IIS 7.5 application pools and the new "virtual account" identity (Windows Server)

Source: Internet
Author: User
Tags pack wrapper ntfs permissions

Starting with Windows 7 and Windows Server 2008 R2, two new special account types were added: "managed service accounts" and "virtual accounts". Their purpose is to isolate the various network services from one another and so improve security. Today I will focus on the practical use of virtual accounts together with IIS 7.5.

To configure IIS properly you must understand the relationship between an application pool and its identity. As everyone knows, the default application pool identity in both IIS 6 and IIS 7 is the built-in NETWORK SERVICE account. But NETWORK SERVICE is not used only by IIS: many other network-related services on the same machine also run under the NETWORK SERVICE identity, the SQLEXPRESS service for example.

This also means that even if IIS itself is never compromised, any other network service that runs as NETWORK SERVICE can, once compromised, affect the operation of IIS, although you may never notice it. The converse is worse: if a trojan or web shell is planted in IIS, the attacker, acting as NETWORK SERVICE, can download your SQLEXPRESS database backup files, delete those backups, download or delete databases you have temporarily detached, or even upload a replacement database, and you will have no idea what happened.
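To see how much of your own machine shares that one token, the following audit script lists the Windows services and the IIS application pools that still run as NETWORK SERVICE. It is an added example, not part of the original post; it assumes IIS 7.x with the WebAdministration PowerShell module and an elevated PowerShell session, and the property names used for the pool identity (processModel.identityType) are those exposed by that module.

```powershell
# Added example (not from the original post): audit which Windows services and which
# IIS application pools share the NETWORK SERVICE identity on this machine.
# Assumes IIS 7.x with the WebAdministration module, run from an elevated PowerShell.
Import-Module WebAdministration

# Services configured to log on as NETWORK SERVICE (WMI reports the name in either spelling).
$netSvcNames = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')
$sharedServices = Get-WmiObject Win32_Service |
    Where-Object { $netSvcNames -contains $_.StartName } |
    Select-Object Name, State, StartName

# Application pools whose identity is still NetworkService rather than
# ApplicationPoolIdentity (the per-pool virtual account).
$sharedPools = Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'NetworkService' } |
    Select-Object Name, State

"Services running as NETWORK SERVICE:"
$sharedServices | Format-Table -AutoSize

"Application pools running as NetworkService:"
$sharedPools | Format-Table -AutoSize

# Every pool in the second list runs with the same token as every service in the first
# list, so a web shell in one of those pools can touch the files of, say, a SQLEXPRESS
# instance, which is exactly the scenario described above.
if ($sharedPools -and $sharedServices) {
    "{0} pool(s) share the NETWORK SERVICE token with {1} service(s)." -f `
        @($sharedPools).Count, @($sharedServices).Count
}
```

Run it before and after switching pools to ApplicationPoolIdentity; the second list should be empty afterwards, while the first list shows which services a pool used to be indistinguishable from.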

For reasons of time and space I cannot say much more here; given the chance I could do a live demonstration that would open your eyes. Information security really is a deep subject, and anyone who does not understand the details and the underlying principles is always looking at flowers through a fog.

With virtual accounts, the various network services no longer need to share the single NETWORK SERVICE identity. Even within one IIS installation, each application pool can run its web application under its own separate virtual account. The worker process (w3wp.exe) of each pool therefore runs under a completely distinct identity, and the files and directories each site operates on can be protected with NTFS permissions granted to that identity alone, so a compromise of one worker process has the smallest possible impact on the system and on the files of the other worker processes. Very worthwhile!

First, let's look at the [Advanced Settings] of the DefaultAppPool application pool in IIS 7.5.

Here you will see the new ApplicationPoolIdentity built-in account type in IIS 7.5; this is the special "virtual account" for application pools.

When our ASP.NET application needs to upload or write files on the web server, we have to set NTFS permissions on the directory so that the worker process can write to it. In the past we granted them to the NETWORK SERVICE account; now we have to grant them to a special "virtual account" instead. When setting permissions, a virtual account cannot be selected by browsing; you can only type the account name manually. The virtual account of an IIS application pool is written as "IIS AppPool\<application pool name>": the built-in pool's account is "IIS AppPool\DefaultAppPool", and if you add a new application pool named MyAppPool, its virtual account is written "IIS AppPool\MyAppPool".

As shown below, when setting NTFS permissions you need to type the virtual account name manually in the Select Users dialog.

When you click [Check Names], the name becomes underlined, which means the "virtual account" has resolved successfully:

Finally, let's look at the worker process (w3wp.exe) in [Task Manager]: its user name is shown as DefaultAppPool, the identity of the virtual account.

I think the concept of virtual accounts is really great. In future, when you host multiple sites, you no longer need to add a pile of meaningless local accounts or manage their passwords and expiration dates by hand, which also improves the manageability of the system. And when you do not need a virtual account, you can still choose the original NetworkService or specify a custom account as the identity.

---

Although virtual accounts shipped with Windows 7 and Windows Server 2008 R2, Windows Server 2008 also supports them once it is updated to Service Pack 2 (SP2). In my testing, though, Windows Server 2008 SP2 does support virtual accounts and does show the ApplicationPoolIdentity option in the application pool's [Advanced Settings] window in IIS 7, but in Windows Explorer

• Grant the IIS AppPool\DefaultAppPool virtual account Full Control on the uploadfiles directory with icacls (the account name is typed manually; there must be no space before the F):

    icacls uploadfiles /grant "IIS AppPool\DefaultAppPool":F
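The following script carries the whole procedure described above through in one place: create a dedicated application pool, set its identity to ApplicationPoolIdentity, grant the pool's virtual account rights on a single upload directory via icacls, and then perform the same check Task Manager gives you by listing each w3wp.exe with the identity it runs under. It is an added example and not code from the original post. The pool name MyAppPool, the site "Default Web Site", the application path C:\inetpub\wwwroot\myapp and its uploadfiles sub-directory are all hypothetical; the script assumes IIS 7.5 with the WebAdministration module and an elevated PowerShell 2.0 or later session. It grants Modify rather than the Full Control used above, because Modify is sufficient for uploads and does not let the worker process change the directory's permissions.

```powershell
# Added example (not from the original post): isolate one ASP.NET application in its own
# application pool, grant its virtual account rights on one upload directory only, and
# verify which identity each w3wp.exe worker process actually runs as.
# Assumptions: IIS 7.5 with the WebAdministration module, an existing "Default Web Site",
# and a hypothetical application at C:\inetpub\wwwroot\myapp. Run elevated.
Import-Module WebAdministration

$poolName  = 'MyAppPool'                       # hypothetical pool name
$appPath   = 'C:\inetpub\wwwroot\myapp'         # hypothetical application path
$uploadDir = Join-Path $appPath 'uploadfiles'
$account   = "IIS AppPool\$poolName"            # virtual account name: IIS AppPool\<pool name>

# 1. Create the pool and make its identity explicit. processModel.identityType 4 is
#    ApplicationPoolIdentity; 2 would be NetworkService, the IIS 6 / IIS 7 default.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 4

# 2. Bind the application to that pool so its code runs under the virtual account.
if (-not (Test-Path "IIS:\Sites\Default Web Site\myapp")) {
    New-WebApplication -Name 'myapp' -Site 'Default Web Site' `
        -PhysicalPath $appPath -ApplicationPool $poolName | Out-Null
}

# 3. Grant NTFS rights on the upload directory only. The object picker cannot browse
#    virtual accounts, but icacls resolves the typed name. (OI)(CI) inherit the ACE to
#    files and sub-folders; M (Modify) covers uploads and is narrower than F.
if (-not (Test-Path $uploadDir)) { New-Item -ItemType Directory -Path $uploadDir | Out-Null }
icacls $uploadDir /grant "${account}:(OI)(CI)M"

# 4. Confirm the ACE landed on the right principal. Virtual account SIDs start with S-1-5-82.
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ace = (Get-Acl $uploadDir).Access | Where-Object { $_.IdentityReference.Value -eq $account }
"ACE for {0} ({1}): {2}" -f $account, $sid.Value, ($ace | ForEach-Object { $_.FileSystemRights })

# 5. The same check as Task Manager's User Name column: list every worker process with
#    its owner. A pool on a virtual account reports Domain 'IIS APPPOOL' and User = pool
#    name. w3wp.exe only appears after the pool has served its first request.
Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    $pool  = if ($_.CommandLine -match '-ap "([^"]+)"') { $Matches[1] } else { '?' }
    New-Object PSObject -Property @{
        PID  = $_.ProcessId
        Pool = $pool
        User = "$($owner.Domain)\$($owner.User)"
    }
} | Format-Table PID, Pool, User -AutoSize
```

After browsing to the application once, the final table should show a w3wp.exe whose Pool is MyAppPool and whose User is IIS APPPOOL\MyAppPool, while pools left on NetworkService still show NT AUTHORITY\NETWORK SERVICE. Step 4 is the scripted equivalent of the [Check Names] underline: if the name did not resolve, the Translate call throws and nothing is granted.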

RELATED LINKS

    • Service Accounts Step-by-Step Guide
    • Application Pool Identities
    • IIS7 in Windows Server 2008 R2
    • Service Pack 2 for Windows Server 2008 and Windows Vista
    • IIS 7 Technical Articles List
    • New in IIS 7: App Pool Isolation
    • What is your AppPool running as?
    • Display Virtual User Accounts in Permission Dialog | Microsoft Connect
