I've updated my Process Model Identity from NetworkService to ApplicationPoolIdentity.
However,
What permissions did NetworkService have before, and to what?
What were its security permissions for ASP.NET?
And how do I clone the previous permissions to the ApplicationPoolIdentity account?
You should look here for an explanation of Application Pool identities:
http://learn.iis.net/page.aspx/624/application-pool-identities/
NETWORKSERVICE is a built-in Windows identity. It doesn't require a
password and has only user privileges; that is, it is relatively
low-privileged. Running as a low-privileged account is a good security
practice because then a software bug can't be used by a malicious user
to take over the whole system.
What Windows user account does an ASP.NET MVC 4 app run under?
When I deploy my MVC app to IIS 7, it isn't writing exceptions to the log file. I stepped into the source while the application was deployed and found that it didn't have rights/the required privileges to write to the log file.
So, I want to grant more privileges to the account that the app is running under.
Go to:
IIS > Application Pools > (right-click) the Application Pool > Advanced Settings... > (Under Process Model) Identity.
You can change it if you want. It should be ApplicationPoolIdentity.
That just depends on the path you're going to write to. For example, if you're deploying your ASP.NET website using the default "Network Service" account, you should grant the right permission to it.
To get the account you're currently using, you can check the identity of the app pool for your website.
Using IIS 8.5?
The ApplicationPoolIdentity is a member of the IIS_IUSRS group. If you need to give the app direct access to the file system set the ACLs for IIS_IUSRS.
However, exposing the file system to the web requires very careful consideration.
I have a new Win7 workstation and I am trying to get ScrewTurn Wiki to run on the machine. My STW installation is using the file system option to store its data, and as such I need to give write permissions to the ASP.NET worker process in the folder the website is installed in.
HOWEVER, I cannot seem to be able to come up with name of the worker process in Win7 in order to add it to the permissions for the folder. In XP it was ASPNET_WP, if I remember correctly, but that is not its name in Win7.
Can someone please tell me?
Edited to add:
In response to #Dragan_Radivojevic, here's what the application pool in question looks like (named ScrewTurnWiki):
The Identity is "ApplicationPoolIdentity"
Giving write permissions to the whole IIS_IUSRS group is a bad idea from the security point of view. You don't need to do that; you can go with giving permissions only to the system user running the application pool.
If you are using IIS7 (and I guess you do), do the following:
1. Open IIS7
2. Select the website for which you need to modify permissions
3. Go to Basic Settings and see which application pool you're using.
4. Go to Application Pools and find the application pool from #3
5. Find the system account used for running this application pool (Identity column)
6. Navigate to your storage folder in IIS, select it and click on Edit Permissions (under the Actions sub menu on the right)
7. Open the Security tab and add the needed permissions only for the user you identified in #3
Note #1: if you see ApplicationPoolIdentity in #3 you need to reference this system user like this: IIS AppPool\{application_pool_name}. For example IIS AppPool\DefaultAppPool
Note #2: when adding this user make sure to set the correct location in the Select Users or Groups dialog. This needs to be set to the local machine because this is a local account.
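The procedure above, as an added PowerShell example that is not from the thread: it resolves the principal the pool actually runs as (covering every Process Model identity type, not only ApplicationPoolIdentity) and grants Modify to that principal alone, then lists the resulting entries. It assumes the WebAdministration module (IIS 7+ PowerShell provider), an elevated prompt, and placeholder pool and folder names.

```powershell
# Added example: grant Modify on a content folder to the app pool's own identity only.
# Assumes the WebAdministration module is available and the session is elevated.
Import-Module WebAdministration

function Get-AppPoolPrincipal {
    param([Parameter(Mandatory)][string]$PoolName)
    $pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
    # identityType is reported as a name on most builds and as a number on some;
    # both forms are handled (0=LocalSystem 1=LocalService 2=NetworkService 3=SpecificUser 4=ApplicationPoolIdentity).
    switch ([string]$pm.identityType) {
        { $_ -in 'ApplicationPoolIdentity', '4' } { "IIS AppPool\$PoolName" }        # virtual account, local to this machine
        { $_ -in 'NetworkService', '2' }          { 'NT AUTHORITY\NETWORK SERVICE' }
        { $_ -in 'LocalService', '1' }            { 'NT AUTHORITY\LOCAL SERVICE' }
        { $_ -in 'LocalSystem', '0' }             { 'NT AUTHORITY\SYSTEM' }
        { $_ -in 'SpecificUser', '3' }            { $pm.userName }                   # custom local or domain account
        default { throw "Unknown identityType '$($pm.identityType)' on pool $PoolName" }
    }
}

function Grant-AppPoolModify {
    param([Parameter(Mandatory)][string]$PoolName,
          [Parameter(Mandatory)][string]$Path)
    $principal = Get-AppPoolPrincipal -PoolName $PoolName
    # (OI)(CI) inherit the entry to files and subfolders; M is Modify, deliberately not F (Full Control).
    icacls $Path /grant "$($principal):(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed granting $principal on $Path" }
    # Show what the folder now holds for that principal so the grant can be reviewed.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $principal } |   # -eq is case-insensitive
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}

# Placeholder pool and folder names; replace with your own.
Grant-AppPoolModify -PoolName 'ScrewTurnWiki' -Path 'C:\inetpub\wwwroot\ScrewTurnWiki\public'
```

For the ApplicationPoolIdentity case the principal is "IIS AppPool\<pool name>", which icacls resolves on the local machine without the dialog's location setting being involved.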
I know this is an old thread but to further expand the answer here, by default IIS 7.5 creates application pool identity accounts to run the worker process under. You can't search for these accounts like normal user accounts when adding file permissions. To add them into NTFS permission ACL you can type the entire name of the application pool identity and it will work.
It is just a slight difference in the way the application pool identity accounts are handled, as they are seen to be virtual accounts.
Also the username of the application pool identity is "IIS AppPool\application pool name" so if it was the application pool DefaultAppPool the user account would be "IIS AppPool\DefaultAppPool".
These can be seen if you open Computer Management and look at the members of the local group IIS_IUSRS. The SID appended to the end of them is not needed when adding the account into an NTFS permission ACL.
Hope that helps
My immediate solution (since I couldn't find the ASP.NET worker process) was to give write (that is, Modify) permission to IIS_IUSRS. This worked. I seem to recall that in WinXP I had to specifically give the ASP.NET worker process write permission to accomplish this. Maybe my memory is faulty, but anyway...
#DraganRadivojevic wrote that he thought this was dangerous from a security viewpoint. I do not disagree, but since this was my workstation and not a network server, it seemed relatively safe. In any case, his answer is better and is what I finally settled on after chasing down a fail-path due to not specifying the correct domain for the AppPool user.
The full command would be something like below, notice the quotes
icacls "c:\inetpub\wwwroot\tmp" /grant "IIS AppPool\DefaultAppPool:F"
I am asking about the account of the user which runs the ASP.NET/IIS (or Cassini or IIS Express) application. I am asking about the defaults. There is very much confusion out there. Googling shows me a lot of types of users, for example,
my-computer-name\myname user,
IIS APPPOOL\ASP.NET v4 user,
IIS_WPG,
IIS_IUSRS user,
Network service user,
AspNet user,
IUSR_MachineName user,
IIS_IUSRS user,
IUSR user,
IIS_WPG user,
IWAM_computername user,
IIS APPPOOL\DefaultAppPool user.
These are quite confusing.
Cassini runs under the account that started VS. So the default would be the currently logged-in Windows user; runas will run it under a specific user account.
An application on IIS runs using an application pool. Here is a snippet from the default site:
Every Application pool can be configured using Advanced settings:
I should also point out possible impersonation, where the context runs under an impersonated user. This user can be provided by IIS or using code. Here is a sample of how to configure IIS impersonation (Authentication tab for a specific app):
Hope this helps!
Well, for one this is different based on the version of Windows that you are running. And second, you are asking about 3 different servers. So that is probably what is making it confusing.
Development servers
First, the easiest one: Cassini. This server runs under the same account and with the same privileges as the Visual Studio instance that it's started from. Usually, this is just your own Windows account.
IIS Express uses the exact same code-base as IIS, but it will run under your own Windows account as well, the same account that started Visual Studio (or Web Matrix for that matter).
IIS 6.0
Now for IIS proper. Here you may find many accounts. First of all, the 'old' IIS 6.0 that you will still find on Windows Server 2003 machines would use the following accounts:
Network Service (default and recommended worker processes identity for application pools in IIS 6.0 and above)
Local Service (pretty limited access)
Local System (used for the worker process when running in 'IIS 5.0 isolation mode', member of Administrators and has full access)
IIS_WPG (short for Worker Process Group, not an account, but a group, worker process identities should be member of this group, to get minimal required permissions)
IUSR_ComputerName (not used for a worker process, but rather to map anonymous visitors to a Windows account)
IWAM_{ComputerName} (for IIS 5.0 isolation mode, you'd typically use application pools for isolation nowadays)
ASPNET (also for IIS 5.0 isolation mode, it looks like the ASP.NET account, but in most cases it isn't)
(This list is based on the TechNet article IIS and Built-in Accounts (IIS 6.0).)
IIS 7 and above
For IIS 7, some of those listed above are no longer relevant, and some are replaced. Since these accounts are built-in to Windows, they have the same SID everywhere, which may come in handy now and then.
If you upgraded a server from Windows 2003 to Windows 2008, or if you install IIS 6.0 compatibility features or older IIS components, you may have the old and the new accounts on one machine.
IUSR (*replaces IUSR_{ComputerName}, so used to map anonymous users by default*)
IIS_IUSRS (*replaces the IIS_WPG group, and so is not an account but rather a group*)
(This is based on the article Understanding Built-In User and Group Accounts in IIS 7.)
AppPool identities (since IIS 7.0)
This list is now almost complete, but we still need to understand a special type of account: the 'dynamic' AppPool identities. These are not actual accounts on the machine like the others, e.g. you can't find them listed as users in Windows. But they are virtual accounts created on the fly for the application pools, if you choose the ApplicationPoolIdentity option.
If you need to give such an account access privileges to a file or folder, you can still search for the account by typing: IIS AppPool\{DefaultAppPool} (replace {DefaultAppPool} with the name of the application pool that you created).
(You can read more about this in Application Pool Identities on iis.net.)
When you install .NET 4.0, then IIS adds a new application pool to be able to run new .NET 4.0 web applications alongside the existing .NET 2.0 web applications. The installer gives this application pool the name ASP.NET v4.0, and uses the option ApplicationPoolIdentity. Hence a dynamic account is created for this new application pool, whether you use it or not.
At work I am struggling a bit with the following situation:
We have a web application that runs on a Windows Server 2008 64-bit machine. The app's ApplicationPool is running under the ApplicationPoolIdentity and configured for .NET 2 and Classic pipeline mode.
This works fine up to the moment that XmlSerialization requires creation of Serializer assemblies where MEF is being used to create a collection of knowntypes.
To remedy this I was hoping that granting the ApplicationPoolIdentity rights to the ASP.Net Temporary Files directory would be enough, but alas...
What I did was run the following command from a cmd prompt:
icacls "c:\windows\microsoft.net\framework64\v2.0.50727\Temporary ASP.NET Files" /grant "IIS AppPool\MyAppPool":(M)
Obviously this did not work, otherwise you would not be reading this :)
Strange thing is that whenever I grant the Users or even more specific, the Authenticated Users Group those permissions, it works. What's weird as well (in my eyes) is that before I started granting access the ApplicationPoolIdentity was already a member of IIS_IUSRS which does have Modify rights for the temporary asp files directory.
And now I'm left wondering why this situation requires Modify rights for the Authenticated Users group. I thought it could be because the apppool account was missing additional rights (googling for this returned some results, so I tried those), but granting the ApplicationPoolIdentity modification rights to the Windows\Temp directory and/or the application directory itself did not fix it.
For now we have a workaround, but I hate that I don't know what is exactly going on here, so I was hoping any of you guys could shed some light on this.
Thanx in advance!
If the application pool is running as AppPool Identity then things should work out-of-the box since the worker process will be injected the IIS_IUSRS SID which will have the right permissions to write.
My guess is that the application must be using Windows authentication and impersonation is enabled in ASP.NET, so that code is probably being run as the specific user that is making the request and not necessarily the process identity.
Am I right on the guess that the app is running Windows Authentication? and impersonation is enabled in asp.net ?
Might not be relevant to you - but if you are running the app pool as a domain user, the rules change on the automatic injection of IIS_IUSRS token into the process at startup. This caught us out recently when moving to .net 4, and not having permission on the new Temporary ASP.net Files directory.
See here for a workaround: http://www.yusufozturk.info/iis7/asp-net-write-access-error-on-iis7-5.html
Can someone guide me to a reference for the minimum security permissions on each web folder in an IIS7 website?
For Users, Admin, System, Network Service?
I have Network Service as a DB Owner on SQL as well, is this necessary or should I restrict access from it?
EDIT: MVC FOLDERS SPECIFICALLY
I'd recommend creating an app pool in IIS and setting its ID to the proper account. Then, you only have to grant that account access on your application's folders as well as the database (trusted connection). You gain a lot more control this way.
I would definitely not set Network Service as db_owner.
Not a direct answer, but I sidestep this issue by having my application installer run "aspnet_regiis -ga SomeDomain\SomeUser" to grant the service account all necessary permissions to run an ASP.NET application.
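To check a site against the least-privilege advice in this thread (only the pool's identity, not Users, Authenticated Users, Everyone or all of IIS_IUSRS, should be able to write), here is an added PowerShell audit that is not from the thread: it walks a web root and reports every Allow entry carrying write bits, flagging the broad principals. The folder path is a placeholder.

```powershell
# Added example: report write-capable ACL entries under a web root and flag broad principals.
# Run elevated so every subfolder's ACL can be read.
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\IIS_IUSRS')

function Get-WriteGrants {
    param([Parameter(Mandatory)][string]$Root)
    # Write = WriteData|AppendData|WriteEA|WriteAttributes; Modify and FullControl both contain these bits,
    # so one bitmask test catches all three. (Generic-rights ACEs, rare on content folders, are not decoded.)
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
    $dirs = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        foreach ($ace in (Get-Acl -Path $d.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            [pscustomobject]@{
                Folder    = $d.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Broad     = ($BroadPrincipals -contains $who)   # case-insensitive match
            }
        }
    }
}

# Broad grants sort first: those are the entries to replace with a grant to
# "IIS AppPool\<pool>" (or the pool's dedicated service account) only.
Get-WriteGrants -Root 'C:\inetpub\wwwroot\MyMvcApp' |
    Sort-Object Broad -Descending |
    Format-Table Folder, Principal, Rights, Inherited, Broad -AutoSize
```

Entries marked Inherited come from a parent folder (often the wwwroot default ACL), so removing them means adjusting the parent or breaking inheritance on the web root rather than editing the subfolder.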