System Internals - NTFS Permissions

This guide contains Ipswitch recommendations for NTFS permissions on Windows folders on a MOVEit DMZ system.

To make the configuration of permissions easier, you should create a new MOVEit System group to hold all the users under which the MOVEit DMZ application runs. This group should contain the following users. After creating this group and applying permissions as described below, you will usually need to reboot your machine before these permissions take effect, as some of these users only sign on during a reboot.

User/Group	Description
System	Built-in LocalSystem account (used by MOVEit's scheduled tasks)
IUSR_...	Built-in anonymous web access account (used by online application)
IWAM_...	Built-in anonymous web access account (used by online application)
ASPNET	Built-in ASP.NET account (used by online application)
NETWORK SERVICE	(Windows 2003 Only!) Built-in group for network services (used by online application)

The following table shows which permissions to assign to the MOVEit System group as well as the Administrators group. (Administrators need access to install/update the application.) It is recommended that you first install MOVEit DMZ at least once before applying these permissions. (MOVEit DMZ will set up the directory structure.) Read permissions are assigned by default; they actually include list and execute permissions.


Windows Folder	Administrators	MOVEit System
(isapiroot)	Full	Read/Execute/List
(mysqlroot)	Full	Full
(nonwebroot)	Full	Read/Execute/List
(nonwebroot)\certs	Full	Full
(nonwebroot)\com	(Inherit)
(nonwebroot)\files	Full	Full
(nonwebroot)\installscripts	Full	(None)
(nonwebroot)\logs	Full	Full
(nonwebroot)\messagefiles	(Inherit)
(nonwebroot)\scheduler	Full	Full
(nonwebroot)\util	Full	(None)
(program files)\moveit	Full	Read/Execute/List
(webroot)	Full	Read/Execute/List
(webroot)\bin	(Inherit)
(webroot)\COM	(Inherit)
(webroot)\doc	(Inherit)
(webroot)\images	(Inherit)
(webroot)\images\bullets	(Inherit)
(webroot)\images\customscheme	(Inherit)
(webroot)\images\instlogos	Full	Full
(webroot)\templates	Full	Full

If even tighter NTFS control is desired, the following changes are recommended:

If you are using MySQL as your database engine, run MySQL under a different usercode. (By default, this is SYSTEM.) Remove permissions to the (mysqlroot) folder from MOVEit System and give then instead to the specific MySQL user.
Adopt a policy where all appearance changes must be done by hand (rather than through the MOVEit DMZ interface). This change would allow you to propagate the security settings of (webroot)\images to all its subfolders.
Change the usercode under which MOVEit DMZ's scheduled tasks run. (By default, this is SYSTEM.) Update the MOVEit System group with this information.
Limit access to the (nonwebroot)\scheduler folder to only that user under which MOVEit DMZ's scheduled tasks run.