System Internals - NTFS Permissions
- Last Updated: April 6, 2022
- MOVEit Transfer
- Version 2023
This section contains best practice recommendations for NTFS permissions on Windows folders on a MOVEit Transfer system.
To make the configuration of permissions easier, create a new MOVEit System group to hold all the users under which the MOVEit Transfer application runs. Add the following users to the group. After creating this group and applying permissions as described below, reboot your machine so that these permissions take effect, because some of these users only sign on during a reboot.
| User/Group | Description |
|---|---|
| System | Built-in LocalSystem account (used by MOVEit scheduled tasks) |
| IUSR_... | Built-in anonymous web access account (used by online application) |
| IWAM_... | Built-in anonymous web access account (used by online application) |
| ASPNET | Built-in ASP.NET account (used by online application) |
The following table shows the permissions to assign to the MOVEit System group and the Administrators group. (Administrators need access to install/update the application.)
Recommended: Install MOVEit Transfer at least once before applying these permissions, because the installer sets up the directory structure. Read permissions are assigned by default and include list and execute permissions.
| Windows Folder | Administrators | MOVEit System |
|---|---|---|
| (isapiroot) | Full | Read/Execute/List |
| (mysqlroot) | Full | Full |
| (nonwebroot) | Full | Read/Execute/List |
| (nonwebroot)\certs | Full | Full |
| (nonwebroot)\com | (Inherit) | |
| (nonwebroot)\files | Full | Full |
| (nonwebroot)\installscripts | Full | (None) |
| (nonwebroot)\logs | Full | Full |
| (nonwebroot)\messagefiles | (Inherit) | |
| (nonwebroot)\scheduler | Full | Full |
| (nonwebroot)\util | Full | (None) |
| (program files)\moveit | Full | Read/Execute/List |
| (webroot) | Full | Read/Execute/List |
| (webroot)\bin | (Inherit) | |
| (webroot)\COM | (Inherit) | |
| (webroot)\doc | (Inherit) | |
| (webroot)\images | (Inherit) | |
| (webroot)\images\bullets | (Inherit) | |
| (webroot)\images\customscheme | (Inherit) | |
| (webroot)\images\instlogos | Full | Full |
| (webroot)\templates | Full | Full |
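The two tables above, turned into a script: this is an added example, not code from the MOVEit Transfer documentation. It creates the MOVEit System group, adds the listed identities, and applies the folder rights with icacls. The folder paths are placeholders for (isapiroot), (mysqlroot), (nonwebroot), (webroot) and (program files)\moveit and must be replaced with the locations on your host.

```powershell
# Added example, not part of the MOVEit Transfer documentation: creates the
# MOVEit System group and applies the permission table with icacls. Run from an
# elevated PowerShell on the MOVEit host after the first installation, then reboot.
$Group      = 'MOVEit System'
$NonWebRoot = 'D:\MOVEitDMZ'                 # placeholder for (nonwebroot)
$WebRoot    = 'D:\MOVEitDMZ\wwwroot'         # placeholder for (webroot)
$IsapiRoot  = 'D:\MOVEitDMZ\isapi'           # placeholder for (isapiroot)
$MySqlRoot  = 'D:\MySQL'                     # placeholder for (mysqlroot)
$MoveItProg = "$env:ProgramFiles\MOVEit"     # placeholder for (program files)\moveit

# Identities from the first table; IUSR_/IWAM_ carry the host name as a suffix.
$Members = @('S-1-5-18', "IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME", 'ASPNET')
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Accounts MOVEit Transfer runs under' | Out-Null
}
foreach ($m in $Members) {
    # Accounts that do not exist on this host are skipped instead of aborting the script.
    Add-LocalGroupMember -Group $Group -Member $m -ErrorAction SilentlyContinue
}

# Rights from the second table: Administrators get Full everywhere, MOVEit System varies.
# Rows marked (Inherit) need no action because they take their parent's ACL.
$Rows = @(
    @($IsapiRoot,                   'RX'),   @($MySqlRoot,                   'F'),
    @($NonWebRoot,                  'RX'),   @("$NonWebRoot\certs",          'F'),
    @("$NonWebRoot\files",          'F'),    @("$NonWebRoot\installscripts", 'None'),
    @("$NonWebRoot\logs",           'F'),    @("$NonWebRoot\scheduler",      'F'),
    @("$NonWebRoot\util",           'None'), @($MoveItProg,                  'RX'),
    @($WebRoot,                     'RX'),   @("$WebRoot\images\instlogos",  'F'),
    @("$WebRoot\templates",         'F')
)
foreach ($row in $Rows) {
    $path, $level = $row
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing folder: $path"; continue }
    icacls $path /grant:r "BUILTIN\Administrators:(OI)(CI)F" | Out-Null
    if ($level -eq 'None') {
        # Stop inheriting (keeping copies of the inherited ACEs), then drop the group entirely,
        # otherwise the Read/Execute/List granted on (nonwebroot) would still flow down here.
        icacls $path /inheritance:d | Out-Null
        icacls $path /remove:g $Group | Out-Null
    } else {
        icacls $path /grant:r "${Group}:(OI)(CI)$level" | Out-Null
    }
}
```

Run `icacls <folder>` afterwards to confirm that the (None) folders list no entry for MOVEit System and that the others show only the intended rights.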
If more stringent NTFS control is desired, the following changes are recommended:
- If you are using MySQL as your database engine, run MySQL under a different usercode. (By default, this is SYSTEM.) Remove permissions to the (mysqlroot) folder from MOVEit System and grant the permissions instead to the specific MySQL user.
- Adopt a policy where all appearance changes must be done manually, rather than through the MOVEit Transfer interface. This change allows you to propagate the security settings of (webroot)\images to all its subfolders.
- Change the usercode under which the MOVEit Transfer scheduled tasks run. (By default, this is SYSTEM.) Update the MOVEit System group with this information.
- Limit access to the (nonwebroot)\scheduler folder to only that user under which the MOVEit Transfer scheduled tasks run.