IIS 7.0/7.5 Security: Application Pool Identities
Windows 2008 SP2 introduced Application Pool identities to IIS 7.0 to help secure web resources and enhance web application performance. This became the standard with Windows 2008 R2 and IIS 7.5. In my article regarding IIS 7.0/7.5 Best Practices, several items include the use of Application Pool identities in configuring both IIS and NTFS resources. The steps and practices below should be used when configuring IIS according to best practices.
Stop the default Application Pools
As explained in the IIS 7.0/7.5 Best Practices article, there are up to four Application Pools that are created by the installation of IIS and the .NET Framework v4.0. These Application Pools can be exploited by malicious code since they are commonly known and well-documented default objects. Use the IIS Manager to stop or delete the default Application Pools.
Each site should use its own associated Application Pool
As part of the planning for your web site structure, you should have already figured out what you will name your web site in IIS. If you create an Application Pool with the same name as your web site, when you create the web site it will automatically associate itself with that Application Pool. Otherwise, when you create a web site it will associate itself with the DefaultAppPool.
Either way, it is preferable to create an Application Pool with the same name as the web site and associate the two, so that configuring resources and troubleshooting issues later will be easier.
Configure Anonymous Authentication to use the AppPoolIdentity
By default, when you create an Application Pool it will configure itself to use the IUSR account for anonymous authentication. The IUSR account is created during the IIS installation process. In order to isolate web site content and resources, it is important to configure the Application Pool to use the AppPoolIdentity.
NTFS Permissions and the AppPoolIdentity
The planning phase of your IIS web site should include creating a new folder on a disk separate from the system disk. This will help prevent your web site’s disk resources from interfering with operating system disk resources. The web site folder will, by default, inherit permissions from the parent folder – or the disk’s permissions if the folder is in the disk’s root.
The first step is to remove the web site root folder’s permission inheritance and set the folder to allow only the local Administrators group and the local SYSTEM account full control. You can then configure each site folder to give the web site’s AppPoolIdentity read-only permissions.
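The steps above as one PowerShell script, added here as an example and not taken from the original article. It uses the WebAdministration module and icacls; the site name www.example.com, the folder D:\Websites, port 8080 and the autoStart change are assumptions.

```powershell
# Added example: site name, folder path and port are hypothetical placeholders.
Import-Module WebAdministration   # ships with IIS 7.5; IIS 7.0 needs the separately installed IIS PowerShell snap-in

$SiteName = 'www.example.com'     # hypothetical; used for both the site and its pool
$SiteRoot = 'D:\Websites'         # hypothetical root folder on a non-system disk
$SitePath = Join-Path $SiteRoot $SiteName
$AnonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

# 1. Stop whichever default pools exist (names as created by IIS and .NET Framework v4.0 setup).
$defaults = 'DefaultAppPool', 'Classic .NET AppPool', 'ASP.NET v4.0', 'ASP.NET v4.0 Classic'
foreach ($pool in $defaults) {
    if (Test-Path "IIS:\AppPools\$pool") {
        if ((Get-WebAppPoolState -Name $pool).Value -eq 'Started') { Stop-WebAppPool -Name $pool }
        # Assumption beyond the article: keep the pool stopped after a service restart.
        Set-ItemProperty "IIS:\AppPools\$pool" -Name autoStart -Value $false
    }
}

# 2. Create a pool named after the site and run it as the application pool identity.
if (-not (Test-Path "IIS:\AppPools\$SiteName")) { New-WebAppPool -Name $SiteName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel.identityType -Value ApplicationPoolIdentity

# 3. NTFS: break inheritance on the root and allow only Administrators and SYSTEM full control.
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
icacls $SiteRoot /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
# The site folder inherits those two entries; add read-only access for this pool's identity.
icacls $SitePath /grant "IIS AppPool\${SiteName}:(OI)(CI)R"

# 4. Create the site bound to its own pool.
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $SitePath -ApplicationPool $SiteName -Port 8080 | Out-Null
}
# An empty userName makes anonymous requests run as the application pool identity instead of IUSR.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $AnonAuth -Name userName -Value ''

# 5. Show the resulting settings for review.
(Get-ItemProperty "IIS:\AppPools\$SiteName").processModel.identityType
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $AnonAuth -Name userName
icacls $SitePath
```

Run it from an elevated PowerShell session. Stopping DefaultAppPool takes any site still assigned to it offline, so reassign such sites first.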
Properly configured Application Pools in IIS 7.0 and IIS 7.5 can greatly enhance your web server’s security. Making these best practices a standard in your web server environment can help you provide your company with a good security framework. But security doesn’t stop here. As a Windows Systems Administrator (SysAdmin), your responsibility is to ensure security throughout your server environment and the steps here are provided to give you a starting point.