When we read about "TLS version enforcement capabilities now available per certificate binding on Windows Server 2019", it sounded perfect.  However we cannot get it to work?  We are using IIS10 on Windows 2019 and are on OS Build 17763.914 and when we go to the site binding the screenshot below is all we get.  According to https://docs.microsoft.com/en-us/security/disable-legacy-tls we should also have a disable Legacy TLS checkbox. 

The version of windows server/iis we have is latest as per windows update and is after the version mentioned in the article.  We have also tried to do via "netsh http add sslcert ...", but when we add the argument disablelegacytls=enable it fails, even though it is listed in the help as an argument.

Does something need turning on or setting?  Tried a couple of things, but no luck.

Any hints or assistance much appreciated.

Thanks

Paul

I have installed the URL rewrite module on my SharePoint 2013 WFE. My redirects work just fine as long as the original site exists but as soon as I delete the sub site from SharePoint I get a 404 error. It is like the rules are not even processed. Is there a configuration setting that I am missing? This is the code in my web.config

<rewrite>
        <rules>
            <rule name="Pattern 1" patternSyntax="Wildcard" stopProcessing="true">
                <match url="subsite1/*" />
                <action type="Redirect" url="http://intranet.acme.com/_layouts/15/URLRewrite/Redirect.aspx?src={URL}&amp;qs={QUERY_STRING}" />
            </rule>  
        </rules>
    </rewrite>

As soon as I delete subsite1 the Rewrite module no longer redirects. This seems to also be consistent will a regular IIS web application where I link to a page that does not exists.

Friends need your help, me installed a IIS 10 server a couple of days ago on Windows 2019 base, I am using this product for the first time. Moved the site to PHP in a new environment, as it turned out it’s easy to work with if you figure it out) the site is working fine, I'm satisfied.

The time has come to install an SSL certificate, I managed to make a .pfx file and i install the certificate. But as soon as I switch to https an authorization form appears and asks for a username and password. I can’t understand where it came from and how to remove it. Please help the newcomer)
Thank you!

Dear community,

I've been trying setting up custom permission on different directories for different users using Server 2019 and IIS10.

I created a website for WebDAV, added virtual directories and then enabled WebDAV. Authoring rules were set at top level (Website). This is working fine for myself because I do have full permission to all virtual directories. However, I would like to grant individuals permission to specific directories and these should not have R/W permission to any other directory.

It looks like I can grant a user permission to a virtual directory but that user is then not able/allowed to authenticate.

In the below example, permission in RED is desired but won't work:

• - WebDavRoot (Authoring: User 1 R/W/S)
• -- VirtualDirectory1 (Authoring: User 1 inherited)
• -- VirtualDirectory2 (Authoring: User 1 inherited | User 2 R/W/S)
• -- VirtualDirectory3 (Authoring: User 1 inherited | User 3 R/W/S)

I need to exclude a specific subdomain (sub.domain.com) from the REDIRECT TO HTTPS rule in the web.config below. How do I do that?

<rules>
<rule name="www" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^www." negate="true" />
</conditions>
<action type="Redirect" url="https://www.{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
</rule>
<rule name="Redirect to https" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>

Friends, I need your help again, today launched a laptop that is running Windows Server 2019 with IIS 10 on which I am developing a site, there is a site written in php which later I plan to rebuild for asp.net core, I made a certificate import mydomain_com.pfx and made https binding to the desired domain by selecting a certificate for this domain. When I access the domain through http, everything works fine, when through https protocol, I get "HTTP Error 503. The service is unavailable." however, whatever the contents of the php site files or static html file, the result is the same err 503.

My experience with Windows Server for less than a week, found a log file with the following contents C:\Windows\System32\LogFiles\HTTPERR
2020-01-06 08:37:35 127.0.0.1 2031 127.0.0.1 443 HTTP/2 GET / 17 503 - N/A -
2020-01-06 08:50:21 127.0.0.1 2356 127.0.0.1 443 HTTP/1.1 GET / - 503 - N/A -

I noticed an interesting feature, everything works fine on the main server and the protocol is active, everything just happens on my laptop. Perhaps it matters, the server and laptop are on the same network, both behind a NAT router, port 443 and 80 were forwarded to the server.

Thank you!

hello every one 

Hi Everyone,

I've got an Exchange 2016 server that I'm using for webmail access as well as hosting our website.  I have a rewrite rule to redirect http traffic to https. 

<rule name="Redirect to HTTPS" stopProcessing="true"><match url="(.*)" /><conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions><action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" /></rule>

The rule works fine, however I'm running into issues with some of the services that run related to Exchange.  Powershell scripts connecting to exchange don't work and some other items I noticed in the log files.  I've posted some snippets from the logs below.  I guess my question, is there any modifications or tweaks to the rewrite rule that can be done that won't affect Exchange?  The only option I can think of is to create a separate site in IIS to move the regular website to and leave the default website with Exchange. 

2020-01-06 00:00:15 192.168.1.37 GET /powershell ping=probe&CorrelationID=<empty>; 443 - 192.168.1.37 - - 401 111 0 13

2020-01-06 00:00:25 127.0.0.1 GET /PowerShell/ &CorrelationID=<empty>; 443 - 127.0.0.1 AMProbe/Local/ClientAccess - 401 111 0 15

2020-01-06 23:59:58 fe80::5ddd:2033:9069:dd92%6 RPC_IN_DATA /rpc/rpcproxy.dll 45c1e908-7e0c-45fe-8022-8c37565c241d@domain.com:6001&CorrelationID=<empty>;&RequestId=ff81bd3b-231a-43da-90de-689d467a0755&cafeReqId=ff81bd3b-231a-43da-90de-689d467a0755; 443 - fe80::5ddd:2033:9069:dd92%6 MSRPC - 401 1 2148074254 1

2020-01-06 23:59:58 fe80::5ddd:2033:9069:dd92%6 RPC_OUT_DATA /rpc/rpcproxy.dll 45c1e908-7e0c-45fe-8022-8c37565c241d@domain.com:6001&CorrelationID=<empty>;&RequestId=68615a29-35b5-464f-b7e0-aa2261c1f380&cafeReqId=68615a29-35b5-464f-b7e0-aa2261c1f380; 443 - fe80::5ddd:2033:9069:dd92%6 MSRPC - 401 1 2148074254 0

Any suggestions or thoughts on other options?

Thanks in advance!

Josh

Unable to download the Web Platform product list. Check your network connection and try again. If the problem persists, report the issue on the Web Platform Installer forum at: http://go.microsoft.com/fwlink/?LinkId=145244.
Details:
'doctype' is an unexpected token. The expected token is 'DOCTYPE'. Line 1, position 3.

Unable to download the Web Platform product list. Check your network connection and try again. If the problem persists, report the issue on the Web Platform Installer forum at: http://go.microsoft.com/fwlink/?LinkId=145244.
Details:
'doctype' is an unexpected token. The expected token is 'DOCTYPE'. Line 1, position 3.

System.InvalidOperationException: Unable to download the Web Platform product list. Check your network connection and try again. If the problem persists, report the issue on the Web Platform Installer forum at: http://go.microsoft.com/fwlink/?LinkId=145244.
Details:
'doctype' is an unexpected token. The expected token is 'DOCTYPE'. Line 1, position 3. ---> System.Xml.XmlException: 'doctype' is an unexpected token. The expected token is 'DOCTYPE'. Line 1, position 3.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(String res, String[] args)
at System.Xml.XmlTextReaderImpl.ThrowUnexpectedToken(String expectedToken1, String expectedToken2)
at System.Xml.XmlTextReaderImpl.ParseDoctypeDecl()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
at System.Xml.XmlDocument.Load(XmlReader reader)
at Microsoft.Web.PlatformInstaller.LineInfoDocument.Load(XmlReader reader)
at System.Xml.XmlDocument.Load(TextReader txtReader)
at Microsoft.Web.PlatformInstaller.ProductManager.LoadDocument(String xmlPath)
at Microsoft.Web.PlatformInstaller.ProductManager.LoadFromXml(String xmlFile, Boolean loadEnclosures)
at Microsoft.Web.PlatformInstaller.ProductManager.Load(Uri productFileUrl, Boolean filterByArchitectureAndOS, Boolean loadEnclosures, Boolean useCachedVersion, String cacheDirectory, Architecture architecture, Int32 osType)
at Microsoft.Web.PlatformInstaller.ProductManager.LoadExternalFile(Uri uri)
at Microsoft.WebMatrix.Gallery.ProductManagerFactory.Create(Uri primaryFeed, IEnumerable`1 customFeeds, EventHandler`1 updateAvailableHandler)
at Microsoft.WebMatrix.Gallery.OnlineFeedLoader.Load()
at Microsoft.WebMatrix.Gallery.FeedLoader.EnsureLoaded()
at Microsoft.WebMatrix.Gallery.OnlineFeedLoader.get_ApplicationKeywordDictionary()
at Microsoft.WebMatrix.Gallery.WebMatrixProductService.get_ApplicationKeywordDictionary()
at Microsoft.WebMatrix.Gallery.DependencyServiceImpl.<EnsureFeedWithWaitDialogUIInternal>b__b()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of inner exception stack trace ---
at Microsoft.WebMatrix.Gallery.DependencyServiceImpl.EnsureFeedWithWaitDialogUIInternal(String waitDailogMessage)
at Microsoft.WebMatrix.Gallery.DependencyServiceImpl.<>c__DisplayClass9.<EnsureFeedWithWaitDialogUI>b__8()
at Microsoft.WebMatrix.Core.TaskServiceImplementation.<>c__DisplayClass19.<DispatcherInvoke>b__18()
at Microsoft.WebMatrix.Core.TaskServiceImplementation.DispatcherInvokeInternal[U](DispatcherPriority priority, Func`1 method)
at Microsoft.WebMatrix.Core.TaskServiceImplementation.DispatcherInvoke(DispatcherPriority priority, Action method)
at Microsoft.WebMatrix.Gallery.DependencyServiceImpl.EnsureFeedWithWaitDialogUI(String waitDailogMessage)
at Microsoft.WebMatrix.Gallery.WebMatrixProductDependency.GetDependencies(IEnumerable`1 dependencyIds, IServiceProvider serviceProvider)
at Microsoft.WebMatrix.Gallery.WebMatrixProductDependency.GetDependencies(DependencyTypes dependencyTypes, IServiceProvider serviceProvider)
at Microsoft.WebMatrix.Gallery.DependencyServiceImpl.EnsureDependencies(DependencyTypes dependencyTypes, String ensureDependenciesMessage)

Hello, 

1- My environment: I am running two PHP (Version 5.6.31) websites e.g.(website1&website2) on IIS 10 on windows server 2016. I have 3 PHP versions added to the Handler mapping. I have HTTP to HTTPS redirect rules added to both websites. 

2- My problem: After running the server for sometime for example 12 hours, website2 only, stops serving php content while it keeps serving html pages only. At the same timewebsite1 is serving php & html properly with no issues at all. Please note that everything runs fine at the initial state, this happen after sometime of website running.

3- Condition: *This problem happen to website2 only while it is being served onHTTPS ONLY, while the problem is solved while it is onHTTP. Problem only happening with website2 while website1 has no issue at all either cases.Website2 has more traffic than website1.

4- Extra information: as per google analytics for October 19 website1 has ( 94 Sessions & 409 Page Views)  whilewebsite2 has (7000+ Sessions & 15000+ Page Views)

5- IIS & browser behavior: I can see all php requests on IIS Worker Processes freezing forever. Browser keeps loading also for ever with no error code, just loading and loading.

6- Temporally solution: I am restating the whole IIS server to solve it, and it runs for sometime and then it happens again. Restating thewebsitse2 it self or the application pool forwebsite2 is not solving the problem at all. I have to restart the whole IIS server.

I not that much experienced with IIS and PHP and servers.

Please I need you help, I spend a lot of time asking here and there and hitting everywhere with no luck because I was not describing my problem properly. Today I figured how it behave by putting two pages one is pure html and the other one is pure PHP while the problem is happening.

Thank you in advance <3,

Hi,

We have an intermittent issue on our production windows server 2016 with IIS version 10 where one of the page fetch fails with SC-win32-status as 64 and next subsequent hits works fine though. 

Ex: 

2019-12-30 13:08:40 10.129.6.183 POST /eCI/XMSCall/CallStart.ashx - 80 - 10.129.96.61 OpenVXI/3.0 http://localhost/eCI/VXML/eONEMS_Inbound.vxml 200 0 64 22673

Everytime issue happens with this page which is POST resulting in SC-win32-status as 64. As per wireshark capture, issue seems to be on IIS end as we noticed IIS not sending an expect 100 - continue but for the next calls, we see IIS sending 100 continue. This issue we see happening on 4 of our production window servers.

Can you please help us resolve the issue?

Thanks

Hi there,

We have an application that is  using the IIS 8.5 FTP server for the ftp site for transferring files between the server and client. In some cases, we'll see the client has gone through all of the handshaking process and ready to be receiving the file. However, after some time, could be 30 seconds or couple of minutes, the ftp server would send status back to client indicating sc-status of 550, sc-win32-status of 995, and sc-substatus of 50. From the following site (https://support.microsoft.com/en-us/help/969061/the-ftp-7-0-status-codes-in-iis-7-0), the substatus code of 50 means: 

Data channel timed out due to not meeting the minimum bandwidth requirement.

But before and after this was happening, the client was able to successfully download other files in a whole file set (4 - 5 files). So how this would happen? And how we can resolve this? So far, we've only seen this issue in IIS 8.5 (Win 8.1). We've used the same applications on Win XP with older version of IIS; but we've never noticed this problem. 

Thanks for any helps I can get in advance!

Buonasera,

continua ad uscire questa scritta quando provo a scaricare gli elementi presenti sul mio sito in WebMatrix.

Come posso risolvere?

Impossibile scaricare l'elenco di prodotti dalla piattaforma Web. Verificare la connessione di rete e riprovare. Se il problema persiste, segnalarlo nel forum dell'Installazione guidata piattaforma Web all'indirizzo http://go.microsoft.com/fwlink/?LinkId=145244.
Dettagli:
'doctype' è un token imprevisto. Il toke previsto è 'DOCTYPE'. Riga 1, posizione 3.

Impossibile scaricare l'elenco di prodotti dalla piattaforma Web. Verificare la connessione di rete e riprovare. Se il problema persiste, segnalarlo nel forum dell'Installazione guidata piattaforma Web all'indirizzo http://go.microsoft.com/fwlink/?LinkId=145244.
Dettagli:
'doctype' è un token imprevisto. Il toke previsto è 'DOCTYPE'. Riga 1, posizione 3.

System.InvalidOperationException: Impossibile scaricare l'elenco di prodotti dalla piattaforma Web. Verificare la connessione di rete e riprovare. Se il problema persiste, segnalarlo nel forum dell'Installazione guidata piattaforma Web all'indirizzo http://go.microsoft.com/fwlink/?LinkId=145244.
Dettagli:
'doctype' è un token imprevisto. Il toke previsto è 'DOCTYPE'. Riga 1, posizione 3. ---> System.Xml.XmlException: 'doctype' è un token imprevisto. Il toke previsto è 'DOCTYPE'. Riga 1, posizione 3.
in System.Xml.XmlTextReaderImpl.Throw(Exception e)
in System.Xml.XmlTextReaderImpl.Throw(String res, String[] args)
in System.Xml.XmlTextReaderImpl.ThrowUnexpectedToken(String expectedToken1, String expectedToken2)
in System.Xml.XmlTextReaderImpl.ParseDoctypeDecl()
in System.Xml.XmlTextReaderImpl.ParseDocumentContent()
in System.Xml.XmlTextReaderImpl.Read()
in System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
in System.Xml.XmlDocument.Load(XmlReader reader)
in Microsoft.Web.PlatformInstaller.LineInfoDocument.Load(XmlReader reader)
in System.Xml.XmlDocument.Load(TextReader txtReader)
in Microsoft.Web.PlatformInstaller.ProductManager.LoadDocument(String xmlPath)
in Microsoft.Web.PlatformInstaller.ProductManager.LoadFromXml(String xmlFile, Boolean loadEnclosures)
in Microsoft.Web.PlatformInstaller.ProductManager.Load(Uri productFileUrl, Boolean filterByArchitectureAndOS, Boolean loadEnclosures, Boolean useCachedVersion, String cacheDirectory, Architecture architecture, Int32 osType)
in Microsoft.Web.PlatformInstaller.ProductManager.LoadExternalFile(Uri uri)
in Microsoft.WebMatrix.Gallery.ProductManagerFactory.Create(Uri primaryFeed, IEnumerable`1 customFeeds, EventHandler`1 updateAvailableHandler)
in Microsoft.WebMatrix.Gallery.OnlineFeedLoader.Load()
in Microsoft.WebMatrix.Gallery.FeedLoader.EnsureLoaded()
in Microsoft.WebMatrix.Gallery.OnlineFeedLoader.get_ApplicationKeywordDictionary()
in Microsoft.WebMatrix.Gallery.WebMatrixProductService.get_ApplicationKeywordDictionary()
in Microsoft.WebMatrix.Gallery.DependencyServiceImpl.<EnsureFeedWithWaitDialogUIInternal>b__b()
in System.Threading.Tasks.Task.InnerInvoke()
in System.Threading.Tasks.Task.Execute()
--- Fine della traccia dello stack dell'eccezione interna ---
in Microsoft.WebMatrix.Gallery.DependencyServiceImpl.EnsureFeedWithWaitDialogUIInternal(String waitDailogMessage)
in Microsoft.WebMatrix.Gallery.DependencyServiceImpl.<>c__DisplayClass9.<EnsureFeedWithWaitDialogUI>b__8()
in Microsoft.WebMatrix.Core.TaskServiceImplementation.<>c__DisplayClass19.<DispatcherInvoke>b__18()
in Microsoft.WebMatrix.Core.TaskServiceImplementation.DispatcherInvokeInternal[U](DispatcherPriority priority, Func`1 method)
in Microsoft.WebMatrix.Core.TaskServiceImplementation.DispatcherInvoke(DispatcherPriority priority, Action method)
in Microsoft.WebMatrix.Gallery.DependencyServiceImpl.EnsureFeedWithWaitDialogUI(String waitDailogMessage)
in Microsoft.WebMatrix.Gallery.WebMatrixProductDependency.GetDependencies(IEnumerable`1 dependencyIds, IServiceProvider serviceProvider)
in Microsoft.WebMatrix.Gallery.WebMatrixProductDependency.GetDependencies(DependencyTypes dependencyTypes, IServiceProvider serviceProvider)
in Microsoft.WebMatrix.Gallery.DependencyServiceImpl.EnsureDependencies(DependencyTypes dependencyTypes, String ensureDependenciesMessage)

Hi all,

I'll try and be brief, but a little background first.  I have Exchange 2016 installed on windows server 2016 with IIS 10.  I am using this server for exchange and webmail (webmail.domain.com).  I am also using this server for a lightly used website (domain.com). 

Since Exchange is using MAPI over http(s) for default Outlook connections vs. RPC in Exchange 2010 the IIS logs have A LOT more data and information in them than before.  As a possible solution I created a separate website in IIS to move (domain.com) to and then setup the default website to only respond to the address (webmail.domain.com).  This worked for static pages, but as I discovered there are other powershell and dynamic pages related to Exchange 2016 that link back to (domain.com).  So after I set this up Outlook Web Access no longer worked correctly and I was getting 404 errors in the log files of the new site I setup.

I guess my question is, is there anyway to set this configuration up where Exchange would be happy and OWA works properly?  Or is there a way to redirect or separate log traffic for (domain.com) to a separate log file so it can be more easily analyzed?  The only way I can think of making this work is to leave Exchange on the default website, create a separate website in IIS that responds to (sub.domain.com) and move the separate website (domain.com) to (sub.domain.com).

Any thoughts or feedback is appreciated!

Thanks

Josh

Hello everyone.

I need to create a Scheduled Task through an ASP page.

I have privilege as an Administrator and can even create a task, but when performing this task, nothing happens. I created a simple ASP script to send an email when the task was executed. Changing the user of this task to System in "When performing the task, use the following user account", the task runs perfectly. It seems that the user "Administrator" does not have all the privileges.

Follows code:

linha_exe ="""'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' \""Start-Process-FilePath https://url/envio.asp""""""

comando ="SCHTASKS /CREATE /TN ""teste"""/SC ONCE /F /RU ""Administrator""/RP ""******""/NP /RL HIGHEST /SD "07/01/2020"/ST "17:00:00"/TR "&linha_exe

Set objShell = CreateObject("WScript.Shell")
Set objExec = objShell.Exec("cmd /c " & comando)
Set objStdOut = objExec.StdOut

Could anyone tell me how to create this task to run as System?

Receiving the following error when trying to migrate between 2 IIS 10 servers (server 2016 to server 2019):

Error Code: ERROR_NOT_SUPPORTED
More Information: Server Name Indication (SNI) and Centralized SSL Certificates Support store (CCS) bindings are only supported on IIS 8 or later. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_NOT_SUPPORTED.
Error count: 1.

Both servers are IIS 10 or later and have identical installed services/features.

Please advise ASAP.

I am new to IIS .... changing over from Apache.

I have set up everything on a new server running Server 2019.  The website has been added but I can't get it to come up.

Ports are open (80 and 443) and IUSR has been added to the user group.

Checked the binding and the basic settings.  Everything seems to be correct...... but, I can't get it to come up in the browser. 

Also tried bringing it up using "LocalHost" without success.

Hoping someone can point me in the right direction.

Thanks

My usual tricks aren't helping. I've been managing two Windows 2008R2 web servers for a 8 years, with a Shared configuration on UNC path, that host about 3000 small web sites.

I am moving our sites to Windows 2019, UNC shared configuration, and roughly 2000 sites.

But, WAS will fail to start (or restart) with more than ~70 sites configured.

This occurs when I copy/paste valid XML into the shared applicationHost.config, or add sites via appcmd or New-WebSite

The applicationHost.config is almost 40k lines in length, properly formatted XML.

If this configuration is used LOCALLY, then WAS will restart nicely and all sites work!

If I put this shared configured on a UNC path, it will work UNTIL WAS restarts. I can bulk add many sites, they function, up until a WAS restart.

If I add comments blocks to disable applicationHost.config  between lines 1031 and and 38518, then WAS will start!

But when I comment out lines 1649 to 38518, then WAS fails with

net start was

The Windows Process Activation Service service is starting.
The Windows Process Activation Service service could not be started.

A system error has occurred.

System error 5 has occurred.

Access is denied.

Event viewer says...
Event ID 5189
The Windows Process Activation Service failed to generate an application pool config file for application pool '*'. The error type is '0'. To resolve this issue, please ensure that the applicationhost.config file is correct and recommit the last configuration changes made. The data field contains the error number.

Procmon shows ACCESS DENIED on C:\inetpub\temp\appPools\APCD26B.tmp

BUT I have allowed the IUSR specified to have Modify permission on this folder.

Last weird clue... the intent is to have \\web1 and \\web2 used the Shared Config on \\unc

When the shared config is on \\unc, both servers suffer this error with larger applicationHost.config, but work ok with smal shared config.

BUT if I place the shared config on \\web1, and have \\web1 used shared config on its own share, WAS can start on \\web1 with all sites enabled!

But WAS will fail on \\web2, pointing to shared config on \\web1

It almost feels like an obscure XML parsing failure over UNC with a larger file. I am hoping there is some other avenue to be suggested. Ideas?

Thanks!

I have tried to add ASP.NET Component in IIS 6.1 From the Control Panel, click Programs and then click Turn Windows features on or off which is listed under Programs and Features, Checked IIS options. While it is saving getting following error :

An error has occurred. Not all of the features were successfully changed

What are the Security risks of giving write access to IIS_IUSRS group or custom identity account on the Document Root or a sub folder? 

I was writing a security SOP and asking my app team to avoid writing anything with in Document Root or its Sub folder, but use a different folder out of Document Root. But wanted to know what the Community Members view was. 

Couple reasons that popped in my head:
- If the files being written in DocumentRoot/Sub Folder becomes accessible over the web (more risk when the URL pattern is guessable).  
- If there is any upload facility, end users can upload malicious asp/aspx files and execute in our servers.  (i can imagine the asp/aspx page to do a lot of damage - unauthorized access of data/tamper the data/delete it)

thanks in advance