Changing permissions on IIS Admin (iisadmin) service

Any time I do a lot of research on something, I like to document it here. Without much detail, here’s the problem and solution, as point-blank as possible:

A vulnerability scan on our Windows 2003 Server reports:

"On this site, there is a problem with IIS. The SMB service has insecure permissions for Everyone: IIS Admin Service (IISADMIN) : DC, WD, WO"


I found that the “Everyone” user had access to the iisadmin service:

“D:” – Discretionary Access Control List (DACL)
“S:” – System Access Control List (SACL)
“A;;” – Allow
“WD” – Everyone

Checking another webserver we have, I found slightly different permissions, but it definitely did not have “WD” (Everyone) as part of the “D:” discretionary permissions:

So I removed the “WD” entry:

I restarted the service and checked the various running websites, and all seemed OK. Without another vulnerability scan I won’t know for sure whether the scan still finds this, but removing Everyone from the iisadmin service still seemed like a good idea.
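
The check and the edit described above, as an added example rather than code from the original post: it parses a service SDDL string of the kind `sc sdshow iisadmin` prints, reports which of the scan's flagged rights (DC, WD, WO) the DACL grants to Everyone, and rebuilds the string without that entry. The sample descriptor is constructed and the function names are illustrative; note that `WD` means Everyone only in an entry's last (trustee) field, while in the rights field it is WRITE_DAC.

```python
import re

# Service meaning of the SDDL rights named in the scan finding (DC, WD, WO).
RISKY = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}

# Constructed sample, not taken from the original server.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;DCWDWO;;;WD)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def split_dacl(sddl):
    """Return (prefix, DACL ACE bodies, suffix); the SACL stays in suffix."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    return sddl[:m.start(1)], re.findall(r"\(([^)]*)\)", m.group(1)), sddl[m.end(1):]

def parse_ace(ace):
    """ACE fields: type;flags;rights;object_guid;inherit_guid;trustee."""
    fields = ace.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: " + ace)
    rights = fields[2]
    # Rights are two-letter codes; a hex mask (0x...) is kept as one token.
    codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
    return fields[0], codes, fields[5]

def risky_grants(sddl, trustee="WD"):
    """Allow ACEs in the DACL that give `trustee` any right listed in RISKY."""
    hits = []
    for ace in split_dacl(sddl)[1]:
        ace_type, codes, who = parse_ace(ace)
        names = [RISKY[c] for c in codes if c in RISKY]
        if ace_type == "A" and who == trustee and names:
            hits.append((ace, names))
    return hits

def without_trustee(sddl, trustee="WD"):
    """Drop the trustee's allow ACEs from the DACL only; audit ACEs are kept."""
    prefix, aces, suffix = split_dacl(sddl)
    kept = [a for a in aces
            if not (parse_ace(a)[0] == "A" and parse_ace(a)[2] == trustee)]
    return prefix + "".join("(" + a + ")" for a in kept) + suffix

if __name__ == "__main__":
    for ace, names in risky_grants(SAMPLE):
        print("Everyone is granted", ", ".join(names), "by", "(" + ace + ")")
    print(without_trustee(SAMPLE))
```

The rebuilt string is what would be passed to `sc sdset iisadmin`. The audit entry under “S:” also names WD and is left in place.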

One Comment

  1. russds says:

    I found this site helpful: it lists all the various translations for those cryptic permissions letters. (WD, A:, CC, DC, etc.)
