Application pool identity

on 28.10.2007 18:21:56 by massimo

What exactly is the purpose of configuring IIS 6's application pools to run
under user accounts different from "network service"? It doesn't seem to
have any impact on ASP pages, as they are always executed under the user
account which is actually accessing the page.

If IIS is configured to allow anonymous access to a website using an account
called "AccountA" and the application pool used by the website is configured
to run using an account called "AccountB", an ASP page gets executed with
AccountA's credentials; I have verified this with pages that access a SQL
Server database using Windows integrated authentication, by only allowing
AccountA to login to the database.

So, what's the purpose of the application pool identity? What is actually
done with this account's credentials? How does it impact security on a web
server which is hosting several websites?


Massimo

Re: Application pool identity

on 29.10.2007 06:07:01 by Ken Schaefer

Hi,

ASP.NET content (and other types of content) are processed using the web
application pool's identity (when impersonation is not enabled)

Classic ASP files and files handled by the IIS static file handler always
have "impersonation" enabled, and will be accessed by either the configured
Anonymous User account, or the account entered by the end user.

Cheers
Ken


"Massimo" wrote in message
news:e6nLDcYGIHA.936@TK2MSFTNGP06.phx.gbl...
> What exactly is the purpose of configuring IIS 6's application pools to
> run under user accounts different from "network service"? It doesn't seem
> to have any impact on ASP pages, as they are always executed under the
> user account which is actually accessing the page.
>
> If IIS is configured to allow anonymous access to a website using an
> account called "AccountA" and the application pool used by the website is
> configured to run using an account called "AccountB", an ASP page gets
> executed with AccountA's credentials; I have verified this with pages that
> access a SQL Server database using Windows integrated authentication, by
> only allowing AccountA to login to the database.
>
> So, what's the purpose of the application pool identity? What is actually
> done with this account's credentials? How does it impact security on a web
> server which is hosting several websites?
>
>
> Massimo
>

Re: Application pool identity

on 29.10.2007 08:44:27 by massimo

"Ken Schaefer" wrote in message
news:elmVlmeGIHA.5544@TK2MSFTNGP02.phx.gbl...

> ASP.NET content (and other types of content) are processed using the
> web application pool's identity (when impersonation is not enabled)
>
> Classic ASP files and files handled by the IIS static file handler always
> have "impersonation" enabled, and will be accessed by either the configured
> Anonymous User account, or the account entered by the end user.

So the application pool identity only has a meaning when ASP.NET pages are
involved?
Is it safe to leave it as default, or do you recommend configuring each
application pool (which in my case is used by a different website) to use a
different identity?
Are there guidelines and best practices to manage this?


Massimo

Re: Application pool identity

on 30.10.2007 04:04:53 by Ken Schaefer

Hi,

Check the IIS Resource Kit (from Microsoft - available on the TechNet
website) for guidance on configuring these values.

If you need to strictly separate each website, then you will need to change
the identities. At the moment, code running in one process will be able to
access files that belong to the other process (because Network Service
requires access to the files). If you have two different groups of people
uploading content, and you want to prevent one group of users from being
able to read/alter the files of the other website, you'll need separate
identities (and appropriate CAS policies and NTFS permissions).

Microsoft also has a web hosting accelerator that provides guidance and
tools/scripts on configuring this.

Cheers
Ken

"Massimo" wrote in message
news:eApbf%23fGIHA.6068@TK2MSFTNGP05.phx.gbl...
> "Ken Schaefer" wrote in message
> news:elmVlmeGIHA.5544@TK2MSFTNGP02.phx.gbl...
>
>> ASP.NET content (and other types of content) are processed using the
>> web application pool's identity (when impersonation is not enabled)
>>
>> Classic ASP files and files handled by the IIS static file handler always
>> have "impersonation" enabled, and will be accessed by either the
>> configured Anonymous User account, or the account entered by the end user.
>
> So the application pool identity only has a meaning when ASP.NET pages are
> involved?
> Is it safe to leave it as default, or do you recommend configuring each
> application pool (which in my case is used by a different website) to use
> a different identity?
> Are there guidelines and best practices to manage this?
>
>
> Massimo
>
>
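
The per-site separation Ken describes (own worker-process identity, own anonymous account, NTFS permissions that exclude the other sites' accounts), as an added example that is not from the thread, the IIS Resource Kit or the hosting accelerator. It drives the IIS 6 metabase through ADSI and assumes: a site with metabase ID 1, content under D:\Sites\SiteA, and two already-created local accounts, svc_pool_siteA (worker process identity) and iusr_siteA (anonymous user). All of those names and the path are hypothetical. On IIS 6 a custom pool identity must be a member of IIS_WPG or w3wp.exe will not start under it; it does not need to be an administrator.

```powershell
# Added example, not the thread's or Microsoft's code. Hypothetical site ID,
# path and account names; run in an elevated shell on the IIS 6 host.
$siteId      = 1
$contentPath = 'D:\Sites\SiteA'
$poolName    = 'Pool_SiteA'
$poolAccount = 'svc_pool_siteA'
$anonAccount = 'iusr_siteA'
$poolUser    = "$env:COMPUTERNAME\$poolAccount"
$anonUser    = "$env:COMPUTERNAME\$anonAccount"
$poolPass    = Read-Host -Prompt "Password for $poolUser"
$anonPass    = Read-Host -Prompt "Password for $anonUser"

# 0. IIS 6 requires the worker-process identity to be in IIS_WPG (not Administrators).
$wpg = [ADSI]"WinNT://$env:COMPUTERNAME/IIS_WPG,group"
if (-not $wpg.IsMember("WinNT://$env:COMPUTERNAME/$poolAccount,user")) {
    $wpg.Add("WinNT://$env:COMPUTERNAME/$poolAccount,user")
}

# 1. Dedicated application pool. AppPoolIdentityType: 2 = NetworkService (the
#    shared default Ken warns about), 3 = the specific user in WAMUserName.
$pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
$pool  = $pools.Create('IIsApplicationPool', $poolName)
$pool.Put('AppPoolIdentityType', 3)
$pool.Put('WAMUserName', $poolUser)
$pool.Put('WAMUserPass', $poolPass)
$pool.SetInfo()

# 2. Put the site's root application in that pool and give the site its own
#    anonymous account, so anonymous classic ASP requests and context-less
#    events no longer run as the machine-wide IUSR_<machine> account.
$root = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
$root.Put('AppPoolId', $poolName)
$root.Put('AnonymousUserName', $anonUser)
$root.Put('AnonymousUserPass', $anonPass)
$root.SetInfo()

# 3. NTFS: stop inheriting from the parent, drop the inherited ACEs, and grant
#    only this site's two accounts (read/execute) plus admins and SYSTEM.
#    The other sites' pool and anonymous accounts get nothing here.
$acl = Get-Acl -Path $contentPath
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($principal in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, $none, 'Allow')))
}
foreach ($principal in @($poolUser, $anonUser)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'ReadAndExecute', $inherit, $none, 'Allow')))
}
Set-Acl -Path $contentPath -AclObject $acl

# 4. Check the result: only the four principals above should be listed.
(Get-Acl -Path $contentPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Two accounts per site rather than one are used on purpose: the anonymous account only needs to read the content and reach whatever the pages talk to (the database in the thread), while the pool identity additionally needs IIS_WPG membership and write access to its temporary directories. Keeping them separate means the anonymous context that runs the ASP code carries the smaller set of rights. Repeat the script with different names for each site; the point of step 3 is that SiteB's accounts are not on SiteA's ACL and vice versa, which is exactly what a shared Network Service identity cannot give you.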

Re: Application pool identity

on 30.10.2007 08:18:08 by massimo

"Ken Schaefer" wrote in message
news:%23q3d%23GqGIHA.4880@TK2MSFTNGP03.phx.gbl...

> If you need to strictly separate each website, then you will need to
> change the identities. At the moment, code running in one process will be
> able to access files that belong to the other process (because Network
> Service requires access to the files). If you have two different groups of
> people uploading content, and you want to prevent one group of users from
> being able to read/alter the files of the other website, you'll need
> separate identities (and appropriate CAS policies and NTFS permissions).

Thought about this, actually.
But the code is mainly classic ASP, and ASP pages are executed in the
context of the user actually accessing them, so maybe it's not so important;
I'll keep it in mind, anyway.

Thanks


Massimo

Re: Application pool identity

on 30.10.2007 10:41:57 by Ken Schaefer

"Massimo" wrote in message
news:utsBGUsGIHA.5752@TK2MSFTNGP02.phx.gbl...
> "Ken Schaefer" wrote in message
> news:%23q3d%23GqGIHA.4880@TK2MSFTNGP03.phx.gbl...
>
>> If you need to strictly separate each website, then you will need to
>> change the identities. At the moment, code running in one process will be
>> able to access files that belong to the other process (because Network
>> Service requires access to the files). If you have two different groups
>> of people uploading content, and you want to prevent one group of users
>> from being able to read/alter the files of the other website, you'll need
>> separate identities (and appropriate CAS policies and NTFS permissions).
>
> Thought about this, actually.
> But the code is mainly classic ASP, and ASP pages are executed in the
> context of the user actually accessing them, so maybe it's not so
> important; I'll keep it in mind, anyway.

In that case you should configure (at a very minimum) separate anonymous
user accounts (because context-less events, such as Application_OnEnd(), run
as this user, rather than an authenticated end user).

If someone is able to call RevertToSelf() (e.g. in a component that is
called from your page), and this runs inside the w3wp.exe process, then I believe
that the thread will revert to the process's starting identity (which will be
the application pool's identity).

Cheers
Ken
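
What Ken's two replies describe, impersonation on the request thread versus the identity the process started with, as an added example that is not from the thread. It does outside IIS what a component called from a classic ASP page could do inside w3wp.exe: log on a low-privilege account, impersonate it on the current thread, then call RevertToSelf() and look at which account the thread is running as at each step. It assumes a local test account named lowpriv (hypothetical) and uses the same Win32 calls IIS itself relies on (LogonUser, ImpersonateLoggedOnUser, RevertToSelf).

```powershell
# Added example, not the thread's code. Hypothetical local account "lowpriv";
# run from a shell whose own identity stands in for the application pool identity.
$signatures = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$native = Add-Type -MemberDefinition $signatures -Name NativeMethods -Namespace Demo -PassThru

# WindowsIdentity.GetCurrent() reports the thread token while impersonating,
# and the process token otherwise, so it shows exactly what an ASP page or a
# COM component would see when it opens a file or a SQL connection.
function Get-ThreadIdentity { [Security.Principal.WindowsIdentity]::GetCurrent().Name }

$LOGON32_LOGON_NETWORK_CLEARTEXT = 8   # the logon type IIS 6 uses by default for anonymous/basic
$LOGON32_PROVIDER_DEFAULT        = 0
$testUser = 'lowpriv'
$password = Read-Host -Prompt "Password for $env:COMPUTERNAME\$testUser"

$token = [IntPtr]::Zero
if (-not $native::LogonUser($testUser, $env:COMPUTERNAME, $password,
                            $LOGON32_LOGON_NETWORK_CLEARTEXT, $LOGON32_PROVIDER_DEFAULT, [ref]$token)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw (New-Object ComponentModel.Win32Exception($err))
}

try {
    # 1. Process identity: in IIS this is the application pool identity.
    "Process identity       : $(Get-ThreadIdentity)"

    # 2. Request thread impersonating the anonymous/authenticated user: what a
    #    classic ASP page runs as, and why Massimo's SQL test saw AccountA.
    if (-not $native::ImpersonateLoggedOnUser($token)) { throw 'ImpersonateLoggedOnUser failed' }
    "While impersonating    : $(Get-ThreadIdentity)"

    # 3. A component calling RevertToSelf() drops the impersonation token and
    #    the thread is back to the process identity, with all of its access.
    if (-not $native::RevertToSelf()) { throw 'RevertToSelf failed' }
    "After RevertToSelf()   : $(Get-ThreadIdentity)"
}
finally {
    [void]$native::CloseHandle($token)
}
```

The third line of output is the one that matters for a shared server: if several sites' pools all run as Network Service, a RevertToSelf() in any component loaded by one site lands in an identity that can read every other site's content, regardless of how carefully the per-site anonymous accounts were chosen. Giving each pool its own identity (and an NTFS ACL that lists only that identity) limits what the reverted thread can reach to that one site.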

Re: Application pool identity

on 30.10.2007 18:36:51 by massimo

"Ken Schaefer" wrote in message
news:%237Uc3ktGIHA.284@TK2MSFTNGP02.phx.gbl...

>> Thought about this, actually.
>> But the code is mainly classic ASP, and ASP pages are executed in the
>> context of the user actually accessing them, so maybe it's not so
>> important; I'll keep it in mind, anyway.
>
> In that case you should configure (at a very minimum) separate anonymous
> user accounts (because context-less events, such as Application_OnEnd(),
> run as this user, rather than an authenticated end user).

Already done; page access only happens anonymously, since no Windows
authentication is used, so there actually is a definite need for that.

> If someone is able to call RevertToSelf() (e.g. in a component that is
> called from your page), and this runs inside the w3wp.exe process, then
> I believe that the thread will revert to the process's starting identity
> (which will be the application pool's identity).

If I were to define separate application pool identities, should I create
wholly different user accounts, or could the anonymous accounts used by IIS
do the job?
Also, what kind of permissions/rights/group memberships do these accounts
need, besides (of course) read access to the ASP files and anything needed for
the ASP scripts to run (i.e. database access)?
I saw that the supplied default account (IWAM_MACHINENAME) is a member of the
Debugger Users group; is this actually needed? If the account I configure
isn't a member of this group, a COM error regarding the MDM component sometimes
gets logged in Windows' application event log.


Massimo