The mysterious ApplicationPoolIdentity: no more worrying about application pool security

Source: Internet
Author: User

In IIS 7 and IIS 7.5 we can set a special identity (user account) for an application pool: ApplicationPoolIdentity. So what exactly does this identity mean, and what is it? I'll give you the answer.

With this setting, a user identity is generated dynamically when the application pool starts; it only has access to the root of the web site, which further improves the security of the server.

As an administrator or developer, you need to understand how this setting behaves.

Video Address

http://www.tudou.com/programs/view/9R-5nGHQLvg/

Text notes:

In IIS 7.5 (supported only on Win7, Win2008 SP2 and Win2008 R2), the account an application pool runs under can be, in addition to the three basic built-in types LocalService, LocalSystem and NetworkService, the new ApplicationPoolIdentity.

This is what the official Win7 help says:

ApplicationPoolIdentity – By default, the application pool identity account is selected. The application pool identity account is created dynamically when the application pool is started, so this account is the safest for your application.

In other words, the "ApplicationPoolIdentity" account is a "virtual" account created dynamically by the system (virtual in the sense that it cannot be seen in user management as a user or group, and it does not show up when you run NET USER at the command line, but the account really does exist).

How do I verify that the account really exists? Open Task Manager and observe:

w3wp.exe, the IIS worker process, is shown running under an account named luckty (note that luckty here is the name of the application pool in the screenshot).
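The same three observations can be made without Task Manager. The following PowerShell script is an added example, not part of the original post: it shows that net user does not list the account, that the name IIS AppPool\<pool name> nevertheless resolves to a SID (application pool virtual accounts get SIDs under S-1-5-82), and that the w3wp.exe worker process runs under that name. It assumes an application pool named luckty exists; the process listing needs an elevated prompt and PowerShell 4.0 or later.

```powershell
# Added example, not from the original post. Assumes an application pool named
# "luckty" exists; the process listing needs an elevated prompt (PowerShell 4.0+).
$poolName = 'luckty'
$poolAcct = "IIS AppPool\$poolName"

# 1. "net user" does not list the virtual account (this is the "invisible" part).
$listed = @(net user | Select-String -Pattern "\b$poolName\b")
"net user lists ${poolName}: $($listed.Count -gt 0)"

# 2. Yet the name resolves to a SID, so the security principal really exists.
#    Application pool virtual accounts have SIDs of the form S-1-5-82-...
$account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $poolAcct
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
"SID of ${poolAcct}: $($sid.Value)"
if ($sid.Value -like 'S-1-5-82-*') { 'This is an application pool virtual account.' }

# 3. The running worker process carries the pool name as its user name,
#    which is exactly what the Task Manager screenshot shows.
Get-Process -Name w3wp -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Id, UserName
```

The SID check is the reliable test: the name lookup succeeds only because the account exists as a real principal, even though no user-management tool displays it.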


Okay, what is the use of figuring this out?

First let's do a test: for example, we create a new site in IIS with its home directory set to C:\2\ and its application pool set to the luckty pool from the screenshot.

Suppose we write this line of code in the site's Default.aspx.cs:

using System.IO;
File.AppendAllText("C:\\TestDir\\1.txt", DateTime.Now.ToString());

The prerequisite is that the directory C:\TestDir has been created on the C: drive beforehand, and that all permissions on it have been removed except Full Control for Administrators and SYSTEM.

When the page runs, an exception is raised: access to the path "C:\TestDir\1.txt" is denied.

The reason is obvious: the site runs under the virtual account corresponding to its application pool (luckty), and that virtual account has no access to C:\TestDir.

This arrangement is very common in web server (IIS6) security configuration. For example, the directory that receives uploaded images is often placed outside the home directory and attached to the site as a virtual directory, and in IIS6 that directory is given no execute permissions at all, so that even if someone illegally uploads an asp/aspx trojan, it will not run!

Back to the point. To let that line of test code run normally, the solution is very simple: add the virtual account to the folder's security permissions. The problem is that this virtual account is not visible to us; if you directly add a user named luckty to the folder's security settings, it simply fails ("Luckty user not found"), because the virtual account's name is not "luckty".


Key point: manually enter IIS AppPool\luckty (that is, IIS AppPool\<application pool name>), then click OK, and it works.


Of course, besides "IIS AppPool\<application pool name>", Windows also has a special built-in user group, Authenticated Users; adding this group to TestDir's security permissions also works, but personally I feel it is not as precise as "IIS AppPool\<application pool name>".
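The test setup and the fix described above, as an added PowerShell example that is not part of the original post. It assumes the pool name luckty and the directory C:\TestDir from the post and an elevated prompt; granting the Modify right is my choice (the post does not say which right to grant), and the closing comment on Authenticated Users reflects the comparison made above.

```powershell
# Added example, not from the original post. Assumptions: application pool
# "luckty", test directory C:\TestDir, run from an elevated PowerShell prompt.
$poolName = 'luckty'
$dir      = 'C:\TestDir'
$poolAcct = "IIS AppPool\$poolName"

# Rules apply to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function New-Rule([string]$Trustee, [string]$Rights) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Trustee, $Rights, $inherit, $prop, 'Allow'
}

# Step 1, the post's test setup: create the directory, cut inheritance and keep
# only Administrators and SYSTEM with Full Control. With this ACL in place the
# site's File.AppendAllText call fails with "access to the path ... is denied".
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$acl = Get-Acl -Path $dir
$acl.SetAccessRuleProtection($true, $false)            # drop inherited entries
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
Set-Acl -Path $dir -AclObject $acl

# Step 2, the fix: grant the pool's own virtual account by its real name.
# Modify is enough to create and append to 1.txt and is narrower than Full
# Control; naming the single pool is narrower than "Authenticated Users",
# which would also admit every other application pool and every logged-on
# user on the machine.
$acl = Get-Acl -Path $dir
$acl.AddAccessRule((New-Rule $poolAcct 'Modify'))
Set-Acl -Path $dir -AclObject $acl

# Verify: exactly three explicit entries, one of them "IIS AppPool\luckty".
(Get-Acl -Path $dir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

After step 2 the page's AppendAllText call succeeds, while any other application pool on the same server still gets "access denied" for C:\TestDir, which is the per-site isolation the post is after.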


Conclusion:
In traditional IIS6, to separate site permissions on the same server (to prevent trojans), you had to create a pile of IUSR_xxx and IWAM_xxx accounts, assign them passwords, and then allocate them site by site, which was exhausting! The IIS7.5 virtual account design makes this kind of management much easier, and there is no need to worry about passwords being too simple or expiring. So what are you waiting for? Hurry up and upgrade to Win7/Win2008 R2!

