Application Pool Identities
Whether you are running your site on your own server or in the cloud, security must be at the top of your priority list. If so, you will be happy to hear that IIS has a security feature called the application pool identity. This feature was introduced in Service Pack 2 (SP2) of Windows Server 2008 and Windows Vista. An application pool identity allows you to run an application pool under a unique account without having to create and manage domain or local accounts. The name of the application pool account corresponds to the name of the application pool. The image below shows an IIS worker process (W3wp.exe) running as the DefaultAppPool identity.
Application Pool Identity Accounts
Worker processes in IIS 6.0 and in IIS 7 run as Network Service by default. Network Service is a built-in Windows identity. It doesn't require a password and has only user privileges; that is, it is relatively low-privileged. Running as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.
However, a problem arose over time as more and more Windows system services started to run as Network Service. This is because services running as Network Service can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities. The Windows operating system provides a feature called "virtual accounts" that allows IIS to create a unique identity for each of its application pools. Click herefor more information about Virtual Accounts.
Configuring IIS Application Pool Identities
If you are running IIS 7.5 on Windows Server 2008 R2, or a later version of IIS, you don't have to do anything to use the new identity. For every application pool you create, the Identity property of the new application pool is set toApplicationPoolIdentity by default. The IIS Admin Process (WAS) will create a virtual account with the name of the new application pool and run the application pool's worker processes under this account by default.
To use this virtual account when running IIS 7.0 on Windows Server 2008, you have to change the Identity property of an application pool that you create to ApplicationPoolIdentity. Here is how:
- Open the IIS Management Console (INETMGR.MSC).
- Open the Application Pools node underneath the machine node. Select the application pool you want to change to run under an automatically generated application pool identity.
- Right click the application pool and select Advanced Settings...
- Select the Identity list item and click the ellipsis (the button with the three dots).
- The following dialog appears:
- Select the Built-in account button, and then select the identity type ApplicationPoolIdentity from the combo box.
To do the same step by using the command-line, you can call the appcmd command-line tool the following way:
%windir%\system32\inetsrv\appcmd.exe set AppPool <your AppPool> -processModel.identityType:ApplicationPoolIdentity
Securing Resources
Whenever a new application pool is created, the IIS management process creates a security identifier (SID) that represents the name of the application pool itself. For example, if you create an application pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.
You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).
- Open Windows Explorer
- Select a file or directory.
- Right click the file and select Properties
- Select the Security tab
- Click the Edit button and then Add button
- Click the Locations button and make sure that you select your computer.
- Enter IIS AppPool\DefaultAppPool in the Enter the object names to select: text box.
- Click the Check Names button and click OK.
By doing this, the file or directory you selected will now also allow the DefaultAppPool identity access.
You can do this via the command-line by using the ICACLS tool. The following example gives full access to the DefaultAppPool identity.
ICACLS test.txt /grant "IIS AppPool\DefaultAppPool":F
For more information, see ICACLS.
On Windows 7 and Windows Server 2008 R2, and later versions of Windows, the default is to run application pools as the application pool identity. To make this happen, a new identity type with the name "AppPoolIdentity" was introduced. If the "AppPoolIdentity" identity type is selected (the default on Windows 7 and Windows Server 2008 R2, and later), IIS will run worker processes as the application pool identity. With every other identity type, the security identifier will only be injected into the access token of the process. If the identifier is injected, content can still be ACLed for the ApplicationPoolIdentity, but the owner of the token is probably not unique. Here is an article that explains this concept.
Accessing the Network
Using the Network Service account in a domain environment has a great benefit. Worker process running as Network Service access the network as the machine account. Machine accounts are generated when a machine is joined to a domain. They look like this:
<domainname>\<machinename>$,
For example:
mydomain\machine1$
The nice thing about this is that network resources like file shares or SQL Server databases can be ACLed to allow this machine account access.
WHAT ABOUT APPLICATION POOL IDENTITIES?
The good news is that application pool identities also use the machine account to access network resources. No changes are required.
Compatibility Issues with Application Pool Identities
GUIDANCE DOCUMENTATION
The biggest compatibilty issue with application pool identities is probably earlier guidance documents which explicitly recommend that you ACL resources for Network Service, that is, the default identity of the DefaultAppPool in IIS 6.0 and IIS 7.0. Customers will have to change their scripts to ACL for "IIS AppPool\DefaultAppPool" (or another application pool name) when running on IIS 7.5 or later (see the example above for how to do this).
USER PROFILE
IIS doesn't load the Windows user profile, but certain applications might take advantage of it anyway to store temporary data. SQL Express is an example of an application that does this. However, a user profile has to be created to store temporary data in either the profile directory or in the registry hive. The user profile for the Network Service account was created by the system and was always available. However, with the switch to unique Application Pool identities, no user profile is created by the system. Only the standard application pools (DefaultAppPool and Classic .NET AppPool) have user profiles on disk. No user profile is created if the Administrator creates a new application pool.
However, if you want, you can configure IIS application pools to load the user profile by setting the LoadUserProfile attribute to "true".
Application Pool Identities的更多相关文章
- 如何在Windows 2003+IIS6的环境下找回应用程序池(application pool)中的服务账号密码
上一篇文章说了说如何在Win2008+iis7中取出SharePoint管理账号密码的方法. 整个过程简单的讲,就是通过使用要找回密码的账号用来在SharePoint中创建一个临时的Web Appli ...
- IIS7 Application Pool Integrate Mode 和 Classic Mode 的区别
IIS7也用了好久了,关于Application Pool Integrate Mode 和 Classic Mode 究竟是什么也是懵懵懂懂,于是下决心去官网看了技术文档,终于恍然大悟,特来分享一下 ...
- How do I create an IIS application and application pool using InnoSetup script
Create an IIS application. Create a new IIS application pool and set it's .NET version to 4. Set the ...
- 排错技能:任务管理器中追踪某w3wp.exe是哪个IIS站点的application pool
如果Windows的任务管理器中发现某个w3wp.exe占用了100%CPU,那我们就要揪出这是那个网站的application pool在作怪, 首先,每个站点一定要单独使用各自的applicati ...
- 批量启动application pool
在powershell中执行 Get-ChildItem IIS:\AppPools | where {$_.state -eq "Stopped"} | Start-WebApp ...
- SharePoint Error occurred in deployment step 'Recycle IIS Application Pool': 0x80070005:拒绝访问
错误出现的前提:多个用户在一台机器上做开发,使用非系统管理员账号时会出现,因为一般创建网站集时指定管理员为系统管理员: 使用 Visual Studio 2010 部署时报错:Error occurr ...
- 应用程序池和应用程序域的区别(Difference between application pool and application domain)
来自StackOverFlow: http://stackoverflow.com/questions/8486335/difference-between-an-application-domai ...
- Recycling Settings for an Application Pool <recycling>
Overview The <recycling> element contains configuration settings that control the conditions t ...
- IIS application pool access desktop denied
https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permiss ...
随机推荐
- TabControl控件
private void Form1_Load(object sender, EventArgs e) { #region 显示样式 tabControl1.ImageList = imageList ...
- PowerDesigner 非数值默认值时会自动增加单引单
在PowerDesigner中,如果默认值是非数值型的,那么 PowerDesigner 会默认加上单引号 因此我们需要把这个默认的单引号干掉,如果是需要设置字符串默认值的时候,就手工加上 单引号 即 ...
- 【学习总结】Info.plist和pch文件的作用
Info.plist 建立一个工程后,会在Supporting files文件夹下看到一个“Info.plist”的文件,该文件对工程做一些运行期的配置,非常重要,不能删除 项目中其他Plis ...
- ios 保存本地数据的方法
1. NSString *path = [[NSBundle mainBundle] pathForResource:@"文件名" ofType:@"plist" ...
- 简单3d RPG游戏 之 002 生命条(二)
在游戏中,游戏人物的血条可能会因为受伤或吃血瓶而长度变化,所以需要将血条的长度单独提出来作为一个变量,方便直接修改数值. public float healthBarLength; 改变生命值函数如下 ...
- 使用Docker解决同一服务器运行不同版本PHP方案。
前言: 最近公司有两个站点,分别是两种系统进行二次开发,基于LNMP架构的网站.一般想PHP这种非编译型语言想要对外出售源码都会进行加密,加密方法有很多种,大部分都是使用Zend Guard来进行加密 ...
- c#用反射原理递归遍历复杂实体对象
之前在网上看到的都是遍历那种比较简单的实体对象,但是如果有实体嵌套,甚至是包含有List<XXInfo>这种属性的时候就没有办法处理了.通过递归遍历的方式可以完成对复杂实体对象的所有属性的 ...
- window live writer的曲折安装过程
之前一直使用windows live writer2012写日志,由于之前重装了系统,所以需要重新安装writer,本以为是一个很简单的过程,你就是安装个软件吗.... 然而事实是... ...
- ExtJS4.2学习(20)动态数据表格之前几章总结篇1(转)
鸣谢:http://www.shuyangyang.com.cn/jishuliangongfang/qianduanjishu/2014-02-18/196.html --------------- ...
- C#学习笔记(二)
1.注释:注销,解释2.单行://多行:/**/文档注释:///按enter主食要保证 别人一看就明白3.快速对期待吗:ctrl+k+d,按住ctrl不放,按k,迅速抬起,再按d(按D得时候k已经抬起 ...