W2K3 IIS- IUSR account privileges for the "moodle" folder

by Bob Majors -
I'm running a W2K3 server with IIS. Data is on E:\. When I initially set up the Moodle structure on E:\, the serverName\Users group had (the default) read and execute plus some write permissions. Installing and configuring the first Moodle instance worked.

Then I decided to remove the serverName\Users from E:\ entirely. During configuration of a second Moodle instance, I was warned that the config.php file could not be created. I used the data presented by the config process (shown on the web page during config) to create the config.php file manually, and that seemed to work. BTW, I believe this was after I gave the IUSR_serverName account the common read privileges (Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions) to the moodle folder.

Next, I gave IUSR_serverName Modify (and its default related privileges) permissions to the moodle folder, and ran a third Moodle config, and all worked fine. Then I re-set the IUSR_serverName permissions back to the common read privileges (Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions) on moodle, and have not had any problems so far. I understand the IUSR account needs read access to the moodle folder.

QUESTION: Are these latter read privileges for the IUSR account sufficient (and therefore recommended, security-wise) over the moodle folder?

My Moodle structure is currently:

C:\php (including the DLLs in \ext)

E:\Program Files\MySQL\ [full access for: Administrators, CREATOR OWNER, and SYSTEM]

E:\website\moodle_uploads\course_a (and course_b, etc.) [full access for: Administrators, CREATOR OWNER, and SYSTEM] (I haven't done anything with this folder; was a recommendation I heard, and I may need to modify permissions on it.)

E:\website\moodledata_root\moodledata_course_a (and course_b, etc.) [Full access for: Administrators, CREATOR OWNER, and SYSTEM. Modify (and all the sub privileges that go with it): IUSR_serverName]

Note: E:\website\production is the IIS root web directory for Moodle on my system.

E:\website\production\ -and-
E:\website\production\course_a (and course_b, etc.) -and-
E:\website\production\course_a\moodle\ (etc.)
[Full access for: Administrators, CREATOR OWNER, and SYSTEM. The common read privileges (Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions): IUSR_serverName]

Thanks, Bob
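One way to check that the layout described in the post is what is actually on disk, as an added example that is not part of the original post: the script reads ACL listings in the format printed by `icacls <path>` and reports every folder under the web root where the anonymous IIS account holds a write-capable right. The sample listing, the SERVERNAME host name and the function names are constructed for illustration, and the parser assumes the audited paths contain no spaces (true for the E:\website tree in the post).

```python
import re

# Simple and specific icacls rights that allow changing or deleting content.
WRITE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WEA", "WA", "DC", "DE", "WDAC", "WO"}
ACE = r"(?P<who>[^:()]+):(?P<ace>(?:\([^)]*\))+)\s*$"
FIRST = re.compile(r"^(?P<path>[A-Za-z]:\\\S*) " + ACE)   # path + first ACE
CONT = re.compile(r"^\s+" + ACE)                           # indented further ACEs

# Constructed sample in the format printed by `icacls <path>`; not from the post.
SAMPLE = r"""E:\website\production BUILTIN\Administrators:(OI)(CI)(F)
                      CREATOR OWNER:(OI)(CI)(IO)(F)
                      NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                      SERVERNAME\IUSR_SERVERNAME:(OI)(CI)(RX)
E:\website\moodledata_root BUILTIN\Administrators:(OI)(CI)(F)
                           SERVERNAME\IUSR_SERVERNAME:(OI)(CI)(M)
E:\website\production\course_b\moodle SERVERNAME\IUSR_SERVERNAME:(OI)(CI)(M)
"""

def parse(text):
    """Yield (path, principal, rights, is_deny) for every ACE line."""
    path = None
    for line in text.splitlines():
        m = FIRST.match(line)
        if m:
            path = m.group("path")
        else:
            m = CONT.match(line)
        if not m or path is None:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("ace"))
        # The last parenthesised group is the rights mask; earlier ones are flags.
        yield path, m.group("who").strip(), set(groups[-1].split(",")), "DENY" in groups

def audit(text, account, readonly_root):
    """Return [(path, write_rights)] where `account` can write under readonly_root."""
    root = readonly_root.rstrip("\\").lower()
    findings = []
    for path, who, rights, deny in parse(text):
        inside = path.lower() == root or path.lower().startswith(root + "\\")
        is_account = who.lower().split("\\")[-1] == account.lower()
        if inside and is_account and not deny and rights & WRITE:
            findings.append((path, sorted(rights & WRITE)))
    return findings

if __name__ == "__main__":
    for path, rights in audit(SAMPLE, "IUSR_SERVERNAME", r"E:\website\production"):
        print("write access on code tree:", path, rights)
```

In the constructed sample the only finding is the course_b\moodle folder, which stands in for a folder left at Modify after an install; the moodledata tree is outside the audited root and is not reported.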