Unfortunately at work I’m stuck hosting PHP on various versions of Windows with IIS. For the most part things do just run (though I yearn for a nice Nginx + PHP-FPM setup that has decent URL rewriting), but figuring out what security settings to change so that PHP can write to a particular file or directory has always been a problem.

Side Warning: Be aware that if you ramp down the security on your application’s directories too much, IIS has a tendency to start throwing 500 errors with no real warning or logic.

On each one of your directories that PHP needs to be able to write to (in my case it was cache, logs, and upload, in case you were wondering), right click and go to Properties, then the Security tab. Click Advanced at the bottom, then Change Permissions at the bottom again. Now you want to Add new permissions.

If your Windows server is a member of the domain, it will probably default to searching the domain tree in the From this location box. Change this back to the local machine [1], hit Advanced, and then Find Now on the right.

In the potentially long list of local users and groups, find the group IUSR, select it, and hit OK and then OK again.

Now the tricky part: which permissions do I actually need to grant? Well, that’s totally going to depend on what you’re writing. For my purposes, I needed to be able to Create files / write data, Create folders / append data, Delete subfolders and files, and Delete. You might need to enable attribute changes or not need to include Delete permissions… That’s up to you.

When you’re done, be sure to check the Replace all child object permissions with inheritable permissions from this object check box to apply the new permissions to all the child files and folders and then go through all your OKs until you’re done.

Rinse and repeat as necessary, but now your PHP application should be able to write to the proper locations and all will be well with the world… Or as well as it can get when you’re running PHP on Windows with IIS.
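The same grant can be scripted, which makes it repeatable and easy to review. This is an added example, not part of the original post: the application root path is a hypothetical placeholder, and the script assumes an elevated PowerShell session on the IIS server. It grants only the four permissions listed above and then prints what IUSR ends up with on each directory.

```powershell
# Added example. $appRoot is a hypothetical path; change it to your application.
$appRoot  = 'C:\inetpub\wwwroot\myapp'
$writable = 'cache', 'logs', 'upload'   # the directories named in the post

# The four special permissions from the post, as FileSystemRights flags:
# Create files / write data, Create folders / append data,
# Delete subfolders and files, Delete.
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete'

# "This folder, subfolders and files": inherit to child containers and objects.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'IUSR', $rights, $inherit, $propagate, $allow)

foreach ($name in $writable) {
    $path = Join-Path $appRoot $name
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Skipping $path (not a directory)"
        continue
    }

    # Add the rule to the existing ACL instead of replacing the ACL,
    # so entries for other accounts are left untouched.
    $acl = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl

    # Review step: list every entry IUSR now has on this directory.
    # Anything broader than the four rights above deserves a second look.
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference -like '*IUSR' } |
        Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
}

# Note: this does not perform the "Replace all child object permissions"
# step. The inheritable entry reaches child files and folders that still
# have inheritance enabled; children with inheritance disabled keep their
# own ACLs and need to be handled separately.
```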

  1. Unless your domain has a special group for IIS setup, in which case you should already know how to do this and need to stop reading. 