Re: a few questions about application pool identities (IIS 6.0)
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 06/15/04
- In reply to: Andy Cheung: "a few questions about application pool identities (IIS 6.0)"
Date: Wed, 16 Jun 2004 00:00:55 +1000
Hi,
The various accounts listed have differing rights on the machine. Generally:
a) LocalSystem has access to everything
b) Network Service has limited rights, and can authenticate to remote
machines for access to resources
c) Local Service has similar rights to Network Service, but cannot
authenticate to remote machines (hence "local service")
d) IWAM_Machinename is really only there for backwards compatibility with
IIS 5.0 applications that are written assuming that the process identity is
IWAM, or that assume that the application has the same permissions as the
IWAM account.
Depending on what your applications need, you should choose one of the above
accounts. Each web application pool is contained within its own w3wp.exe
process, so in that sense they are separate. If you need to set up NTFS ACLs
that distinguish between app pools, then you should consider creating new,
custom, accounts that have the same permissions using one of the predefined
accounts as a template.
If you go to my site: www.adopenstatic.com, on the homepage there's a link to
download the sample chapter from my IIS 6.0 security book. There's a section
in there that lists all the rights that each of these accounts has (so you
can duplicate them).
Cheers
Ken
"Andy Cheung" <andycheung2000@hotmail.com> wrote in message
news:f007cbe5.0406150545.33463a3a@posting.google.com...
: I have a few questions about application pool identities:
:
: 1) Would there be any problem with using Local Service as an
: application pool identity? I see it is in the IIS_WPG group so I
: presume it will be ok. I don't want to use Network Service since
: that's used in another application pool and I want to keep my two
: pools as separate as possible.
:
: 2) I notice also that Local System is one of the "predefined" IDs in
: the IIS Manager (in the identity tab of application pool properties).
: What does it mean to be "predefined"? Does it mean that it's a good
: choice to use? I would have thought that Local System would be a bad
: choice as an application pool identity because it's so powerful.
:
: 3) Is there anything wrong with using IWAM as the application pool
: identity? Again, that's in the IIS_WPG group so I presume it's ok.
:
: Any help would be greatly appreciated
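
The custom-account approach from the reply above, sketched as a Windows batch file for two pools. This is an added example, not part of the original thread or of Ken Schaefer's book. The account names, directory paths and two-pool layout are assumptions, and any user rights beyond IIS_WPG membership still have to be copied from the template account as the reply describes.

```batch
@echo off
rem Added example (constructed): one custom identity per application pool,
rem with NTFS ACLs that tell the two pools apart.
rem Assumed names: accounts PoolA_Id / PoolB_Id, content under D:\Sites.
setlocal
set ACCT_A=PoolA_Id
set ACCT_B=PoolB_Id
set DIR_A=D:\Sites\AppA
set DIR_B=D:\Sites\AppB

rem 1) Create the local accounts. "*" prompts for the password without
rem    echoing it, so no password is stored in this file.
net user %ACCT_A% * /add /passwordchg:no /comment:"Identity for app pool A" || goto :fail
net user %ACCT_B% * /add /passwordchg:no /comment:"Identity for app pool B" || goto :fail

rem 2) Add both accounts to IIS_WPG, the group the thread mentions for
rem    worker process identities.
net localgroup IIS_WPG %ACCT_A% /add || goto :fail
net localgroup IIS_WPG %ACCT_B% /add || goto :fail

rem 3) Each account gets read access to its own content only.
rem    /E edits the existing ACL instead of replacing it, /T recurses.
cacls "%DIR_A%" /T /E /G %ACCT_A%:R
cacls "%DIR_B%" /T /E /G %ACCT_B%:R

rem 4) Explicitly deny the other pool's account. New accounts join the
rem    local Users group, which may already have read access inherited
rem    from the drive root, so a missing grant alone is not enough.
cacls "%DIR_A%" /T /E /D %ACCT_B%
cacls "%DIR_B%" /T /E /D %ACCT_A%

rem 5) Show the resulting ACLs for review.
cacls "%DIR_A%"
cacls "%DIR_B%"

rem 6) Manual step: in IIS Manager, open each pool's properties, go to
rem    the Identity tab, choose the configurable identity and enter the
rem    matching account and password.
echo Done. Now set each pool's identity in IIS Manager.
goto :eof

:fail
echo A net command failed; review the output above before continuing.
exit /b 1
```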