Share via


How to Help Secure the IIS Web Log Folder

You should secure access to your Internet Information Services (IIS) log file directory.

IIS log files contain sensitive information such as the following:

  • File names

  • Directory paths

  • Cookies

We recommend that you set NTFS file system security permissions on the %windir% \system32\LogFiles folder. Setting security permissions on this folder protects log files for all sites on your Web server.

By default, IIS log files are stored in the %windir%\system32\LogFiles\W3SVC# folder on the computer that is running IIS, where %windir% is the drive partition where Windows is installed, and # is the number of the site. For example, the default location of the log file folder for the default Web site where Windows is installed on drive C would be as follows: C:\WINNT\system32\LogFiles\W3SVC1.

To help secure the IIS Web Log folder

  1. In Windows Explorer, locate the <drive>:\\WINNT\system32\LogFiles\ folder on your server that is running IIS.

  2. Right-click the LogFiles folder, and then click Properties.

  3. In the LogFiles Properties dialog box, on the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box.

  4. In the Security dialog box, click Copy, in the Name box, click CREATOR OWNER, and then click Remove.

  5. In the Name box, click Power Users, and then click Remove.

  6. In the Name box, click Users (<Server name>\Users), and then click Remove.

    The remaining users in the Name box should be Administrators (<server name>\Administrators) and SYSTEM. Both of these are granted Full Control permissions to this folder. This is the recommended security setting for this folder.

  7. In the LogFiles Properties dialog box, click OK.

See Also

Other Resources

Working with Internet Information Services (IIS)