Goodbye Network Service!

IIS 6.0 introduced a number of features to increase reliability and security. The main architectural change was the worker process, w3wp.exe. To reduce the privilege of that process, IIS 6.0 by default launched it under the NT AUTHORITY\Network Service account, a low-privilege predefined account introduced with Windows Server 2003. All of the guidance and documentation at the time recommended running the worker process as Network Service.

With IIS 7.0 the concept of an ApplicationPoolIdentity was introduced. For each application pool IIS 7.0 generates an ephemeral configuration file in C:\inetpub\temp\appPools and the worker process reads its configuration from it. That file is ACL'ed to the pool's ApplicationPoolIdentity (IIS APPPOOL\ApplicationPoolName).

[Screenshot: iis7icacls]

This adds a new layer of security as now the configuration file is only accessible by that application pool. The ApplicationPoolIdentity can also be used as the account for Anonymous Authentication.

[Screenshot: iis7auth]

Instead of using the generic IUSR account you can now ACL your content using the ApplicationPoolIdentity.

[Screenshot: icacls]

This means your content is only readable by the TestWebSite application pool. If any other application pool tries to access or run the content, IIS returns a 401.3 Unauthorized error. In IIS 7.0, however, the w3wp.exe process itself is still launched as Network Service.

With IIS 7.5 security is tightened further: the w3wp.exe process now runs as the ApplicationPoolIdentity by default. Going forward, on Windows Server 2008 R2 and Windows 7 the worker process is run by default as the ApplicationPoolIdentity, which is a Managed Service Account. Managed Service Accounts are a new concept in Windows 7 / Windows Server 2008 R2; you can read more about them at https://technet.microsoft.com/en-us/library/dd367859.aspx

[Screenshot: taskmgr]

What this means is that you now need to ACL your content for the ephemeral ApplicationPoolIdentity account (IIS APPPOOL\ApplicationPoolName) instead of for NT AUTHORITY\Network Service.

In the near future IIS will by default distance itself from Network Service. But you still do have the option to change the identity back to Network Service.
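The following is a worked example added here, not code from the original post: it switches a pool off Network Service, points anonymous authentication at the pool identity, and ACLs the content for that identity only, using the WebAdministration module and icacls. The pool and site name TestWebSite and the content path C:\inetpub\TestWebSite are assumed.

```powershell
# Added example (not from the original post). Assumed names: application pool and
# site "TestWebSite", content folder C:\inetpub\TestWebSite. Run as administrator.
Import-Module WebAdministration

$poolName    = "TestWebSite"
$siteName    = "TestWebSite"
$contentPath = "C:\inetpub\TestWebSite"
$poolSid     = "IIS APPPOOL\$poolName"   # the ephemeral ApplicationPoolIdentity

# 1. Run the worker process as the ApplicationPoolIdentity instead of Network Service.
Set-ItemProperty -Path "IIS:\AppPools\$poolName" `
    -Name "processModel.identityType" -Value "ApplicationPoolIdentity"

# 2. Let anonymous requests run as the pool identity too: an empty userName means
#    "use the application pool identity" instead of the shared IUSR account.
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName `
    -Filter "/system.webServer/security/authentication/anonymousAuthentication" `
    -Name "userName" -Value ""

# 3. Grant the pool identity read/execute on the content (inherited by subfolders
#    and files) and drop any explicit grant that still targets Network Service.
icacls $contentPath /grant "${poolSid}:(OI)(CI)(RX)" /T
icacls $contentPath /remove "NT AUTHORITY\NETWORK SERVICE" /T

# 4. Verify: the pool identity must be listed, Network Service must not.
$acl = (icacls $contentPath) -join "`n"
if ($acl -match [regex]::Escape($poolSid) -and $acl -notmatch "NETWORK SERVICE") {
    Write-Host "OK: $contentPath is ACL'ed for $poolSid only"
} else {
    Write-Warning "ACL on $contentPath does not look right:`n$acl"
}
```

Note that `icacls /remove` only strips explicit ACEs; a Network Service entry inherited from C:\inetpub has to be broken with `icacls $contentPath /inheritance:d` before it can be removed.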


[Screenshot: applicationpoolidentity]
