Why "NETWORK SERVICE" doesn't have permission on "C:\inetpub\wwwroot" by default?

I grant permission to NETWORK SERVICE manually to have access to C:\inetpub\wwwroot so ASP.NET can do something like reading and writing local files.

Is there a security reason this pe开发者_如何学JAVArmission has not been granted by default ?

It is due to the principle of defence in depth - not giving permissions unless explicitly granted.

Such defaults make for a more secure IIS and operating system.

Several years ago Microsoft went through a very large push towards securing windows by default - this setting is part of that push.

Per this article on MSDN:

The Network Service account has Read and Execute permissions on the IIS server root folder by default. The IIS server root folder is named Wwwroot. This means that an ASP.NET application deployed inside the root folder already has Read and Execute permissions to its application folders. However, if your ASP.NET application needs to use files or folders in other locations, you must specifically enable access.

usually on the web server just few folders are allowed to write to avoid potential security holes.