Introduction
IIS introduces a new security feature in Service Pack 2 (SP2) of Windows Server 2008 and Windows Vista. It's called Application Pool Identities. Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool. The image below shows an IIS worker process (W3wp.exe) running as the DefaultAppPool identity.
If you are running IIS 7.5 on Windows Server 2008 R2, you don't have to do anything to use the new identity. For every Application Pool you create, the IIS Admin Process (WAS) will create a virtual account with the name of the new Application Pool and run the Application Pool's worker processes under this account. If you are running Windows Server 2008, you have to change the IdentityType property of the Application Pools you create to "AppPoolIdentity". Here is how:
Open the IIS Management Console (INETMGR.MSC). Open the Application Pools node underneath the machine node. Select the Application Pool you want to change to run under an automatically generated Application Pool Identity. Right click the Application Pool and select "Advanced Settings..."
Select the "Identity" list item and click the ellipsis (the button with the three dots). The following dialog appears.
To do the same step by using the command-line, you can call the appcmd command-line tool the following way:

%windir%\system32\inetsrv\appcmd.exe set AppPool <your AppPool> -processModel.identityType:ApplicationPoolIdentity
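The appcmd call above changes one pool at a time. As an added example (not part of the original article), the PowerShell script below audits every Application Pool on the machine, reports those whose processModel.identityType is not ApplicationPoolIdentity, and switches them using the same appcmd command. It assumes an elevated prompt on a host with IIS installed; the pool configuration is read back with appcmd's "/config:*" option, which prints the pool's settings as XML including attributes left at their default.

```powershell
# Added example, not from the original article.
# Assumption: run from an elevated PowerShell prompt on a host where IIS is installed.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Get-AppPoolIdentityType {
    param([Parameter(Mandatory)][string]$Name)
    # "appcmd list apppool <name> /config:*" prints the pool as an <add> element;
    # the identity type is the identityType attribute of its <processModel> child.
    # "/config:*" (rather than "/config") also shows attributes still at their default.
    $raw = (& $appcmd list apppool $Name '/config:*') -join "`n"
    $xml = [xml]$raw
    return $xml.add.processModel.identityType
}

function Get-AppPoolsNotUsingAppPoolIdentity {
    # "/text:name" prints one pool name per line.
    $names = & $appcmd list apppool /text:name
    foreach ($n in $names) {
        $type = Get-AppPoolIdentityType -Name $n
        if ($type -ne 'ApplicationPoolIdentity') {
            [pscustomobject]@{ Name = $n; IdentityType = $type }
        }
    }
}

function Set-AppPoolToAppPoolIdentity {
    param([Parameter(Mandatory)][string]$Name)
    # The same appcmd call the article gives; the name is passed as a separate
    # argument so pool names containing spaces are quoted correctly.
    & $appcmd set apppool $Name '/processModel.identityType:ApplicationPoolIdentity' | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "appcmd failed for pool '$Name' (exit code $LASTEXITCODE)"
    }
    # Read the setting back so the caller sees the effective value, not just the request.
    return Get-AppPoolIdentityType -Name $Name
}

# Usage: report first, then fix each reported pool.
$offenders = @(Get-AppPoolsNotUsingAppPoolIdentity)
if ($offenders.Count -eq 0) {
    Write-Host 'All Application Pools already run as ApplicationPoolIdentity.'
}
$offenders | Format-Table -AutoSize
foreach ($p in $offenders) {
    $new = Set-AppPoolToAppPoolIdentity -Name $p.Name
    Write-Host "$($p.Name): $($p.IdentityType) -> $new"
}
```

Running the audit function on its own (without the loop at the end) is a quick way to find pools that were created with an explicit account or with NetworkService, since those are the ones whose worker processes will not get a unique token owner.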
Securing Resources
Whenever a new Application Pool is created, the IIS management process creates a security identifier (SID) that represents the name of the Application Pool itself. For example, if you create an Application Pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console. You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).

1. Open Windows Explorer.
2. Select a file or directory.
3. Right click the file and select "Properties".
4. Select the "Security" tab.
5. Click the "Edit" and then "Add" button.
6. Click the "Locations" button and make sure you select your machine.
7. Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box.
8. Click the "Check Names" button and click "OK".

By doing this, the file or directory you selected will now also allow the "DefaultAppPool" identity access.
You can do this via the command-line by using the ICACLS tool. The following example gives full access to the DefaultAppPool identity.

ICACLS test.txt /grant "IIS AppPool\DefaultAppPool":F

On Windows 7 and Windows Server 2008 R2, the default is to run Application Pools as the Application Pool Identity. To make this happen, a new identity type with the name "AppPoolIdentity" was introduced. If the "AppPoolIdentity" identity type is selected (the default on Windows 7 and Windows Server 2008 R2), IIS will run worker processes as the Application Pool identity. With every other identity type, the security identifier will only be injected into the access token of the process. If the identifier is injected, content can still be ACLed for the AppPool identity, but the owner of the token is probably not unique. Here is an article that explains this concept.
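The ICACLS example above grants full control (:F). As an added example (not from the original article), the script below grants the per-pool identity "IIS AppPool\<PoolName>" read-and-execute access to a site's content directory, inherited by files and subfolders, and then reads the ACL back to confirm the entry is present. It assumes an elevated prompt; the content path is a constructed sample value, and the choice of RX rather than F is the script's own, since static content and application files rarely need more than read access from the worker process.

```powershell
# Added example, not from the original article.
# Assumptions: elevated PowerShell prompt; the pool already exists; $content below
# is a constructed sample path.

function Grant-AppPoolReadAccess {
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][string]$Path
    )
    # (OI)(CI) make the entry inherit to files and subfolders; RX is read + execute.
    # The article's example uses :F (full control); this script grants only read.
    $account = "IIS AppPool\$PoolName"
    & icacls.exe $Path /grant "${account}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed for '$Path' (exit code $LASTEXITCODE)"
    }
}

function Test-AppPoolHasAccess {
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][string]$Path
    )
    # "icacls <path>" prints one "<account>:<rights>" entry per line. The virtual
    # account is displayed as IIS APPPOOL\<PoolName>; -match is case-insensitive,
    # so the upper-case domain part does not matter.
    $lines = & icacls.exe $Path
    $escaped = [regex]::Escape("IIS APPPOOL\$PoolName")
    return [bool]($lines | Where-Object { $_ -match "${escaped}:" })
}

# Usage
$pool    = 'DefaultAppPool'
$content = 'C:\inetpub\wwwroot\MySite'   # constructed sample path

Grant-AppPoolReadAccess -PoolName $pool -Path $content
if (Test-AppPoolHasAccess -PoolName $pool -Path $content) {
    Write-Host "$pool has an ACL entry on $content"
} else {
    Write-Warning "No ACL entry for $pool found on $content"
}
```

Because each pool's SID is distinct, an entry granted this way to "IIS AppPool\DefaultAppPool" does not extend to worker processes of any other pool, which is the isolation property the article describes; the check function makes that visible when you run it against a second pool's name on the same directory.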