Permissions of the Application Pool Identity

  • Question

  • User-246551752 posted

    It seems that there are two different identities used in running a website - the site identity, and the application pool identity.  I understand that the site identity is used so that you can give file permissions to that identity so it can access files.

    But I don't understand what permissions you would need to give the application pool identity.

    Say for example, I set the Application Pool Identity to an account, say AP_1, which is an account I created in Active Directory.  It will then run the W3WP process under that account.  Do I need to give it any further permissions or that's it?

    I guess I don't quite understand the purpose of the application pool identity.

    Greg

    Sunday, April 10, 2011 9:45 AM

Answers

  • User1080221284 posted

    The application pool identity is used for any server side code (ASP.NET, classic ASP, PHP, etc). You can configure the anonymous user to use the application pool identity as well so you only need to manage a single user. The application pool identity needs read access to the site files at a minimum, but will require write access if your application writes to disk.

    http://technet.microsoft.com/en-us/library/cc771170(WS.10).aspx

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Sunday, April 10, 2011 11:04 AM
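    The least-privilege layout the answer describes (read on the site tree, write only where the application actually writes, anonymous requests mapped onto the pool identity) as an added PowerShell example. This is not code from the thread or from Microsoft's documentation; it assumes Windows Server 2008 R2 or later with IIS 7.x and the WebAdministration module, and the pool name, site name and folder paths are placeholders to replace with your own.

    ```powershell
    # Added example (not from the thread): least-privilege NTFS grants for an
    # application pool identity, an ACL audit, and mapping anonymous requests
    # onto that identity. Pool/site/path values below are placeholders.

    $PoolName  = 'DefaultAppPool'          # placeholder
    $SiteName  = 'Default Web Site'        # placeholder
    $SiteRoot  = 'C:\inetpub\wwwroot'      # placeholder
    $UploadDir = 'C:\inetpub\wwwroot\images'  # placeholder: the only writable folder

    # The virtual account IIS creates for each pool. icacls and Get-Acl can
    # resolve it even though it is not a real local or domain user.
    $Identity = "IIS AppPool\$PoolName"

    function Grant-AppPoolLeastPrivilege {
        # Read + execute on the whole site tree, inherited by subfolders and files.
        & icacls $SiteRoot  /grant "${Identity}:(OI)(CI)RX" | Out-Null
        # Modify only on the one folder the application writes to; never Full control.
        & icacls $UploadDir /grant "${Identity}:(OI)(CI)M"  | Out-Null
    }

    function Get-AppPoolAccess {
        # What the pool identity can actually do on a path, inherited entries included.
        param([string]$Path)
        (Get-Acl -Path $Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Identity } |
            Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
    }

    function Get-FullControlGrants {
        # Audit: list Allow entries carrying Full control for anything other than
        # the built-in principals that are expected to hold it.
        param([string]$Path)
        $trusted = @('NT AUTHORITY\SYSTEM',
                     'BUILTIN\Administrators',
                     'NT SERVICE\TrustedInstaller')
        $full = [System.Security.AccessControl.FileSystemRights]::FullControl
        (Get-Acl -Path $Path).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full) -and
                ($trusted -notcontains $_.IdentityReference.Value)
            } |
            Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, IsInherited
    }

    function Set-AnonymousToAppPoolIdentity {
        # An empty userName makes IIS serve anonymous requests as the pool identity,
        # the same thing the "Application pool identity" option in IIS Manager sets.
        Import-Module WebAdministration
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name 'userName' -Value ''
    }

    Grant-AppPoolLeastPrivilege
    Set-AnonymousToAppPoolIdentity
    Get-AppPoolAccess -Path $UploadDir | Format-Table -AutoSize
    Get-FullControlGrants -Path $SiteRoot | Format-Table -AutoSize
    Get-FullControlGrants -Path $UploadDir | Format-Table -AutoSize
    ```

    Run it from an elevated PowerShell prompt. The audit is the part worth keeping around: the write-denied case later in this thread is exactly where comparing Get-AppPoolAccess on the folder against the entries Get-FullControlGrants reports (including CREATOR OWNER or a Deny entry that Get-Acl also lists) tells you whether the grant you think you made is the one the identity actually receives.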

All replies

  • User-246551752 posted

    OK, thanks.  I like the idea of just using a single user like you mention above.  Do you find it to be a good practice?

    Greg

    Sunday, April 10, 2011 11:07 AM
  • User1080221284 posted

    It depends on the type of content you are serving up and the specific requirements of the application, but generally speaking, yes, this is an accepted practice for most web applications provided the application doesn't need read/write to other parts of the OS or directory structure, and the security is locked down to the specific application pool:

    http://learn.iis.net/page.aspx/624/application-pool-identities/

    You can assign permissions to the actual application pool itself.

    Sunday, April 10, 2011 11:15 AM
  • User-246551752 posted

    I am trying to assign NTFS permissions to the application pool.  I carefully follow the steps in the above link to do so.  But it doesn't find it in the GUI.  I carefully select the machine, not the domain, as the location, and enter "IIS AppPool\DefaultAppPool" but it is not found.  The only difference I see in my GUI from the example is that I only get "Built-in security principals" as the object type, whereas the example shows "Users, Groups and Built-in".

    I tried with the ICACLS and it found it and added it with no problem.

    Am I doing something wrong in the GUI?  Have tried a 100 times to no avail.  It will not find any virtual app pool name that I try.

    Greg

    Sunday, April 10, 2011 11:45 AM
  • User-1672167363 posted

    Hello,

    Problem: where are the users and the folders and directories, so permissions can be set / configured for Application Pool and Users:

    Methods & Operations for Application Pool users / folders / locations on Windows System.

    For this discussion only local folders and users are being handled. 

    By default you will not see other user / account folders this is true for Application Pool folders / directories.

    To be able to manage Application Pools you need to at least see what your working with.

    Go to your windows folder view settings and un-check the setting for Hiding folders ( this allows you to see Application Pool users ).

    You will find some of the other folder settings modifications may make sense.

    After making folder setting changes log off and back on.

    After you have logged back on you can, using Windows Explorer, browse to C:\Users\DefaultAppPool and with Windows Explorer and the Properties Security Tab add, modify, edit permissions for Users, Accounts, Groups for access to DefaultAppPool.

    The same operations from above apply to any of the other named Application Pools.

    The other Application Pools can include Classic, Custom (a user you create) and DefaultAppPool.

    I hope this helps.

    Martin


    Sunday, April 10, 2011 1:49 PM
  • User733050277 posted

    I have the following setup:

    Windows 2008 R2

    IIS 7

    PHP 5.2 installed using the Web Platform Installer

    I need users to be able to write to a directory (in this case it's images). 

    All accounts have read only access to this folder except the application pool identity which has full control. 

    Users are unable to write files to the directory.

    Using procmon during an upload I can see that the application pool identity is denied write access to the folder.

    Any idea why this might be the case? The effective permissions suggest that it should have full control.

    Cheers

    Andy

    Monday, April 11, 2011 4:39 AM
  • User-1672167363 posted

    Hello,

    To understand your problem with Users, Accounts, Permissions please read http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/ .

    The guide explains how the Built-In Users, Accounts are used to execute code and handle files in IIS Server and Web Sites.

    The IUSR,IIS_USERS need to have minimal access permissions of read,execute,list for IIS Server,Web Sites.

    The IUSR,IIS_USERS need to have special permissions of write for Temp Folders and files.

    The IUSR,IIS_USERS need to have the special permissions for the %windir%\Temp folder and files.

    The %windir% is the Windows directory path name aka C:\Windows if that is the drive on the system.

    If you are using the "Network Service" then use the same permissions as IUSR,IIS_USERS. The IUSR,IIS_USERS need to have access to files and folders for the Application Pool.

    The suggestions for how to provide permissions and settings were in previous post.

    Note: For "Best Practice" do not give "Full" permissions to any User,Account,Group other than "Administrator","System".

    Martin

    Monday, April 11, 2011 8:18 AM
  • User-246551752 posted

    Andy,

    There is a setting in PHP.ini that can restrict where PHP can write to. (I don't have the setting name to hand, sorry).  That's one thing to check.

    Also, check the NTFS permissions for the identity which the website runs under, which can be different from the identity that the application pool runs under.

    I run the web site and the apppool under the same identity to keep things simpler.

    Greg

    Monday, April 11, 2011 8:58 AM
  • User1080221284 posted

    "Am I doing something wrong in the GUI?"

    In Windows Server 2008, you have to do it from the command line:

    ICACLS C:\inetpub\wwwroot /grant "IIS AppPool\DefaultAppPool":(M)

    You can do it from the GUI in Windows Server 2008 R2.

    Monday, April 11, 2011 9:04 AM