How to modify the user group of IIS APPPOOL\xxx

xiongfj xiongfj 0 Reputation points
2024-05-31T08:08:17.33+00:00

I created an IIS website; the application pool name is testAppPool.

Then I ran the following code in the website to obtain the current user's group permissions:

```csharp
using System.Security.Principal;

// Identity the worker process is running as (the application pool identity).
WindowsIdentity winIdentity = WindowsIdentity.GetCurrent();
string str = "";

str += "<br/>Current user name:\t" + winIdentity.Name;
str += "<br/>Current user authentication type:\t" + winIdentity.AuthenticationType;
str += "<br/>Current user SID:\t" + winIdentity.User;
str += "<br/>Current user token:\t" + winIdentity.Token;
str += "<br/>Token owner SID:\t" + winIdentity.Owner;
str += $"<br/>Current user has {winIdentity.Groups.Count} group memberships.";

// Translate each group SID in the token to its NT account name.
foreach (IdentityReference group in winIdentity.Groups)
{
    NTAccount ntAcc = (NTAccount)group.Translate(typeof(NTAccount));
    str += $"<br/>&nbsp;&nbsp;&nbsp;&nbsp;Group :&nbsp;&nbsp;{ntAcc.Value}&nbsp;&nbsp;&nbsp; ";
}
```


I got a result like this:

```text
Current user name: IIS APPPOOL\test
Current user authentication type: Negotiate
Current user SID: S-1-5-82-2084461697-3881244625-4442817516-662440669-514472240
Current user token: 2080
Token owner SID: S-1-5-82-2084461697-3881244625-4442817516-662440669-514472240
Current user has 9 group memberships.
    Group :  Everyone
    Group :  BUILTIN\Users
    Group :  NT AUTHORITY\SERVICE
    Group :  CONSOLE LOGON
    Group :  NT AUTHORITY\Authenticated Users
    Group :  NT AUTHORITY\This Organization
    Group :  BUILTIN\IIS_IUSRS
    Group :  LOCAL
    Group :  【SID: S-1-5-82-0】
```

It contains the user group BUILTIN\Users, and I found that IIS APPPOOL\test can access all disks, both read and modify.

But I found that IIS APPPOOL\test isn't in the Users Group of Computer Management.

How can I remove the IIS APPPOOL\test account from the BUILTIN\Users group?

Thanks very much.

Internet Information Services

3 answers

  1. Lex Li (Microsoft) 5,072 Reputation points Microsoft Employee
    2024-05-31T11:16:03.85+00:00

    The user group membership and permissions you observed are required by IIS itself to work properly, as documented in https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/default-permissions-user-rights

    So, if your goal is to limit what resources can be accessed by IIS APPPOOL\test, the right way is to harden the system with typical approaches (such as adding NTFS deny rules for such pool identities so that they lose access to part of Windows).

    Windows Server hardening is a very specific task that requires years of experience and proper guidance. Contact your server administrators or security officers if possible.


  2. MotoX80 32,531 Reputation points
    2024-05-31T13:50:43.85+00:00

    See https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

    Securing Resources

    Whenever a new application pool is created, the IIS management process creates a security identifier (SID) that represents the name of the application pool itself. For example, if you create an application pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.

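Both answers above point the same way: the pool identity cannot be taken out of BUILTIN\Users, but the virtual account "IIS AppPool\<poolname>" can be used directly in NTFS ACLs. The following PowerShell is an added example (not from the question, the answers, or the linked docs) that audits which ACEs on a folder grant BUILTIN\Users write-capable rights and then adds an explicit Deny ACE for the pool identity on that folder; the pool name `test` and the path `D:\Data` are constructed sample values, and the script assumes it runs elevated on the server where that pool exists, since the virtual identity resolves only there.

```powershell
# Assumed sample values: pool "test" exists on this host; D:\Data is the folder to protect.
$AppPoolName = 'test'
$Path        = 'D:\Data'
$identity    = "IIS AppPool\$AppPoolName"   # virtual account; not visible in Computer Management

$acl = Get-Acl -Path $Path

# 1. Audit: which ACEs on this folder give BUILTIN\Users (and so every pool identity) write access?
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$acl.Access |
    Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 2. Mitigate: an explicit Deny for the pool identity wins over the inherited Allow it gets
#    through BUILTIN\Users. Scope it to this folder and its children only; denying Modify
#    on whole drive roots can break IIS's own working directories.
$denyRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity,
    'Modify',                          # FileSystemRights
    'ContainerInherit,ObjectInherit',  # apply to subfolders and files
    'None',                            # PropagationFlags
    'Deny'                             # AccessControlType
)
$acl.AddAccessRule($denyRule)
Set-Acl -Path $Path -AclObject $acl

# 3. Verify: the Deny ACE for the pool identity should now be listed on the folder.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

To check the effect from the application's side, re-run the original identity code and attempt a write under `D:\Data`; the worker process should now receive an access denied error while the rest of its group memberships stay unchanged.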

  3. Bruce (SqlWork.com) 59,471 Reputation points
    2024-06-01T20:34:47.7966667+00:00

    The BUILTIN\Users group is any authenticated user. This group should not have many permissions assigned to it. If your app pool account has too much access, it’s probably not this group but rather the 【SID: S-1-5-82-0】 account.
