How to ensure that IIS_IUSR group has special permission to c:\windows\temp folder?

Question

How to check whether IIS_IUSR group has special privillege to some folder? [say c:\\windows\\temp ]

I am trying to check whether it has allow permission. If it is having allow permission , i assume it has special permission. Is this assumption correct?

internal static Boolean HasAccess(string strPath, string account)
{
    var security = Directory.GetAccessControl(strPath);
    var rules = security.GetAccessRules(true, true, typeof(NTAccount));

    foreach (FileSystemAccessRule rule in rules)
    {
        if (rule.IdentityReference.Value == account)
        {
            if (rule.AccessControlType == AccessControlType.Allow)
            {
                return true;
            }
        }
    }

    return false;
}

static void Main(string[] args)
{
    if ( HasAccess(@"C:\Windows\Temp", "BUILTIN\\IIS_IUSRS") ) {
        Console.WriteLine(" It has permission");
    }             
}

Answer 1

Your code doesn't do what you think it does. It grabs a collection of all AccessRules and its privileges ( FileSystemRights ) and only checks the very first one, no matter what the rule is for. You better find the rule you want to check for first, then check it.

Answer 2

As Danexxtone mentioned you currently check all access rules on the folder. The problem with this approach is that there may be one access rule that allowes reading but another access rule that denies it. And an access rule that denies something is always dominating a rule that allowes the same thing. So it's not sufficient just to look if there is a rule in the set that allowes you accessing the folder.

What you have to do is to check the effective permissions on the folder. Have a look here, this might help you and it's already C# code: Effective file permissions tool's api in windows