IIS 7 built-in accounts and application pools

Source: Internet
Author: User

In IIS versions earlier than IIS 7, a local account named IUSR_machinename is created during installation. Once anonymous authentication is enabled, IUSR_machinename is the default identity IIS uses, for both the FTP and HTTP services. There is also a group called IIS_WPG, which is the container for all application pool accounts. During IIS installation, every required system resource must be granted appropriate permissions for IIS_WPG; when an administrator later creates a new application pool account, the new account (ID) only needs to be added to this group.

This model works well, but like any other design it has shortcomings. The main drawback is that the IUSR_machinename account and the IIS_WPG group are both local to the system on which they are created. In Windows, every account or group has a unique number called a SID (Security Identifier) that differs from every other account or group, so an account with the same name on another server is a different identity.

In IIS 7.0:

1. The IUSR built-in account replaces the IUSR_machinename account.
2. The IIS_IUSRS built-in group replaces the IIS_WPG group.

Because IUSR is a built-in account, it no longer requires a password. Logically, you can think of it as being like the NetworkService or LocalService account.

The application pool (the w3wp.exe worker process) runs as the user we specify. IIS needs this identity to access system and network resources: reading and writing disk, executing certain system functions, accessing the registry, and reaching network resources. By default, IIS uses the Network Service account. This account has limited access to the Web server and the network, but sufficient permissions to run a standard Web site.

IIS 7.0 provides three built-in accounts, and you can also create custom accounts. The built-in accounts are Network Service, Local Service, and Local System.

    1. The default identity of an application pool is the built-in Network Service account. Network Service has only the minimum access permissions to the local computer and to network resources.
    2. The built-in Local Service account cannot access network resources as Network Service can, but it has permissions on local resources similar to those of Network Service.
    3. The built-in Local System account has full access to the local system. Avoid using it for application pools wherever possible: if an unauthorized user browses a website on the server, or uploads his or her own content, and the application pool runs as Local System, that user can perform any operation on the Web server.

If you need to access a network resource using the application pool identity, create a custom domain user and assign it as the application pool's identity. Then any program running under the application pool's identity accesses network resources as this custom user.

Creating an application pool for each website is a reasonable deployment method, especially when you need to run multiple web sites on one server. It ensures that each web application runs only in its own process, so that if one application fails it does not affect the other websites.
The application pool should be recycled from time to time to resolve application hangs. Recycling also lets you reload a website when a new file has been added and IIS has not detected the change.
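The two recommendations above (never run a pool as Local System; give each site its own pool) can be checked against applicationHost.config. The following is an added audit script, not part of the original article or of IIS; it parses a constructed config fragment (the pool names, site names and the CORP\svc_reports account are made up) and reports pools whose effective identity is LocalSystem and pools shared by more than one site.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of IIS's applicationHost.config
# (%windir%\System32\inetsrv\config\applicationHost.config); not a real server's file.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="IntranetPool">
        <processModel identityType="LocalSystem" />
      </add>
      <add name="ReportsPool">
        <processModel identityType="SpecificUser" userName="CORP\\svc_reports" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
    <sites>
      <site name="Default Web Site"><application path="/" applicationPool="DefaultAppPool" /></site>
      <site name="Intranet"><application path="/" applicationPool="IntranetPool" /></site>
      <site name="Wiki"><application path="/" applicationPool="IntranetPool" /></site>
      <site name="Reports"><application path="/" applicationPool="ReportsPool" /></site>
    </sites>
  </system.applicationHost>
</configuration>"""

def pool_identities(config_xml):
    """Map pool name -> effective identity; a pool without its own processModel
    inherits identityType from applicationPoolDefaults (NetworkService if unset)."""
    pools = next(ET.fromstring(config_xml).iter("applicationPools"))
    default_pm = pools.find("applicationPoolDefaults/processModel")
    default_identity = default_pm.get("identityType", "NetworkService") if default_pm is not None else "NetworkService"
    result = {}
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        identity = pm.get("identityType", default_identity) if pm is not None else default_identity
        if identity == "SpecificUser":          # custom account: record which user
            identity = "SpecificUser:" + pm.get("userName", "?")
        result[pool.get("name")] = identity
    return result

def audit(config_xml):
    """Return findings: LocalSystem pools first, then pools shared by several sites."""
    root = ET.fromstring(config_xml)
    findings = [f"pool '{n}' runs as LocalSystem (full access to the server)"
                for n, ident in pool_identities(config_xml).items() if ident == "LocalSystem"]
    sites_by_pool = {}
    for site in root.iter("site"):
        for app in site.findall("application"):
            sites_by_pool.setdefault(app.get("applicationPool"), set()).add(site.get("name"))
    for pool, sites in sorted(sites_by_pool.items()):
        if len(sites) > 1:
            findings.append(f"pool '{pool}' is shared by {len(sites)} sites: {', '.join(sorted(sites))}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```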
