https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions

Here's an issue with IIS 7.5 and ASP.NET that I've been researching and getting nowhere with. Any help would be greatly appreciated.

My question is: using ASP.NET in IIS 7.5, how does IIS and/or the operating system allow the web application to write to a folder like C:\dump when running under full trust? How is it that I don't have to explicitly add write access for the application pool user (in this case ApplicationPoolIdentity)?

This much I know:

  • In IIS 7.5, the default Identity for an Application Pool is ApplicationPoolIdentity.
  • ApplicationPoolIdentity represents a Windows user account called "IIS APPPOOL\AppPoolName", which is created when the Application Pool is created, where AppPoolName is the name of the Application Pool.
  • The "IIS APPPOOL\AppPoolName" user is by default a member of the IIS_IUSRS group.
  • If you are running under Full Trust, your web application can write to many areas of the file system (excluding folders like C:\UsersC:\Windows, etc). For example, your application will have access to write to some folders, like, C:\dump.
  • By default, the IIS_IUSRS group is not given read or write access to C:\dump (at least not access that is visible through the "Security" tab in Windows Explorer).
  • If you deny write access to IIS_IUSRS, you will get a SecurityException when trying to write to the folder (as expected).

So, taking all of that into account, how is write access granted to the "IIS APPPOOL\AppPoolName" user? The w3wp.exe process runs as this user, so what allows this user to write to a folder it doesn't seem to have explicit access to?

Please note that I understand this was probably done for the sake of convenience, since it would be a pain to grant a user access to every folder it needs to write to if you are running under Full Trust. If you want to limit this access, you can always run the application under Medium Trust. I am interested in finding out about the way the operating system and/or IIS allows these writes to take place, even though there appears to be no explicit file system access granted.

====

The ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights.

For example, if you try and create a folder in the C:\Windows folder then you'll find that you can't. The ApplicationPoolIdentity still needs to be able to read files from the windows system folders (otherwise how else would the worker process be able to dynamically load essential DLL's).

With regard to your observations about being able to write to your c:\dump folder. If you take a look at the permissions in the Advanced Security Settings, you'll see the following:

See that Special permission being inherited from c:\:

That's the reason your site's ApplicationPoolIdentity can read and write to that folder. That right is being inherited from the c:\ drive.

====

In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the Users group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).

You would then individually assign the requisite permissions each IIS AppPool\[name] requires on it's site root folder.

You should also ensure that any folders you create where you store potentially sensitive files or data have the Users group removed. You should also make sure that any applications that you install don't store sensitive data in their c:\program files\[app name] folders and that they use the user profile folders instead.

So yes, on first glance it looks like the ApplicationPoolIdentity has more rights than it should, but it actually has no more rights than it's group membership dictates.

IIS AppPool\LiveWebChat   需要注意的是,这里必须写完整的。只写一部分是找不到的,比如IIS AppPool\Liv,这里只能精确匹配查找

====

An ApplicationPoolIdentity's group membership can be examined using the SysInternals Process Explorer tool. Find the worker process that is running with the Application Pool Identity you're interested in (you will have to add the User Name column to the list of columns to display:

Open ProcessExplorer\procexp64.exe as Administrator and find the w3wp.exe process.

Check the security tab

IIS application pool access desktop denied的更多相关文章

  1. SharePoint Error occurred in deployment step 'Recycle IIS Application Pool': 0x80070005:拒绝访问

    错误出现的前提:多个用户在一台机器上做开发,使用非系统管理员账号时会出现,因为一般创建网站集时指定管理员为系统管理员: 使用 Visual Studio 2010 部署时报错:Error occurr ...

  2. 【Azure 云服务】在Cloud Service的代码中如何修改IIS Application Pool的配置呢? 比如IdleTimeout, startMode, Recycling.PeriodicRestart.Time等

    什么是 PaaS?Platform as a Service 平台即服务 (PaaS) 是云中的完整开发和部署环境,你可以使用其中资源交付内容,从基于云的简单应用到启用云的复杂企业应用程序皆可.你以即 ...

  3. How do I create an IIS application and application pool using InnoSetup script

    Create an IIS application. Create a new IIS application pool and set it's .NET version to 4. Set the ...

  4. Application Pool Identities

    Whether you are running your site on your own server or in the cloud, security must be at the top of ...

  5. 如何在Windows 2003+IIS6的环境下找回应用程序池(application pool)中的服务账号密码

    上一篇文章说了说如何在Win2008+iis7中取出SharePoint管理账号密码的方法. 整个过程简单的讲,就是通过使用要找回密码的账号用来在SharePoint中创建一个临时的Web Appli ...

  6. 排错技能:任务管理器中追踪某w3wp.exe是哪个IIS站点的application pool

    如果Windows的任务管理器中发现某个w3wp.exe占用了100%CPU,那我们就要揪出这是那个网站的application pool在作怪, 首先,每个站点一定要单独使用各自的applicati ...

  7. Access is denied

    昨天有学习ASP.NET MVC的publish和IIS发行网站<简单的ASP.NET MVC发布>http://www.cnblogs.com/insus/p/4466200.html  ...

  8. Parser Error Message: Access is denied【转】

    PRB: Access Denied Error When You Make Code Modifications with Index Services Running View products ...

  9. 批量启动application pool

    在powershell中执行 Get-ChildItem IIS:\AppPools | where {$_.state -eq "Stopped"} | Start-WebApp ...

随机推荐

  1. 大数据学习——mapreduce共同好友

    数据 commonfriends.txt A:B,C,D,F,E,O B:A,C,E,K C:F,A,D,I D:A,E,F,L E:B,C,D,M,L F:A,B,C,D,E,O,M G:A,C,D ...

  2. 实现List集合中数据逆序排列

    Collections.reverse(list); 实现list集合逆序排列

  3. asp.net 页面缓存、数据缓存

    页面缓存,webform框架的aspx页面,服务器引擎生成的页面可以被缓存.

  4. 在oracle下我们如何正确的执行数据库恢复

    标签:oracle 数据库 恢复 原创作品,允许转载,转载时请务必以超链接形式标明文章 原始出处 .作者信息和本声明.否则将追究法律责任.http://jiujian.blog.51cto.com/4 ...

  5. LeetCode:不同路径&不同路径II

    不同路径一个机器人位于一个 m x n 网格的左上角 (起始点在下图中标记为“Start” ). 机器人每次只能向下或者向右移动一步.机器人试图达到网格的右下角(在下图中标记为“Finish”). 问 ...

  6. hdu 2126背包问题

    /*有n件物品,旅客一共有m块大洋.第一个问题,旅客最多可以买多少件物品?请注意,这里是多少件,不是价值最大.所以这个非常好求,将所有的物品按照价值排序,先买便宜的,再买贵的.贪心的思想.这个地方有些 ...

  7. Ubuntu启用IPv6上google的方法

    Pv6就是我们通常所说的互联网协议,是TCP/IP的核心协议,那么在Linux下如何开启IPv6呢?下面以Ubuntu为例,给大家介绍下Ubuntu启用IPv6的方法. 方法: $sudo apt-g ...

  8. [codevs] 1699 开关灯

    题目描述 Description YYX家门前的街上有N(2<=N<=100000)盏路灯,在晚上六点之前,这些路灯全是关着的,六点之后,会有M(2<=m<=100000)个人 ...

  9. 【Tomcat】如何优化tomcat配置(从内存、并发、缓存4个方面)优化

    一.Tomcat内存优化 ** Tomcat内存优化主要是对 tomcat 启动参数优化,我们可以在 tomcat 的启动脚本 catalina.sh 中设置 java_OPTS 参数. JAVA_O ...

  10. DTrace C++ Mysteries Solved 转

      I’ve been using DTrace on Leopard in my recent work, and while it’s a great tool, the C++ support ...