
Which account does asp.net need permissions setting on in .net 4 on Win7?

I've been stuck working on XP Pro for what seems like forever and only recently switched to Win 7. Running IIS 7.5, I find it really confusing as to which account needs access these days to allow an ASP.NET website to run/read/write etc.

I end up getting frustrated and just giving "everyone" access but I'm not really happy with that. What account should I be giving permissions to so I get this right once and for all?

Cheers

Pete Duncanson asked Dec 12 '11 11:12


2 Answers

By default, a virtual user is created on the fly that's named after the application pool; it's marked as ApplicationPoolIdentity in the IIS manager. This user belongs to the group IIS_IUSRS.

IIS 7.5 has an application pool that is run using the credentials of a particular user. Unless you tell your site otherwise (through impersonation, see http://msdn.microsoft.com/en-us/library/xh507fc5(v=VS.100).aspx) it's this identity that will be used.

Note that this is a virtual user - see http://learn.iis.net/page.aspx/624/application-pool-identities/. For maximum security a new virtual user for each application pool is created on-the-fly each time the pool is started -- so, in particular, you won't see it listed in the "Select Users or Groups" dialog when setting permissions for folders.

To get around this, you can either:

  • Set the permission for the file to allow read access to the group IIS_IUSRS
  • or, more securely, change the user identity for each application pool and use that.

To change the user identity, use the IIS Manager. Right click My Computer, choose Manage, expand Services, then choose IIS Manager; you'll see a list of the application pools as currently configured.

Here's mine:

enter image description here

As you can see, I'm just using the default identity for all my applications. Right click on a pool and choose Advanced Settings; you'll see this:

enter image description here

which lets you change the identity as appropriate.

There are also ways of viewing and changing the identity using WMI: see http://technet.microsoft.com/en-us/library/cc771170(WS.10).aspx.

Jeremy McGee answered Oct 03 '22 21:10


The virtual user account isn't ApplicationPoolIdentity. The username will match the name of the app pool it's associated with.

There is no UI to edit these users, but to limit access to the web apps running in DefaultAppPool, type "IIS AppPool\DefaultAppPool" in the Explorer find user box with the local machine set as the source.

The local group IIS_USERS is created to automatically contain these virtual users, so if you don't want anything fruity like limiting access by app pools, assign the rights to this group that you would have assigned to NETWORKSERVICE under XP/2003.

Simon Halsey answered Oct 03 '22 20:10
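The per-pool grant described in the answers, scripted as an added example (not code from either answer): it gives the `IIS AppPool\<pool name>` virtual account read access to the site and write access to a single folder, then lists any "Everyone" entries left on the site root for review. The site path and the `App_Data` writable folder are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example. $SiteRoot and $WritableDir are hypothetical paths, not from the page.
param(
    [string]$AppPool     = 'DefaultAppPool',
    [string]$SiteRoot    = 'C:\inetpub\wwwroot\MySite',
    [string]$WritableDir = 'C:\inetpub\wwwroot\MySite\App_Data'
)

# The virtual account is addressed as "IIS AppPool\<pool name>".
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$AppPool")

# Fail early if the name does not resolve (for example a mistyped pool name),
# before any ACL is modified.
try {
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Cannot resolve '$account'. Check the application pool name."
}

function Grant-PoolRights([string]$Path, [string]$Rights) {
    # Add an inheritable Allow entry for the pool account; existing entries are kept.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Read and execute for the whole site, write access only where the app needs it.
Grant-PoolRights -Path $SiteRoot    -Rights 'ReadAndExecute'
Grant-PoolRights -Path $WritableDir -Rights 'Modify'

# Report Allow entries for Everyone (well-known SID S-1-1-0) on the site root.
# Matching on the SID avoids depending on the localized group name.
$sidType = [System.Security.Principal.SecurityIdentifier]
(Get-Acl -Path $SiteRoot).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq 'Allow'
    } |
    Select-Object FileSystemRights, IsInherited, InheritanceFlags
```

Entries shown with `IsInherited` set to `True` come from a parent folder and have to be removed there or by breaking inheritance on the site root.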