Friday, 28 February 2014

ApplicationPoolIdentity understood

Background

Back in the day, IIS sites ran as NETWORK SERVICE by default. This was acceptable in that it was a fairly limited user and could run without anyone having to log in to the server, but as with most security issues, it meant that two sites running under the same user could potentially interfere with each other since they had exactly the same permissions.

Windows Server 2008 SP2 introduced a new pattern that offers segregated security without the hassle (and risk) of creating a new user for each site you want to run; it does most of this automatically. The setting is called ApplicationPoolIdentity and it is pretty simple to understand.

Since your application pools all have different names, a pseudo-user is created for each one with the same name as the application pool. Permissions can then be assigned to this user for the file system etc., but importantly, only applications running under that application pool can access those folders, which maintains a good level of separation between sites.

Using them in Explorer

The tricky bit is finding them in Windows Explorer! This is because the name is not just the application pool name: it is prefixed with IIS AppPool\, so you might have something like IIS AppPool\MyAppPoolName. You need both parts to find them in the security tab of a folder (which, I still don't understand why, never actually finds anything unless you type it exactly right!).
If you then press Check Names, it will change to the following and can then be added to the security list for the folder.
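The same grant can be scripted instead of clicked through, which is handy when you have many pools. The following is an added example, not code from the original post; it assumes IIS is installed, that a pool called MyAppPoolName exists, and that the folder path is a placeholder for your site's real content folder.

```powershell
# Added example (not from the original post): grant an IIS application pool's
# virtual identity (IIS AppPool\<pool name>) read/execute on a site folder from
# PowerShell, then read the ACL back to confirm which pool identities are present.
# Assumptions: IIS is installed, the pool "MyAppPoolName" exists, and the folder
# path below is a placeholder you replace with the site's real content folder.
param(
    [string]$PoolName = 'MyAppPoolName',             # placeholder pool name
    [string]$SitePath = 'C:\inetpub\wwwroot\MySite'  # placeholder folder
)

# The identity must be written with the "IIS AppPool\" prefix, exactly as you
# would type it into the security tab of the folder in Explorer.
$identity = "IIS AppPool\$PoolName"

# Resolve the name to a SID first: if this throws, the pool does not exist on
# this machine and no ACE should be written for it.
$sid = (New-Object System.Security.Principal.NTAccount($identity)).Translate(
           [System.Security.Principal.SecurityIdentifier])
Write-Host "Resolved $identity to $($sid.Value)"

# Read and execute only: the worker process needs to read content, not write it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $SitePath
$acl.AddAccessRule($rule)
Set-Acl -Path $SitePath -AclObject $acl

# Verify: list every ACE on the folder that belongs to an app pool identity.
# Seeing a different pool's identity here means the per-pool segregation the
# post describes has been undone for this folder, which is what to check for.
(Get-Acl -Path $SitePath).Access |
    Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it from an elevated PowerShell prompt on the IIS server, since changing the folder's ACL requires administrative rights.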
