How Do I Allow My Web Application to Write to Files, Folders and Databases?

Many Web sites these days use databases or text files to save information. To be able to save this data, IIS, the Web server, needs the required permissions to write to the disk or database. This FAQ will explain how you should configure your NTFS disk or database so your Web application can write to it.

Before you can change the security settings, it's important to find out the account that IIS is using. It's this account that needs the permissions to write to disk or to the database. Check out the FAQ: How Do I Determine the Account that IIS Uses? to find out what that account is. In the rest of this FAQ, I'll assume the user account is IUSR_MachineName (where MachineName is the name of your computer), but it might just as well be another account in your situation.

I split this FAQ into two sections: File Based Security Settings and SQL Server Security settings. The first section describes the steps you need to perform to adjust the security settings for file based operations, like writing to text files and to a Microsoft Access database. The second part shows you how to add a user to SQL Server and grant it the required privileges.

File Based Security Settings

If you need to grant access to specific files on your disk, it's often easier to grant those rights on the parent folder than on individual files. This way, you can manage a bunch of files together, without changing the security settings for each file separately. If you are changing the settings for a Microsoft Access database (an .mdb file), you have to grant the rights to the folder because at run-time, temporary lock-files are written to the folder where the database is located.
You can change the settings on the Security tab of the Properties dialog for the folder or file you want to change. If you don't see the Security tab, check out the FAQ: Why Don't I See a Security Tab on the Properties dialog for My Files and Folders in Windows XP?

To change the security settings, perform the following 5 steps:

  1. Locate the folder where your database resides. It's often a good idea to store the database in a special folder outside the Web scope like C:\Databases. This way, you can make sure that at run-time the database can be accessed, while the users of your Web site cannot download the database by typing in an address like http://www.YourSite.Com/Databases/YourDatabase.mdb. This way your database is safe from prying eyes. The rest of this FAQ assumes you have stored your database in C:\Databases. If you decide to store the database within the scope of your Web site, you'll have to take extra precautions to prevent the database from being downloaded.
  2. Right click the folder Databases, choose Properties and switch to the Security tab. You'll see a screen similar to this:

    The Security tab of the Properties dialog of the Databases folder
    Figure 1 - The Properties Dialog for the Databases Folder

    On this screen, you'll see various accounts and groups listed that have access to this folder. For example, you'll see that, among other accounts, both the group Administrators and the account Imar are listed. It's good practice to limit access to your Databases folder as much as possible by removing permissions you don't really need. Evaluate each name in the group or user names list, and determine whether they need access or not. Usually, I remove all user names, except for my own name, the Administrators group, the Creator Owner account and the System account. Before you start removing all permissions, it's a good idea to read a bit in the Windows Help system about the implications of changing the security settings.
  3. Once you're done removing the user accounts you don't need, click the Add... button, and then type the name of the user account you discovered earlier in this FAQ. For the sake of this article, I'll assume the account is IUSR_MachineName but if you're using ASP.NET or set up IIS to use a different account, your account name may be different. Type IUSR_MachineName in the text box at the bottom of the Select Users or Groups dialog. Don't forget to replace MachineName with the name of your computer:

    The Select Users or Groups dialog allows you to add individual user accounts or groups
    Figure 2 - The Select Users or Groups Dialog

  4. Once you click the OK button, the IUSR account will be listed in the Group or user names box as Internet Guest Account (MachineName\IUSR_MachineName). Click the account, and then make sure that the account has at least Read and Write permissions:

    Figure 3 - The IUSR account needs at least Read and Write permissions

    Depending on the requirements for your application, you may need to give other permissions as well.
  5. Once you're done setting the individual security permissions for the Internet Guest Account, click the OK button to apply the changes to the folder and close the dialog.

From this point, your Web application is allowed to write to files located in the folder C:\Databases, including any Microsoft Access database you may have in that folder.
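The five steps above as a PowerShell script, for servers where you would rather script the change than click through the dialogs (an added example, not part of the original FAQ). The web root C:\Inetpub\wwwroot and the IUSR_MachineName account are assumptions; replace them with your own values. The script only reports the extra accounts from step 2 instead of removing them, and it warns about Deny entries because a Deny overrides the Allow you add.

```powershell
# Added example, not from the original FAQ. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

$folder  = 'C:\Databases'                                     # folder used in this FAQ
$account = "${env:COMPUTERNAME}\IUSR_${env:COMPUTERNAME}"     # assumption: the IIS account
$webRoot = 'C:\Inetpub\wwwroot'                               # assumption: default IIS web root

# Step 1: the database folder should live outside the Web scope.
$full = [System.IO.Path]::GetFullPath($folder).TrimEnd('\')
$root = [System.IO.Path]::GetFullPath($webRoot).TrimEnd('\')
if ("$full\".StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "$folder is inside $webRoot; files in it could be requested over HTTP."
}

# Step 2: list every entry that is not on the keep-list so you can review it.
# Nothing is removed here; inherited entries can only be changed on the parent
# folder or after inheritance has been switched off for this folder.
$keep = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
          "${env:USERDOMAIN}\${env:USERNAME}", $account)
$acl   = Get-Acl -Path $folder
$extra = $acl.Access | Where-Object { $keep -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning "Entries on $folder to review:"
    $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize |
        Out-String | Write-Host
}

# Step 3: resolve the account name to a SID first, so a mistyped name fails here
# instead of producing a broken access rule.
$nt = New-Object System.Security.Principal.NTAccount -ArgumentList $account
[void]$nt.Translate([System.Security.Principal.SecurityIdentifier])

# Step 4: Read and Write, applied to this folder, its subfolders and its files.
$rights    = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $nt, $rights, $inherit, $propagate, $allow
$acl.AddAccessRule($rule)

# Step 5: apply the change to the folder.
Set-Acl -Path $folder -AclObject $acl

# Check the result: show the account's entries and flag any Deny entry,
# because a Deny takes precedence over the Allow added above.
$entries = (Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account }
$entries | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
if ($entries | Where-Object { $_.AccessControlType -eq 'Deny' }) {
    Write-Warning "$account still has a Deny entry on $folder; writes may fail until it is removed."
}
```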

SQL Server Security settings

Because SQL Server is not directly file based, but server based, you'll need to change the security settings in SQL Server, rather than at the NTFS / disk level. To grant your user account access to your database, follow these steps:

  1. Open the SQL Server Enterprise Manager from the Windows Start Menu.
  2. Expand your server in the tree on the left until you see Security.
  3. Open the Security node, right-click it and choose New Login...
  4. In the Name field, type the name of the user account you discovered earlier in this FAQ in the format MachineName\AccountName or DomainName\AccountName.
  5. At the bottom of the dialog, choose the database you wish to grant this user access to from the Database list.
  6. Next, click the Database Access tab, and locate your database again. Check the Permit column for your database in the upper list, and then fine-tune the access rights by selecting the appropriate roles below. Usually, the roles public, db_datareader and db_datawriter will be enough, but for your application the requirements may be different. Finally, click OK to add the user account to SQL Server.
  7. If you want, you can further fine-tune the access rights for this user account. To do that, open the node Databases in the Enterprise Manager, expand your database and then choose Users. The account you created in the previous steps will be listed here. Right-click it, choose Properties and click the Permissions button. On the screen that follows, you have very detailed control over the security settings for all the objects in your database, like Tables, Views and Stored Procedures.

From this point on, your Web application should be able to successfully connect to your SQL Server database.
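Steps 3 to 6 above as a script, using the sp_grantlogin family of system stored procedures through the sqlcmd command-line client with Windows authentication (an added example, not part of the original FAQ). The server name, the YourDatabase placeholder, the IUSR_MachineName account and the presence of sqlcmd on the machine are assumptions; replace them with your own values.

```powershell
# Added example, not from the original FAQ.
# Run as a Windows account that is allowed to manage logins on the server.
$ErrorActionPreference = 'Stop'

$server   = 'localhost'                                       # assumption: default local instance
$database = 'YourDatabase'                                    # placeholder: your database name
$account  = "${env:COMPUTERNAME}\IUSR_${env:COMPUTERNAME}"    # assumption: the IIS account
$roles    = @('db_datareader', 'db_datawriter')               # roles named in step 6

# The values below end up inside T-SQL text, so reject anything that does not
# look like MachineName\AccountName or a plain database name before using it.
if ($account -notmatch '^[\w.-]+\\[\w.$-]+$') { throw "Unexpected account name: $account" }
if ($database -notmatch '^\w+$')              { throw "Unexpected database name: $database" }

$statements = @(
    "EXEC sp_grantlogin N'$account'"        # steps 3 and 4: allow the Windows account to log in
    "USE [$database]"                       # step 5: switch to the target database
    "EXEC sp_grantdbaccess N'$account'"     # step 6: permit access to that database
)
foreach ($role in $roles) {
    # step 6: add the new database user to each role
    $statements += "EXEC sp_addrolemember N'$role', N'$account'"
}
# Show the user and its role memberships so the result can be checked.
$statements += "EXEC sp_helpuser N'$account'"

# -E uses the current Windows credentials, -b makes sqlcmd exit with an error
# code when a statement fails, -Q runs the batch and exits.
sqlcmd -S $server -E -b -Q ($statements -join '; ')
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
```

The public role needs no statement of its own because every database user is a member of it.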





Feedback by Other Visitors of Imar.Spaanjaars.Com

On Saturday, May 14, 2005 12:52:18 PM Chirag Shah said:
Imar, awesome! clear, concise explanation..

Unfortunately, it provides little explanation when web server and sql server are not on the same machine. You did mention DomainName\AccountName but I am a little confused. IUSER_Computername is a local account for computer on which IIS is installed. Should I just add IUSER_Computername in SQL Server? Or should I create a domain account to run IIS anonymous account and then simply add that account to SQL server? Are there any security issues doing that? Please advise.


On Saturday, May 14, 2005 1:53:16 PM Imar Spaanjaars said:
Hi Chirag,

You may want to check out this Faq: http://Imar.Spaanjaars.Com/QuickDocId.aspx?QUICKDOC=276

It explains the steps you need to perform to make this work over the network.

Cheers,

Imar
On Sunday, July 17, 2005 5:17:48 AM hasti said:
It was very useful and complete with details.
On Wednesday, April 05, 2006 1:34:19 PM Michael Kuitunen said:
Imar -

I fall into the "SQL Server Security settings" category. Do you know if there is a way to automate your process via command line commands? I have a situation where I can add users to my application, and it would be nice to automatically set their database access rights without having to pop up any UI other than my app's UI.

Thanks.

-Mike-
On Thursday, April 06, 2006 5:38:53 AM Imar Spaanjaars said:
Hi Michael,

Yes, you can. Look in the SQL Server Books Online under sp_grantlogin for example, that you can use to give an NT account login rights. Then at the bottom of the help page, click System Stored Procedures and then browse to the Security section. You'll find lots of other security related system procedures that you can use to fine tune access control.

HtH,

Imar
On Tuesday, April 11, 2006 12:54:41 PM Mike said:
Great article! I am still having permissions problems though. My web.config is set up with [authentication mode="Windows" /] and [identity impersonate="true"/] and IIS is set up for this specific web site with integrated windows authentication (the default web site is not set up this way). In the app, when I use (HttpContext.Current.User.Identity.Name) I get the domain\username that I expect on all PCs. However, on my PC, file access/copying works. On anyone else's PC, there are file access errors.

HELP!!
On Tuesday, April 11, 2006 9:44:20 PM Imar Spaanjaars said:
Hi Mike,

Can you elaborate a bit about your setup? Is your PC the web server? If not, where are you trying to write / copy the files from and to?

Imar
On Wednesday, April 12, 2006 11:35:38 AM Mike said:
Thanks for the quick reply.  My PC is not the web server when I'm testing the app-only when I'm actually writing the code.  I'm trying to copy files from either folders on a server or from the local PC to the same.
On Wednesday, April 12, 2006 12:35:11 PM Imar Spaanjaars said:
Right, I see.

How did you configure the folders you try to read from and write to? Did you give other accounts than your own sufficient permissions to read and write?

Imar
On Wednesday, April 12, 2006 12:46:52 PM Mike said:
All of the folders have sufficient permissions to be able to do this.  As I said, the app works from my PC when I'm logged in.  It does not work from other PCs when I'm logged in or someone else is logged in.  This is why I'm thinking that for some reason IIS is not passing the user to the file system even though it IS passing it to the database.  Is that even possible?
On Wednesday, April 12, 2006 9:15:30 PM Imar Spaanjaars said:
Hi Mike,

Normally not. If you set up the proper security mechanism, using impersonation, the account for both should be the same. You could run your data access layer under a different account, although I doubt that's the case here.

It's hard for me to tell what's going on, without knowing more about your setup, code and stuff like that. There are just too many parameters that could influence your situation.

Are you using standard System.IO stuff to copy files within the same server? What's weird is that your account doesn't work on other machines either. The only guess I can make is that "Logon in the Intranet zone" is on on your machine and off on others, although again this isn't very likely....

Sorry I can't help much more.

Imar
On Tuesday, May 09, 2006 7:27:04 AM Catherine said:
This is a really great article (id 290) that helped me a lot.  One thing that you didn't mention is that when you are adding/changing permissions you also have to uncheck the "Inherit from Parent the Permission Entries that Apply to Child Objects" checkbox.  I was still getting an UnauthorizedAccessException until I did that.

Your article was very well written and extremely helpful.

Thank you...
On Tuesday, May 09, 2006 7:32:10 AM Imar Spaanjaars said:
Hi Catherine,

You don't necessarily have to always uncheck that, as it depends on the settings. Normally, when you add an account, you expand the list with privileges from the parent. So even if the account you're adding doesn't have access to the parent folder, you can still grant it access to the folder you're modifying.

However, when the account you're trying to modify already has some different permissions set on the parent folder, you may indeed need to uncheck this option, copy the settings to the folder you're working with, and then modify the permission settings.

Hope this helps,

Imar
On Tuesday, July 25, 2006 12:29:51 PM Carl Philippon said:
I have an Access DB with ADO asp pages (created with Frontpage) for submitting/viewing/editing content in the DB. Every so often, my DB gets locked as Read Only, and I get the error "Password not valid" (I have used the Database Interface Wizard within Frontpage to create the asp pages, and have chosen to lock editing with a username/password) when trying to submit/edit with the asp pages. I look at the properties for the mdb, and it does not indicate read only, but when I copy the mdb to a different filename and modify the global.asp to point to it, everything works fine... for awhile. The anonymous web account has read/write access to the directories storing the pages and the DB. Any ideas?
On Tuesday, July 25, 2006 8:41:33 PM Imar Spaanjaars said:
Hi Carl,

Problems that are hard to reproduce are always the hardest to fix. I suggest you post this problem on a forum like http://p2p.wrox.com and provide as much information as possible. Maybe someone has seen similar behavior and knows a fix.

Cheers,

Imar
On Tuesday, August 01, 2006 4:01:07 PM Rene Lares said:
Hi, this article is very useful, but unfortunately I can't give the write permission to the IUSR_SERVERMachine account. The server is running Windows Server 2003 with IIS 6.0, the web application is made in Visual Studio 2005 and I need to read/write some files in the ~/images directory.
I assume that because the folder is part of the web application, the IIS manages all those folders and I cannot change the permission, or can I? Is there a way to write in this folder?

Thanks.
On Tuesday, August 01, 2006 4:56:43 PM Imar Spaanjaars said:
Hi Rene,

What makes you think you can't change the permissions? You should be able to follow the steps, open up the Security tab of the correct folder and add or change the account. Are you seeing something different?

However, you may not need the IUSR account, but another special .NET account, called Network Service. To find that out for sure, look at this FAQ:

http://www.spaanjaars.com/QuickDocID.aspx?QUICKDOC=287

Cheers,

Imar
On Tuesday, August 01, 2006 6:45:06 PM Rene Lares said:
Thank you very much for the quick answer.

I say that I can't change the permissions because the checkbox for the write permission in the deny column is checked and it's like locked, it's checked and I can't uncheck it. I'm already using other folder in C:\ to verify if my code was wrong, this folder has the permission for the user IUSR_ServerName, but everything works fine. But I can't give the write permission in the images folder inside the web site. I have to use that folder because my ISP will not give me any other location to write other than the space in my site.
The site is already configured to use the IUSR_ServerName account.

Thank you for the help.
On Tuesday, August 01, 2006 8:42:51 PM Imar Spaanjaars said:
Hi Rene,

If the checkboxes are locked, it means the folder is inheriting its permissions from its parent. To resolve this, click the Advanced button, then uncheck the "Inherit from parent" option on the Advanced Security Settings dialog for the folder.

You should realize that changes made to the parent folder are no longer propagated to your folder. For now, this is exactly what you want, but you may run into odd situations when you later try to change this again.

Hope this helps,

Imar
On Monday, August 21, 2006 7:27:41 AM SuhelAhmed said:
Hello Mike,

   A great article. But I believe I am looking for something more. I want to provide my users with a facility through which they will be able to access the files through their local machines. By using add new network places, something related to webfolders using their userid and passwords, which they use to login to the website. For this I believe we need to have some setting between the IIS and the SQL database. Due to which the website user will be able to access the common folder. I am not able to understand what settings are needed from the IIS to synchronize it with the SQL database. Please can you advise me on the above mentioned topic. Thanks in advance.
The project is in C# and the backend is MS-SQL Server.

Regards,
SuhelAhmed.
On Monday, August 21, 2006 7:38:23 AM Imar Spaanjaars said:
Hi SuhelAhmed,

I don't think I understand what you mean. Can you please post this at http://p2p.wrox.com so others can take a look?

If you do, please provide more detail and describe what it is that you want, what SQL has to do with it and so on.

Cheers,

Imar
On Monday, August 21, 2006 9:15:46 AM SuhelAhmed. said:
Hello Mike,
    Thank you for the prompt reply.
   What I need is to create a website which will be hosted on the server. This web site will be having numerous users. Each user will be having their UserID and Password. The website will also have a common folder in which the users can create folders or files as per their requirements.
But for this I believe that these users should have the permission to create folders or files on the webserver. And these permissions have to be configured in the IIS of the webserver.
  Since the users will be created dynamically on the website, the IIS should understand that the userids and passwords are from the database of the file and not from the authentication metabase or file from the IIS on the webserver.
   So, my query was how do I make the IIS understand that it has to verify the userid and password from the user database of our website.
If you still are not able to get the clear picture please can you forward me your mail-id so that I can properly draft a mail along with some explanatory attachments and links.

  Thank you in advance.
Regards,
SuhelAhmed.
On Monday, August 21, 2006 9:21:59 AM Imar Spaanjaars said:
Hi SuhelAhmed,

It all depends. If you use "forms authentication" where users log in by entering a user name and a password in a web page, the account that the webserver uses is still the same, so you can configure one account with write access to store uploaded files and so on.

If users are stored in a database, then most likely you are using "forms authentication", and you don't need to worry about this too much. Create login functionality as you normally would by taking the username and password from a web page and send it to the database. How you do this depends on the technology you use (e.g. ASP, ASP.NET and so on).

Like I said in my previous reply: post this at http://p2p.wrox.com. You'll find all the tools to add "explanatory attachments and links" there, and there are many others that can help you as well.

Cheers,

Imar


On Tuesday, February 27, 2007 5:36:56 AM vrushali said:
Hello,

I tried to give write access to IUSR_[machinename] to my Webservice folder, but still it doesn't allow me to write into that folder.

I am not the administrator of that machine, will it make any difference?

If you could give me some information to resolve my problem, that would be great.

thanks in advance.

Vrushali
On Tuesday, February 27, 2007 7:13:48 AM Imar Spaanjaars said:
Hi vrushali,

Did you read this FAQ:

http://imar.spaanjaars.com/QuickDocID.aspx?QUICKDOC=287

Maybe you need a different account, like ASPNET or Network Service instead?

Imar
On Sunday, March 25, 2007 6:42:21 PM Sandy said:
Hello,

I have downloaded your VB version and it worked fine. I did not put it under IIS. However, the app I am working on is in IIS. In debug I found that I have gotten the file into SQL Server (using Developer Edition), I have successfully retrieved the file from my database (has same number of bytes as in your app), but on my download page after doing (d is my class):

    Response.Clear()
    Response.ContentType = "application/x-unknown"
    Response.AppendHeader("Content-Disposition", "attachment; filename=""" + d.OriginalFileName + """")
    Response.BinaryWrite(d.DocumentData)

Instead of getting the download prompt as you described, I get an error:

Internet Explorer cannot OpenDocument.aspx from localhost

I think there is a problem appending the response header.  Is this a security issue?
On Sunday, March 25, 2007 7:25:56 PM Imar Spaanjaars said:
Hi Sandy,

I am not sure I understand this. What VB version are you talking about? This article is about configuring security settings in Windows.....

Imar
On Sunday, March 25, 2007 7:47:27 PM Sandy said:
Sorry - I should have posted this on your page that explains how to upload files both to the file system and to the database.  The VB is VS 2005 in an ASP.NET application.
On Monday, March 26, 2007 7:42:17 PM Imar Spaanjaars said:
Hi Sandy,

Right, I see. What happens when you debug the app and look at the d object? Does it have valid OriginalFileName and DocumentData properties? Maybe the first is null in the database?

Imar
On Monday, March 26, 2007 8:00:11 PM Sandy said:
Thank you for responding. The d object has all valid properties. The OriginalFileName is there and the DocumentData has the same number of bytes as it does when I run your program. (I ran the same file through your program, which worked, and my program, which does not.) So it looks like it got stored correctly in the database. I am assuming this based on my findings just before I attempted to send the file to the response.
On Tuesday, March 27, 2007 5:09:22 AM Imar Spaanjaars said:
Hi Sandy,

In that case, I don't know how to help. If it looks like the code I wrote, and all properties seem valid, I don't know what the problem is. Sorry.

Cheers,

Imar
On Tuesday, March 27, 2007 4:47:56 PM Sandy said:
Thank you for trying!
On Sunday, April 20, 2008 7:20:23 PM kunal said:
It's good for ASP, but what about ASP.NET, i.e. aspx?
On Sunday, April 20, 2008 9:15:25 PM Imar Spaanjaars said:
Hi kunal,

It's the same story for ASP.NET except for the actual account. Refer to the FAQ I linked to earlier to find the account and read the comments on this article.

Cheers,

Imar
On Wednesday, April 08, 2009 12:06:38 PM William Howell said:
Thanks for the info. I am not sure if it solves my problem but I enjoyed the nice clear and quick to read explanation. I will follow the advice not to store the db under the web site. I may not be able to write to the folder but at least it will be in a good place.
