Set NTFS permissions (Windows version)

AJS 5.x

Manual

Note! This Manual is for the "Windows authentication" version, which is designed to work with existing Windows server or Active Directory accounts and Windows authentication. If you want to create accounts by yourself and store their credentials in your own HTTP Commander XML database, you need to download the "Forms authentication" version! This Manual is for the Windows authentication version only!

Web file manager

Free Installation assistance

Manual Home page

NTFS permissions

This section describes how to set up NTFS permissions on HTTP Commander data files and on user data folders.

Note 1! You can view how to set up NTFS permissions at installation screencast (video) (Recommended)!

Note 2! Instead of inspecting NTFS permissions manually, you may make use of our automatic diagnostic page "http://localhost/HTCOMNET/Diagnostics.aspx". It identifies places requiring your attention, that is, it highlights folders and files that provide insufficient access to particular windows accounts.

If you want to check NTFS permissions manually then see information below:

Application pool identity
First, you need to know which identity the application runs under. In Windows 2008 R2 SP1 IIS 7.5, 2012 IIS 8, 2012 R2 IIS 8.5, 2016 IIS 10 (64 bit) the default application pool identity is "IIS APPPOOL\DefaultAppPool" (for applications using default application pool). In general case, the default identity is "IIS APPPOOL\PoolName". Here the PoolName should be replaced with the actual pool name.
Note! In our video tutorial for IIS 7.5, 8, 8.5, 10 HTTP Commander runs under the "IIS APPPOOL\htcomnetpool" security identity. If you are not sure of the identity name, then check application settings in IIS console:
- Open IIS console: Control panel → Administrative tools → Internet Information Services (IIS) Manager → Expand "Default web site"
- Click the Application Pools node. Check the "DefaultAppPool" pool identity (provided the application was assigned to default pool). Most values stand for themselves: LocalService, LocalSystem, NetworkService mean that the application pool runs under the respective identity. ApplicationPoolIdetity is a special value meaning that the application pool uses "IIS APPPOOL\PoolName" identity. Here the PoolName should be replaced with the actual pool name. Other identity value means that a custom account was used to run the application pool.
  Screenshot
If you are still not sure which identity the application works under.
- open http://localhost/HTCOMNET/Diagnostics.aspx in a web browser and look at the "Application identity" value;
- open Windows Task Manager, find the "w3wp.exe" process corresponding to your application, and look at the user name column of the table.
If you use a custom service account as the application pool identity, do not forget to properly configure that account. You must configure the account by running the Aspnet_regiis.exe utility with the -ga switch. One of symptoms that the service account is not configured is NTFS permission problems with the %WINDIR%\Microsoft.NET\Framework[64]\v4.0.30319\Temporary ASP.NET Files folder. For more details see the MSDN article How To: Create a Service Account for an ASP.NET 2.0 Application. Although the above article applies to IIS 6, the same requirements are valid for IIS 7 and above.
Anonymous user
By default it is IUSR in Windows 2008, 2012, 2016. If you are not sure of the identity name, then check application settings in IIS console:
- Open IIS console: Control panel → Administrative tools → Internet Information Services (IIS) Manager → Expand "Default web site"
- Select HTTP Commander application, open Authentication feature, select Anonymous authentication item, click Edit on the Action pane, inspect the identity used for anonymous user in the Edit anonymous authentication credentials dialog. Anonymous user may be either a specific user or application pool identity.
End-user account
The Windows authentication and "Forms with Windows Users" version of HTTP Commander uses impersonation. That means that end-user accounts should be assigned permissions to specific files and directories. End-user account means a windows account of a user who uses HTTP Commander, including normal users and administrators. You will need to assign permissions for end-users to some files and folders as described below.
Use icacls command line utility to assign NTFS permissions.
You need to execute a command like the following:
icacls "Path\To\Folder" /grant "IIS APPPOOL\DefaultAppPool:(OI)(CI)(RX)"
This command assigns NTFS permissions for "IIS APPPOOL\DefaultAppPool" identity to the "Path\To\Folder" folder or file. This command adds Read permissions.
Note Once the identity is added to the ACL of the folder, you may use standard Windows GUI to manage the identity permissions.
Temporary folder

HTTP Commander uses a temporary folder to store temporary files, such as thumbnails, intermediary video files created in video conversion process, zip files for download, and other. The temporary folder configured in the TemporaryFolder parameter and by default is used "%WINDIR%\Temp", or it may be "%USERPROFILE%\AppData\Local\Temp" if the application pool is configured to load the user profile. The user refered here is the application pool identity user. For example, if the application pool is named HttpCommanderPool, the temporary directory may be "C:\Users\HttpCommanderPool\AppData\Local\Temp". Location of the temporary directory depends on the value of TEMP system and user environment variables. To be certain of the location of the temporary folder, refer to the Diagnostics.aspx page in HTTP Commander.

A system-wide temporary folder ("%WINDIR%\Temp") by default provides necessary access to Administrators and System, but not to normal users. A user-specific folder allows access only to the respective user. HTTP Commander requires write access to the temporary folder for application pool account and end-user accounts in Windows version. The result is the default access is inappropriate. The simplest solution is to configure Modify NTFS permission for all required users. This choice, however, creates security vulnerability, users may read and overwrite each other's files. NTFS permissions allow that. A more secure solution is to configure NTFS permissions as follows. Assign Full Control to CREATOR OWNER pseudo-user. Assign Create files, Create folders, Traverse folder permission to the target users. Apply the last permission to "This folder only". Target users will be able to create files and folders in the temporary directory, but they have access to only their files and folders. Access to others files and folders will be denied. Assigning Full control to CREATOR OWNER guaranties that users have full control to their files.
Screenshot

After you have learned the accounts used in the HTTP Commander application, you are ready to configure NTFS permissions.
How to set permissions:

HTTP Commander AuthMode	Resources	Accounts	Permissions	Note
all	HTCOMNET folder	application pool identity	Read
Forms with Windows Users, Novell EDirectory	HTCOMNET folder	Anonymous user	Read	1
Windows, Forms with Windows Users	HTCOMNET folder	end-users	Read
all	Temporary folder	application pool identity	Modify
Windows, Forms with Windows Users	Temporary folder	end-users	Modify
all	Data folder	application pool identity	Modify	2
Forms with Windows Users, Novell EDirectory	web.config and HttpCommanderSettings.config files	application pool identity	Modify
Windows, Forms with Windows Users	web.config and HttpCommanderSettings.config files	administrators of HTTP Commander	Modify
Novell EDirectory	user data folders	application pool identity	Read or Modify depending on your needs
Windows, Forms with Windows Users	user data folders	end-user accounts	Read or Modify depending on your needs	3
all	Trash folder	application pool identity	Modify	4
Windows, Forms with Windows Users	Trash folder	end-user accounts	Modify	4

Note 1. Why grant access to anonymous user?

Applies to AuthMode Forms, Forms with Windows users, Novell EDirectory, Auth0.

Normally the web application accesses the file system under the application pool identity, but sometimes the anonymous user is impersonated. Note that ASP.NET Impersonation is disabled in IIS.

You may find out that the web application works without problems even when you have not assigned explicit permissions to an anonymous user account. The typical cause of this issue is that the anonymous user gains access to the file system via permissions assigned to Users group. Another explanation may be the fact that anonymous user matches the application pool identity to which you have assigned Read permissions already.

Why write access is not needed for anonymous user?

The application does not explicitly impersonate the anonymous user to perform its tasks. All work is done under the application pool identity. As for read access to the application's root directory, it is IIS that impersonates the anonymous user to verify access to specific objects.
Note 2. By default, the Data folder is located in the HTCOMNET root folder, but you can move it outside the web server (see DataFolderPath key in the Application settings)!
Note 3. If you have an existing folder structure for domain users with set permissions, you don't need to modify existing permissions. The application impersonates the end-user when processing a user request. NTFS file system permissions determines the level of access the end-user gets to the file system through HTTP Commander.
If you want to create a new structure of folders, you need to apply the necessary NTFS permissions on the folders for the domain users.
Note 4. This applies if you enabled EnableTrash parameter.
AnonymousDownload.ashx permissions
You need to configure anonymous access to AnonymousDownload.ashx file if anything of the following is true:
- You plan to work with online services such as MS Office/OpenOffice/LibreOffice support, Online Documents, Images editors and viewers.
- You plan to use public links.
- You enabled anonymous editing in Office (AnonymousEditingOffice setting is true) or enabled MS-OFBA for editing in Office (UseMSOFBAwithMSOffice setting is true).
The process of configuring AnonymousDownload.ashx for anonymous access is detailed in the section configure anonymous access to AnonymousDownload.ashx. Here we focus on the topic of NTFS permissions required for the service account. In general, you should grant Read and Write NTFS permissions to the service account to all user files you want to provide access to. If you plan to generate only download links (vs links that provide ability to upload files) and if you need only viewer online services like Google Viewer, Microsoft OWA, it is enough to assign Read permission to the user files.