Home > IIS > IIS 7.0/7.5 Security: Application Pool Identities

IIS 7.0/7.5 Security: Application Pool Identities

Windows 2008 SP2 introduced to IIS 7.0 the use of Application Pool identities to help secure web resources and enhance web application performance.  This became the standard with Windows 2008 R2 and IIS 7.5. In my article regarding IIS 7.0/7.5 Best Practices, several items include the use of Application Pool identities in configuring both IIS and NTFS resources.  The steps and practices below should be used when configuring IIS according to best practices.

 

Default Application Pools stopped

As explained in the IIS 7.0/7.5 Best Practices article, there are up to four Application Pools that are created by the installation of IIS and the .NET Framework v4.0. These Application Pools can be exploited by malicious code since they are commonly known and well-documented default objects. Use the IIS Manager to stop or delete the default Application Pools.

 

Default Application Pools Stopped

 

Each site should use its own associated Application Pool

As part of the planning for your web site structure, you should have already figured out what you will name your web site in IIS. If you create an Application Pool with the same name as your web site, when you create the web site it will automatically associate itself with that Application Pool. Otherwise, when you create a web site it will associate itself with the DefaultAppPool.

Either way, it is preferable to create an Application Pool with the same name as the web site and associate it for use so that configuring resources and troubleshooting issues later will be easier.

 

Each Site Has Its Own Application Pool

 

Configure Anonymous Authentication to use the AppPoolIdentity

By default, when you create an Application Pool it will configure itself to use the IUSR account for anonymous authentication. The IUSR account is created during the IIS installation process. In order to isolate web site content and resources, it is important to configure the Application Pool to use the AppPoolIdentity.

 

Anonymous Authentication using the Application Pool Identity

 

NTFS Permissions and the AppPoolIdentity

The planning phase of your IIS web site should include creating a new folder on a disk separate from the system disk. This will help prevent your web site’s disk resources from interfering with operating system disk resources. The web site folder will, by default, inherit permissions from the parent folder – or the disk’s permissions if the folder is in the disk’s root.

The first step is to remove the web site root folder’s permission inheritance and set the folder to allow only the local Administrators group and the local SYSTEM account full control. You can then configure each site folder to give the web site’s AppPoolIdentity read-only permissions.

 

 

 

 

 

 

 

 

Properly configured Application Pools in IIS 7.0 and IIS 7.5 can greatly enhance your web server’s security. Making these best practices a standard in your web server environment can help you provide your company with a good security framework. But security doesn’t stop here. As a Windows Systems Administrator (SysAdmin), your responsibility is to ensure security throughout your server environment and the steps here are provided to give you a starting point.

 

REFERENCES

CIS Microsoft IIS 7.0 Benchmark v1.1.0
Ensure Security Isolation for Web Sites
Application Pool Identities

Advertisements
  1. November 16, 2012 at 10:06 am

    Hi Oliver, Excellent article. If all these content folders are locked down to “Administrators”, “application pool”, how can other user upload content. Any suggestions/best practices on how to upload content to these web sites? Thank you, Venkat.

    • February 10, 2013 at 5:45 pm

      Hi Venkat,

      What it sounds like you want to do is give a user permission to modify web content. In that scenario, you would want to make sure Windows Authentication is installed and enabled in IIS. Best practices recommendation is to create a local user account and give that user account Modify permissions on the web content folders. Kerberos authentication is always recommended where possible.

      • Venkat
        February 11, 2013 at 6:39 pm

        Thanks Oliver, I will try it out.

  2. December 15, 2012 at 8:44 pm

    My partner and I stumbled over here by a different web page and thought I might check things out.
    I like what I see so now i’m following you. Look forward to looking over your web page again.

  3. September 28, 2013 at 3:04 pm

    My brother suggested I might like this website.
    He was once totally right. This post actually
    made my day. You can not believe simply how so much time I had spent
    for this information! Thanks!

  4. February 6, 2014 at 2:22 am

    Hi Oliver, great article. I followed your article, my 2008r2 works ok now. But I have another question, a shell in one of my site can not read other site’s content, but it can read system setting, such as groups and user, or download files from c:\windows.
    What should I do now, any suggestions?
    Thanks

    • April 8, 2014 at 8:38 pm

      Your issue tends to happen particularly with .NET applications. Verify the permissions of the .NET application and check the NTFS permissions of the folder structures you can access. Lock down any folders that the application is not required to access.

  5. September 7, 2014 at 11:22 pm

    Thank you for the instructions !

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: