Configuring an IIS 10 Application Pool Identity

One of the key features of IIS 10 is the ability to create and manage application pools, which are isolated environments that separate different applications running on the same web server. In this blog post, I will discuss the importance of IIS application pool identities, which play a crucial role in securing and managing Windows Server web applications, and how to configure them for a website.

What is an Application Pool Identity?

Originally introduced in IIS7 with Windows Server 2008, an application pool identity is a virtual account that is created automatically when you create a new application pool in IIS. The purpose of this identity is to provide a secure and isolated environment for your web applications to run in, while preventing unauthorized access and protecting against attacks.

When you create an application pool, you can specify the identity that the pool will use to access resources on the web server. By default, application pools run under the built-in account called ApplicationPoolIdentity, which is a virtual account that is created specifically for each application pool. This account has limited permissions and can only access resources that are specific to the application pool.

Why Application Pool Identities Matter

Application pool identities are an essential component of IIS security and can help prevent unauthorized access to your web applications. By default, each application pool runs under its own isolated environment, which means that even if one application is compromised, it will not affect other applications running on the same web server.

In addition, application pool identities can help improve the performance and stability of your web applications. By using a separate identity for each application pool, you can ensure that each application has its own set of resources and does not compete with other applications for system resources.

How to Manage Application Pool Identities

Managing application pool identities in IIS is relatively simple. You can configure the identity that an application pool uses by following these steps:

1. Open the IIS Manager console.

2. Select the application pool that you want to configure.

3. Right-click on the application pool and select “Advanced Settings”.

4. Under the “Process Model” section, select the identity that you want to use for the application pool. By default, this will be the built-in ApplicationPoolIdentity account.

You can also create custom identities for your application pools if you need to grant additional permissions or access to specific resources on your web server.

To create a custom identity, you can follow these steps:

1. Open the IIS Manager console.

2. Select the application pool that you want to configure.

3. Right-click on the application pool and select “Advanced Settings”.

4. Under the “Process Model” section, select “Custom account” and enter the account information for the custom identity.

If your web server is part of an Active Directory domain and you are adding a domain user account, be sure to enter domain\username in the user name field. This is also a good way to validate that you have the correct password, because the form will not allow the account to be saved if the password is wrong.
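The same identity change can be scripted instead of clicked through in Advanced Settings. The following is an added example, not code from the original post: it uses the WebAdministration module, validates a custom account's credentials before saving them (mirroring the form's refusal to save a bad password), and assumes an existing pool whose name ("MySite") and service account ("CORP\svc-mysite") are placeholders.

```powershell
# Added example: set an application pool's identity with the WebAdministration module.
# Assumptions: IIS with the WebAdministration module, run from an elevated session,
# and an existing pool named "MySite" (placeholder name).
Import-Module WebAdministration

function Set-AppPoolIdentity {
    param(
        [Parameter(Mandatory)] [string] $PoolName,
        # Omit -Credential to use the built-in ApplicationPoolIdentity virtual account
        [System.Management.Automation.PSCredential] $Credential
    )
    $pool = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $pool)) { throw "Application pool '$PoolName' does not exist" }

    if (-not $Credential) {
        # Built-in virtual account: nothing secret is written to applicationHost.config
        Set-ItemProperty $pool -Name processModel.identityType -Value ApplicationPoolIdentity
        return
    }

    # Mirror the IIS Manager form: refuse to save a custom account whose password
    # does not validate. A 'domain\username' value selects a Domain context,
    # anything else is checked against the local machine.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $user  = $Credential.UserName
    $plain = $Credential.GetNetworkCredential().Password
    if ($user -match '^([^\\]+)\\(.+)$') {
        $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new('Domain', $Matches[1])
        $account = $Matches[2]
    } else {
        $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new('Machine')
        $account = $user
    }
    if (-not $ctx.ValidateCredentials($account, $plain)) {
        throw "Credentials for '$user' did not validate; identity left unchanged"
    }

    Set-ItemProperty $pool -Name processModel.identityType -Value SpecificUser
    Set-ItemProperty $pool -Name processModel.userName     -Value $user
    Set-ItemProperty $pool -Name processModel.password     -Value $plain
}

# Usage with placeholder names: built-in identity first, then a domain service account
Set-AppPoolIdentity -PoolName 'MySite'
Set-AppPoolIdentity -PoolName 'MySite' -Credential (Get-Credential -UserName 'CORP\svc-mysite' -Message 'Pool identity')
```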

Adding an Application Pool Identity to IIS_IUSRS

What is IIS_IUSRS? IIS_IUSRS is a built-in Windows Server user group that is created during the installation of IIS. It is used to provide access to files and folders that are required by web applications that are hosted in IIS. By default, IIS_IUSRS is granted read and execute access to the necessary files and folders, which allows web applications to run without issues.

The IIS_IUSRS group is granted access to the following directories by default:

  • %SystemDrive%\inetpub
  • %SystemDrive%\Windows\Microsoft.NET
  • %SystemDrive%\Program Files\Common Files\Microsoft Shared\Web Server Extensions

To add an application pool identity to IIS_IUSRS, open the group from Computer Management > Local Users and Groups and reference the account as IIS AppPool\sitename, where sitename is the name of the application pool. If your server is in an Active Directory domain, you’ll need to first change the Locations option to the local server so the virtual account can be resolved.

Adding app pool identity to site folder ACL

If your web server is providing “shared” hosting services to multiple applications, be sure not to add the IIS_IUSRS group to the parent directory where all the sites are stored, since that would let every site’s worker process read every other site’s files. Instead, add each application pool identity separately to its own site’s application folder ACL (access control list).
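The per-site grant described above, plus a check for the mistake it warns against, as an added example that is not part of the original post. It assumes the WebAdministration module, an elevated session, and that all site folders live under one parent such as C:\inetpub\sites (placeholder path).

```powershell
# Added example: grant each site's own application pool identity read/execute on that
# site's folder only, and audit the shared parent for an over-broad IIS_IUSRS ACE.
Import-Module WebAdministration

function Grant-SiteFolderToAppPool {
    param([Parameter(Mandatory)] [string] $SiteName)
    $site = Get-Website -Name $SiteName
    if (-not $site) { throw "Site '$SiteName' not found" }
    $folder   = [System.Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $identity = "IIS AppPool\$($site.applicationPool)"   # virtual account of this site's pool

    # Read & execute only, inherited by files and subfolders of this site's root
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
    return $identity
}

function Test-SharedParentAcl {
    # Lists any ACE on the shared parent that targets IIS_IUSRS or an app pool identity;
    # on a correctly scoped shared host this returns nothing.
    param([Parameter(Mandatory)] [string] $ParentFolder)
    (Get-Acl -Path $ParentFolder).Access |
        Where-Object { $_.IdentityReference -match '^(BUILTIN\\IIS_IUSRS|IIS AppPool\\)' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage with placeholder path: scope every site, then audit the parent
Get-Website | ForEach-Object { Grant-SiteFolderToAppPool -SiteName $_.Name }
Test-SharedParentAcl -ParentFolder 'C:\inetpub\sites'
```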

In summary

IIS application pool identities are an essential component of web application security and performance. By isolating each application in its own environment and restricting access to specific resources, you can prevent unauthorized access and protect against attacks. With the ability to configure both built-in and custom identities, you have the flexibility to manage your web applications in a way that best suits your needs.

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS