where Windows is installed, and # is the number of the site. For example, the default location of the log file folder for the default Web site where Windows is installed on drive C: would be as follows:
C:\WINNT\system32\LogFiles\W3SVC1
To secure the IIS Web Log folder
It is recommended that you set NTFS security permissions on the <drive>:\WINNT\system32\LogFiles folder. Setting security permissions on this folder protects log files for all sites on your Web server.
- Using Windows Explorer, navigate to the <drive>:\WINNT\system32\LogFiles folder on your IIS server.
- Right-click the LogFiles folder, and then click Properties.
- In the LogFiles Properties dialog box, click the Security tab.
- On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object checkbox.
- In the Security dialog box, click CopyIn the Name box, click CREATOR OWNER and then click Remove.
- In the Name box, click Power Users and then click Remove.
- In the Name box, click Users (<Server name>\Users), and then click Remove.
Note
- The remaining users in the Name box should be Administrators (<Server name>\Administrators) and SYSTEM, both of which are granted Full Control permissions to this folder. This is the recommended security setting for this folder.
- In the LogFiles Properties dialog box, click OK.
For more information about setting NTFS security on files and folders, search for the keyword "NTFS" in Windows 2000 Help.
Copyright © 2005 Microsoft Corporation.All rights reserved.