When deploying a Classic ASP application on IIS 7.5 (Windows Server 2008 R2), you might encounter a perplexing file permission scenario. Consider this structure:
WebsiteRoot/
├── dbc/
│ └── filename.txt (requires read/write access)
└── Other ASP filesThe application throws this error when accessing the file:
Access to the path 'E:..\websiteroot\dbc\filename.txt' is deniedOddly enough:
- Fails with IUSR/IIS_IUSRS/AppPoolIdentity write permissions
- Succeeds only with EVERYONE full control
The system components interacting here:
ASP Page → COM+ Component (Network Service) → File System (IIS AppPool Identity)
↑
└── File I/O OperationsKey configuration points:
- Classic Pipeline Mode
- Anonymous Authentication enabled (AppPoolIdentity)
- COM+ component runs as Network Service
Using Process Monitor revealed the critical insight:
Process: DLLHOST.EXE (COM+ host)
User: NT AUTHORITY\NETWORKSERVICE
Access: READ (succeeded)
Access: WRITE (denied)Here's the precise fix using ICACLS:
:: For the website identity (if needed)
ICACLS "foldername" /grant:r "IIS AppPool\YourAppPoolName":(OI)(CI)RXW /T
:: For the COM+ component
ICACLS "foldername" /grant:r "NT AUTHORITY\NETWORKSERVICE":(OI)(CI)RXW /TKey parameters explained:
- /grant:r - Replace existing permissions
- (OI) - Object inherit
- (CI) - Container inherit
- /T - Apply recursively
For scenarios where you need to verify permissions in code:
<%
Function CheckFileAccess(filePath, accessMode)
On Error Resume Next
Dim fso, file
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Select Case accessMode
Case "read"
Set file = fso.OpenTextFile(filePath, 1) ' ForReading
Case "write"
Set file = fso.OpenTextFile(filePath, 8) ' ForAppending
End Select
If Err.Number <> 0 Then
CheckFileAccess = False
Else
CheckFileAccess = True
file.Close
End If
On Error GoTo 0
End Function
%>- Always grant minimum required permissions (RXW vs Full Control)
- Audit COM+ components for their identity requirements
- Consider using specific service accounts instead of Network Service
- Implement proper ACL inheritance through folder structure
- Verify which identity actually touches the file (Process Monitor)
- Check effective permissions (Right-click → Properties → Security → Advanced)
- Confirm no Deny ACEs exist in the ACL
- Validate inheritance flags
- Check share permissions if accessing network paths
When dealing with file system operations in Classic ASP applications running on IIS 7.5/Windows Server 2008 R2, permission issues often manifest in subtle ways. Let's examine a real-world scenario where write operations fail despite apparently correct permissions.
The key observation was that write operations only succeeded when granting EVERYONE permissions, while more specific accounts (IUSR, IIS_IUSRS, or Application Pool Identity) failed with:
"Access to the path 'E:..\websiteroot\dbc\filename.txt' is denied"
The environment consisted of:
- Classic ASP application running in Classic Pipeline mode
- Anonymous Authentication enabled (using Application Pool Identity)
- COM+ component handling file I/O operations
- COM+ running under Network Service identity
The critical realization was that the file access was actually being performed by the COM+ component's identity (Network Service), not the IIS application pool identity. This explains why modifying IIS-related permissions had no effect.
Process Monitor revealed: 1. Application Pool Identity (IIS AppPool\CipherDemo): Had sufficient permissions 2. Network Service: Only had Read permissions
The solution involved granting explicit permissions to the actual accessing account:
icacls "foldername" /grant:r "NT AUTHORITY\NETWORKSERVICE":(OI)(CI)RXW /T
For those needing to implement this programmatically in ASP:
<%
' Example checking permissions before file operation
Set fso = Server.CreateObject("Scripting.FileSystemObject")
filePath = Server.MapPath("/dbc/testfile.txt")
' Attempt to create test file
On Error Resume Next
Set testFile = fso.CreateTextFile(filePath, True)
If Err.Number <> 0 Then
Response.Write "Error " & Err.Number & ": " & Err.Description
Response.Write "<br>Verify NT AUTHORITY\NETWORKSERVICE has write permissions"
End If
On Error GoTo 0
%>
When working with external components:
- Always identify the actual security context of the component
- Use Process Monitor (ProcMon) to trace permission checks
- Test permissions programmatically before critical operations
- Consider creating a dedicated service account for COM+ components
For better security, you might modify the COM+ component to impersonate the caller:
' In COM+ component (VB example)
Sub WriteToFile(path, content)
Dim impersonationToken As Long
If CoImpersonateClient() = 0 Then
' File operations here will use caller's identity
Open path For Output As #1
Print #1, content
Close #1
CoRevertToSelf()
Else
Err.Raise 5, "WriteToFile", "Access denied"
End If
End Sub