IIS Application Pool Identity Security
As we can see, IIS AppPool\900300 is a member of the Users group.
For example, if you create an application pool with the name smartcrypt, a security identifier with the name smartcrypt is created in Windows. It is a dynamically created, unprivileged account. applicationHost.config may contain sensitive personal information, such as the user name and password for custom application pool identities or the user name and password for virtual directories. For example, I have a pool here named 900300, which has an application pool identity of IIS AppPool\900300.
Resources can be secured by using this identity. Whether you are running your site on your own server or in the cloud, security must be at the top of your priority list. If so, you will be happy to hear that IIS has a security feature called the application pool identity. The name is in the format of IIS AppPool\<app pool name>. Right-clicking on Properties for the process and selecting the Security tab, we see.
Now I go to the www root folder and do right-click, Properties. IIS AppPool\<app pool name>. Note: If the application pool is named DefaultAppPool just replace this text below if it is named differently. Open Windows Explorer.
Per comments below, there are two things to be aware of. On IIS 8.0, the IIS Admin Worker Process (WAS) will create a virtual account with the name of the new application pool and run the application pool's worker processes under this account by default. Enter the string directly into the Select User or Group dialog and not in the search field. When using the application pool identity, local resources are accessed using the identity of the application pool (e.g. IIS AppPool\DefaultAppPool) and network resources are accessed using the identity of the machine account (e.g. cmcwebserver1).
Whenever a new application pool is created, IIS creates a security identifier (SID) that represents the name of the application pool itself. If the AppPoolIdentity identity type is selected (this is the default on Windows 7 and Windows Server 2008 R2), IIS will run worker processes as the application pool identity. This is done to prevent IIS worker processes from application pool A from being able to read configuration information in the applicationHost.config file that is intended for application pool B. With every other identity type, the security identifier is only injected into the access token of the process.
I am using Windows Server 2008 (version 6.0.6002). I am using ApplicationPoolIdentity for my DefaultAppPool in IIS 7.