Why does IIS use the IUSR_Machine account to load aspnet_isapi.dll when it should use application pool account?
-
Wednesday, March 14, 2012 20:57
I was recently tasked with fixing a Windows Server 2003 server running IIS 6.0 that was giving:
HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.
It started giving these responses after Windows Update patch KB2633880 was applied, which seems to have changed some default permissions with the IUSR_Machine account and the .NET Framework directory.
The problem is all requests for asp.net resources (e.g. .aspx) did not work while everything else did (e.g. text, html). The application is set to serve anonymous requests using the IUSR_machine account and Network Service for the application pool account.
I verified the Network Service account can access the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 directory just fine but the IUSR_machine account cannot. After granting the IUSR_machine account access to the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 directory the problem is resolved. This seems very strange to me.
My question is why isn't IIS using the account of my application pool (Network Service) to load the aspnet_isapi.dll? From the troubleshooting above it seems quite clear that it is in fact using the IUSR_machine for this, which seems like a security hole. The identity tag in web.config is not set either so that is default.
I would appreciate any advice on this one, thanks.
All replies
-
Thursday, March 15, 2012 17:56 Moderator
Thanks for reaching out to us. Unfortunately, your question is not suited for the Security Development Lifecycle (SDL) Forum.
We address questions related to the Microsoft Security Development Lifecycle, the software security assurance development process developed by Microsoft.
We would recommend that you post your question on the following forum: http://forums.iis.net/t/1159256.aspx
Regards,
The SDL Team
- Proposed as answer by SDL Team (Moderator) Thursday, March 15, 2012 17:57
- Marked as answer by SDL Team (Moderator) Tuesday, March 27, 2012 18:47

