Application Pool Identities

Source: Internet
Author: User
Tags: classic asp

Introduction

Whether you are running your site on your own server or in the cloud, security must be at the top of your priority list. If so, you'll be happy to hear that IIS has a security feature called the application pool identity. This feature was introduced in Service Pack 2 (SP2) of Windows Server and Windows Vista. An application pool identity allows you to run an application pool under a unique account without having to create and manage domain or local accounts. The name of the application pool account corresponds to the name of the application pool. The image below shows an IIS worker process (w3wp.exe) running as the DefaultAppPool identity.

Application Pool Identity Accounts

Worker processes in IIS 6.0 and in IIS 7 run as Network Service by default. Network Service is a built-in Windows identity. It doesn't require a password and has only user privileges; that is, it is relatively low-privileged. Running as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.

However, a problem arose over time as more and more Windows system services started to run as Network Service. This was because services running as Network Service can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from the other Windows system services and run IIS worker processes under unique identities. The Windows operating system provides a feature called "virtual accounts" that allows IIS to create a unique identity for each of its application pools. Click here for more information about Virtual Accounts.

Configuring IIS Application Pool Identities

If you're running IIS 7.5 on Windows Server R2, or a later version of IIS, you don't have to do anything to use the new identity. For every application pool you create, the Identity property of the new application pool is set to ApplicationPoolIdentity by default. The IIS Admin Process (WAS) will create a virtual account with the name of the new application pool and run the application pool's worker processes under this account by default.

To use this virtual account when running IIS 7.0 on Windows Server, you have to change the Identity property of the application pool you create to ApplicationPoolIdentity. Here's how:

    1. Open the IIS Management Console (INETMGR.MSC).
    2. Open the Application Pools node underneath the machine node. Select the application pool you want to change to run under an automatically generated application pool identity.
    3. Right-click the application pool and select Advanced Settings...
    4. Select the Identity list item and click the ellipsis (the button with the three dots).
    5. The following dialog appears:
    6. Select the Built-in Account button, and then select the identity type ApplicationPoolIdentity from the combo box.

To do the same step from the command line, you can call the Appcmd command-line tool as follows:

%windir%\system32\inetsrv\appcmd.exe set AppPool <your AppPool> -processModel.identityType:ApplicationPoolIdentity
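The same change, plus an audit of which pools still share a built-in identity, as an added PowerShell example that is not part of the original article. It assumes the WebAdministration module that ships with IIS 7.5 and later, an elevated session, and a constructed pool name 'MyNewAppPool' for the remediation call.

```powershell
# Added example (not from the original article). Assumes the WebAdministration
# module (IIS 7.5+) and an elevated PowerShell session.
Import-Module WebAdministration

# Report every application pool whose worker processes do NOT run under the
# automatically generated virtual account, i.e. pools that still share an
# identity with other services (NetworkService, LocalService, LocalSystem)
# or run as a configured user (SpecificUser).
function Get-SharedIdentityAppPool {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $identity = $_.processModel.identityType
        if ($identity -ne 'ApplicationPoolIdentity') {
            [pscustomobject]@{
                Name         = $_.Name
                IdentityType = $identity
                # Only meaningful for SpecificUser; empty for built-in types.
                UserName     = $_.processModel.userName
            }
        }
    }
}

# Switch one pool to ApplicationPoolIdentity; equivalent to the appcmd call
# above. Recycle the pool so the running w3wp.exe gets the new token.
function Set-AppPoolVirtualIdentity {
    param([Parameter(Mandatory)][string]$PoolName)

    Set-ItemProperty -Path "IIS:\AppPools\$PoolName" `
        -Name processModel.identityType -Value ApplicationPoolIdentity
    Restart-WebAppPool -Name $PoolName
}

# Audit first; remediate a single pool (constructed name) once reviewed.
Get-SharedIdentityAppPool | Format-Table -AutoSize
# Set-AppPoolVirtualIdentity -PoolName 'MyNewAppPool'
```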

Securing Resources

Whenever a new application pool is created, the IIS management process creates a security identifier (SID) that represents the name of the application pool itself. For example, if you create an application pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows security system. From this point on, resources can be secured by using this identity. However, the identity isn't a real user account; it won't show up as a user in the Windows User Management Console.

You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).

    1. Open Windows Explorer.
    2. Select a file or directory.
    3. Right-click the file and select Properties.
    4. Select the Security tab.
    5. Click the Edit button and then the Add button.
    6. Click the Locations button and make sure that you select your computer.
    7. Enter IIS AppPool\DefaultAppPool in the "Enter the object names to select:" text box.
    8. Click the Check Names button and click OK.

By doing this, the selected file or directory will now also allow the DefaultAppPool identity access.

You can do this from the command line by using the ICACLS tool. The following example gives full access to the DefaultAppPool identity.

ICACLS test.txt /grant "IIS AppPool\DefaultAppPool":F

For more information, see ICACLS.
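Resolving the pool's SID and granting it a narrower permission than the :F in the ICACLS example, as an added PowerShell example that is not part of the original article. It assumes an elevated session on a host where DefaultAppPool exists; the content path is a constructed sample.

```powershell
# Added example (not from the original article). Assumes an elevated session;
# the content directory below is a constructed sample path.
$PoolName   = 'DefaultAppPool'
$ContentDir = 'C:\inetpub\wwwroot\myapp'

# The virtual account exists only in the local security system, so it is
# addressed through the "IIS AppPool\" pseudo-domain. Translate() throws
# when the pool does not exist, which doubles as a check that the pool name
# (and therefore the ACE you are about to add) is right.
function Get-AppPoolSid {
    param([Parameter(Mandatory)][string]$Name)
    $account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$Name")
    $account.Translate([System.Security.Principal.SecurityIdentifier])
}

# Grant read and execute only, inherited by files and subfolders. A worker
# process serving static or script content rarely needs to write to its own
# code, so start narrow and widen per folder (e.g. an upload directory).
function Grant-AppPoolReadAccess {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path
    )
    $sid  = Get-AppPoolSid -Name $Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Verify by listing the ACEs on the folder that belong to the pool's SID.
function Get-AppPoolAce {
    param([string]$Name, [string]$Path)
    $sid = Get-AppPoolSid -Name $Name
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
}

Grant-AppPoolReadAccess -Name $PoolName -Path $ContentDir
Get-AppPoolAce -Name $PoolName -Path $ContentDir | Format-List
```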

On Windows 7 and Windows Server R2, and later versions of Windows, the default is to run application pools as the application pool identity. To make this happen, a new identity type with the name "AppPoolIdentity" was introduced. If the "AppPoolIdentity" identity type is selected (the default on Windows 7 and Windows Server R2, and later), IIS will run worker processes as the application pool identity. With every other identity type, the security identifier is only injected into the access token of the process. If the identifier is injected, content can still be ACLed for the ApplicationPoolIdentity, but the owner of the token is probably not unique. Here's an article that explains this concept.

Accessing the Network

Using the Network Service account in a domain environment has a great benefit. Worker processes running as Network Service access the network as the machine account. Machine accounts are generated when a machine is joined to a domain. They look like this:

<domainname>\<machinename>$

For example:

mydomain\machine1$

The nice thing about this is that network resources like file shares or SQL Server databases can be ACLed to allow this machine account access.

What about application pool identities?

The good news is that application pool identities also use the machine account to access network resources. No changes are required.

Compatibility Issues with Application Pool Identities

The biggest compatibility issue with application pool identities is probably earlier guidance documents which explicitly recommend ACLing resources for Network Service, which is the default identity of the DefaultAppPool in IIS 6.0 and IIS 7.0. Customers will have to change their scripts to ACL for "IIS AppPool\DefaultAppPool" (or another application pool name) when running on IIS 7.5 or later (see the example above for how to do this).

User Profile

IIS doesn't load the Windows user profile, but certain applications might take advantage of it anyway to store temporary data. SQL Express is an example of an application that does. However, a user profile has to be created to store temporary data in either the profile's directory or in the registry hive. The user profile for the Network Service account is created by the system and is always available. However, with the switch to unique application pool identities, no user profiles are created by the system. Only the standard application pools (DefaultAppPool and Classic .NET AppPool) have user profiles on disk. No user profile is created if the administrator creates a new application pool.

However, if you want, you can configure IIS application pools to load the user profile by setting the LoadUserProfile attribute to "true".

Summary

Application pool identities are a powerful new isolation feature introduced for Windows Server, Windows Vista, and later versions of Windows. It will make running IIS applications even more secure and reliable.
