Microsoft has made some unfortunate naming choices in the past, unfortunate in that they have become standards even though they don't make sense. One of these is the Windows security principal Everyone. It sure sounds, from the name at least, as if this group is made up of every account on the server. After all, shouldn't Everyone really mean every one?
Not to Microsoft. Everyone was never a group you could populate: it is a well-known identity (SID S-1-1-0) that the system stamps into a logon token on its own, and since Windows Server 2003 it no longer covers Anonymous Logon either. Originally this identity, along with the Guest account, was pretty useful. It didn't include every account, but it did include every account you would normally want to grant access to. With Guest, Microsoft saw the error of its ways and effectively stopped using the account, to the point of disabling it by default, but not to the point of eliminating it entirely. Not so with Everyone. That little bugger is still around to, well, bug us.
There are identities that genuinely sit outside Everyone (Anonymous Logon on Server 2003 and later, unless someone has turned on the security option "Network access: Let Everyone permissions apply to anonymous users"), and they shouldn't be in it. The identity that causes no end of confusion for ASP.NET developers and aspiring Windows or IIS administrators, though, is a different one: the ASP.NET worker process identity. On Windows Server 2003 (IIS 6) and on Vista and Server 2008 (IIS 7.0) that is NT AUTHORITY\NETWORK SERVICE by default; on Windows 7 and Server 2008 R2 (IIS 7.5 and later) the default application pool identity is the virtual account IIS APPPOOL\<pool name>; and on Windows XP's IIS 5.1 it was the local ASPNET account. Whichever it is, this identity frequently needs access to files and folders through Windows NTFS permissions, and it is not the account the developer is logged in as.
The problem for many developers and other users who aren't well versed in Windows security is that the first indication this account needs access is a generic "Access Denied" error. The confused developer, thrust into the role of server manager, grants access to one account after another, gets the same error each time, and out of frustration grants access to the Everyone group. Often that still produces the same aggravating error, because the Allow entry went on the wrong folder, or a Deny entry somewhere in the chain still wins (Deny always beats Allow), or the request is running as an impersonated user rather than as the worker process identity. The developer never found out which identity was being denied access to which file, and the name Everyone, an unfortunate choice by Microsoft, made it sound as if that step could be skipped.
The solution is not to go looking for a way to put NETWORK SERVICE into the Everyone group (you can't; membership in Everyone is decided by the system at logon, not by an administrator), and it is certainly not to make it a member of the local Administrators group. The NETWORK SERVICE account is a restricted account on purpose, and should stay that way: a worker process that runs as an administrator turns any code-execution bug in the application into full control of the server. The solution is to grant the specific identity that needs it, and only that identity, the minimum NTFS rights it needs on the specific files and folders involved, typically Modify on the folder the application writes to and Read on everything else.
But we're not going to turn this into an NTFS permissions tutorial. That information is easy to find elsewhere, and frankly we just don't have the room. While you're at it, remove the permissions you granted to the Everyone group along the way. After all, it didn't work, did it? Leaving that unwanted access in place is a security hole you don't want to have to explain after North Korean hackers have just downloaded all your clients' credit card numbers.
By the way, there is a great little tool for figuring out which process is being denied access to which files: Process Monitor (Procmon) from Sysinternals, now owned by Microsoft. It replaced the older FileMon, which has been retired. Filter on the IIS worker process (w3wp.exe) and a Result of ACCESS DENIED and the offending path shows up immediately; add the User column and you also see which identity was being checked. For full details, see the Sysinternals page on TechNet.
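Here is what "find out who is being denied, grant that one identity what it needs, then take Everyone back out" looks like end to end. This is an added example written for this edit, not code from the original post. It assumes IIS 7 or later (appcmd.exe and IIS APPPOOL virtual accounts), Process Monitor unpacked at C:\Tools\Procmon.exe, and placeholder names (MyAppPool, C:\inetpub\wwwroot\MyApp, C:\Temp) that you should replace with your own; on IIS 6 read the pool identity from IIS Manager instead and skip step 1. It also goes one step beyond the post by handling every identity type an application pool can run under, not just NETWORK SERVICE.

```powershell
# Added example, not from the original post. Assumed placeholders: pool name,
# site path, Procmon location and C:\Temp. Run from an elevated PowerShell on the server.
$PoolName = 'MyAppPool'
$SitePath = 'C:\inetpub\wwwroot\MyApp'
$DataPath = Join-Path $SitePath 'App_Data'
$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$procmon  = 'C:\Tools\Procmon.exe'

# --- 1. Find out which identity the worker process really runs under. ---
# appcmd reports NetworkService, ApplicationPoolIdentity, LocalService,
# LocalSystem or SpecificUser; map that to the account name NTFS will see.
$identityType = (& $appcmd list apppool $PoolName /text:processModel.identityType | Out-String).Trim()
switch ($identityType) {
    'NetworkService'          { $Identity = 'NT AUTHORITY\NETWORK SERVICE' }
    'ApplicationPoolIdentity' { $Identity = "IIS APPPOOL\$PoolName" }
    'LocalService'            { $Identity = 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { $Identity = 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $Identity = (& $appcmd list apppool $PoolName /text:processModel.userName | Out-String).Trim() }
    default                   { throw "Unexpected identity type '$identityType' for pool $PoolName" }
}
"Worker process identity: $Identity"

# --- 2. Confirm what is actually being denied, instead of guessing. ---
# Capture with Process Monitor while you reproduce the error in a browser, export
# the trace to CSV, and keep only ACCESS DENIED results from the IIS worker process.
& $procmon /AcceptEula /Quiet /Minimized /BackingFile C:\Temp\iis.pml
Read-Host 'Reproduce the Access Denied error now, then press Enter'
& $procmon /Terminate
& $procmon /OpenLog C:\Temp\iis.pml /SaveAs C:\Temp\iis.csv
Import-Csv C:\Temp\iis.csv |
    Where-Object { $_.'Process Name' -eq 'w3wp.exe' -and $_.Result -eq 'ACCESS DENIED' } |
    Select-Object Operation, Path -Unique |
    Format-Table -AutoSize

# --- 3. Grant that one identity the least it needs, and nothing more. ---
# The code folder only needs Read and Execute; (OI)(CI) inherits to files and subfolders.
icacls $SitePath /grant "$($Identity):(OI)(CI)RX"
# Only the folder the application writes to gets Modify. Not Full Control, and not the
# whole site: a web app that can rewrite its own .aspx and .dll files hands an attacker
# a persistent code-execution path if the app is ever compromised.
icacls $DataPath /grant "$($Identity):(OI)(CI)M"

# --- 4. Take back the blanket grant to Everyone (/remove:g strips Allow entries). ---
# This only removes explicit entries; if the Everyone grant was made on a parent
# folder and is inherited here, remove it on the parent where it was added.
icacls $SitePath /remove:g 'Everyone'
icacls $DataPath /remove:g 'Everyone'

# --- 5. Verify, and look for Deny entries, which always win over Allow entries. ---
foreach ($p in $SitePath, $DataPath) {
    $acl = Get-Acl -Path $p
    "`n$p"
    $acl.Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -or
            $_.IdentityReference.Value -eq 'Everyone' -or
            $_.AccessControlType -eq 'Deny'
        } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}
```

Step 2 can be skipped once you already know the path from the error, but it is the step that stops the guessing: the trace names the file, the process and (with the User column enabled) the identity, so you grant once, to the right principal, on the right folder. If step 5 still shows a Deny entry for a group the worker identity belongs to, the grants in step 3 will not help until that entry is dealt with, and if the request is running under ASP.NET impersonation the identity being checked is the impersonated user, not the pool identity shown in step 1.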
Messing with NTFS permissions can break your server. If it does, it’s your own fault for foolishly following advice you got over the Internet. If you aren’t sure of what you’re doing, find a qualified professional to do it for you. And while you’re at it, stop running with scissors.