How to modify the user group of IIS APPPOOL\xxx

Question

I created a IIS website, the application pool name is testAppPool.

Then I run the following code in the website, obtain current user group permissions:

WindowsIdentity winIdentity = WindowsIdentity.GetCurrent();

str += "<br/>Current user name:\t" + winIdentity.Name;   

str += "<br/>Current user authentication type:\t" + winIdentity.AuthenticationType;    

str += "<br/>Current user SID:\t" + winIdentity.User;      

str += "<br/>Current user token:\t" + winIdentity.Token; 

str += "<br/>Token owner SID:\t" + winIdentity.Owner;      

str += $"<br/>Current user has {winIdentity.Groups.Count} group memberships.";      

foreach (IdentityReference group in winIdentity.Groups)   

{        

      NTAccount ntAcc = (NTAccount)group.Translate(typeof(NTAccount));     

      str += $"<br/>&nbsp;&nbsp;&nbsp;&nbsp;Group :&nbsp;&nbsp;{ntAcc.Value}&nbsp;&nbsp;&nbsp; ";  

}  

I got this result like this:

Current user name: IIS APPPOOL\test
Current user authentication type: Negotiate
Current user SID: S-1-5-82-2084461697-3881244625-4442817516-662440669-514472240
Current user token: 2080
Token owner SID: S-1-5-82-2084461697-3881244625-4442817516-662440669-514472240
Current user has 9 group memberships.
    Group :  Everyone    
    Group :  BUILTIN\Users    
    Group :  NT AUTHORITY\SERVICE    
    Group :  CONSOLE LOGON    
    Group :  NT AUTHORITY\Authenticated Users   
    Group :  NT AUTHORITY\This Organization   
    Group :  BUILTIN\IIS_IUSRS    
    Group :  LOCAL    
    Group :  【SID: S-1-5-82-0】

It contains the user group BUILTIN\Users, and I found that IIS APPPOOL\test can access all disks, read and modify.

But I found that IIS APPPOOL\test isn't in the Users Group of Computer Management.

How can I remove the IIS APPPOOL\test account from BUILTIN\Users group.

thanks very much.

Answer 1

The user group membership and permissions you observed are required by IIS itself to work properly, as documented in https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/default-permissions-user-rights

So, if your goal is to limit what resources can be accessed by IIS APPPOOL\test the right way is to harden the system with typical approaches (such as adding NTFS deny rules for such pool identities so that they lose access to part of Windows).

Windows Server hardening is a very specific task that requires years of experience and proper guidance. Contact your server administrators or security officers if possible.

Answer 2

See https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

Securing Resources

Whenever a new application pool is created, the IIS management process creates a security identifier (SID) that represents the name of the application pool itself. For example, if you create an application pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.

Answer 3

The BUILTIN\Users groups is any authenticated user. This group should not have many permissions assigned to it. If you app pool account has too much access it’s probably not this group but rather the 【SID: S-1-5-82-0】account.