In Windows 7, IIS application pool isolation was taken yet to a different level. The new change introduced in IIS7 (Windows Server 2008) was a new option to run your application pool as AppPoolIdentiy. However, the default for an application pool identity in IIS7 remained the same – NetworkService. In IIS7.5, AppPoolIdentiy becomes a default. Thus, scripts previously expecting permissions for their application pool identity to be set to “NT Service\NetworkService” will now have to set permissions (ACLs) for “IIS AppPool\
Thus, to set permissions for the DefaultAppPool, the scripts will need to set ACLs for “IIS AppPool\DefaultAppPool”.
The incentive behind this change was to enforce the improved concept of process isolation through separate user accounts generated for each application pool identity.
To see other options that you can choose for your application pool identity, go to IIS Manager, Application Pools and right-click on the pool you want to configure, select Advanced Settings and Identity in the dialog that opens. You can choose one of the built-in accounts for your application pool identity:
Here is a list of built-in accounts and their corresponding usernames to use when setting permissions:
LocalService: Service
LocalSystem: System
NetworkService: Network Service
ApplicationPoolIdentity: IIS AppPool\
You can also specify an existing custom account (local or domain):
No comments:
Post a Comment