Windows Security

  • Article

This topic describes the Window Server security accounts and groups that Windows Server AppFabric creates and leverages. These groups provide the physical implementation of the conceptual security roles defined by the AppFabric system.

Two security groups are created by AppFabric during installation: COMPUTERNAME\AS_Administrators and COMPUTERNAME\AS_Observers. AppFabric also uses the Windows built-in NT AUTHORITY\Local Service and BUILTIN\IIS_IUSRS accounts. NT AUTHORITY\Local Service serves at the logon identity for the Event Collection service and the Workflow Management service. The BUILTIN\IIS_IUSRS account is used as a SQL Server login account for application pool identity of NET services with the persistence database. AppFabric system administrator-related tasks, such as deploying applications and configuring file system security, require membership in the local Administrators group.

AppFabric Conceptual Security Roles

Model your security solution by classifying your users into one of three conceptual AppFabric security roles: Application Server Administrators, Application Server Observers, and Application Server Users. These three conceptual security roles carry specific permissions to support administrators, observers, and users, respectively. You can compare using the AppFabric conceptual security roles to creating a simple logical flowchart at the beginning of developing a computer program. By completing the conceptual design first, the physical implementation is an easier and more fluid process. You then take the users assigned to each role and map them initially to Windows security accounts and groups, and eventually to SQL Server database roles. For more information on the conceptual AppFabric security roles, see Security Model for Windows Server AppFabric.

AppFabric Windows Security Groups

AppFabric Administrators Group

The AppFabric administrators Windows security group, AS_Administrators, gives you full control over application configuration, monitoring, and persistence. Members of the group can:

  • Suspend, resume, terminate, and delete persisted instances

  • Create and remove event sources and event collectors

  • View, purge, and archive monitoring data

The AppFabric system NT services (Event Collection service and Workflow Management service) automate AppFabric management tasks such as collecting events and recovering instances after a system failure or restart. The AppFabric setup designates NT AUTHORITY\Local Service as the logon account for the Event Collection service and Workflow Management service. During setup, the NT AUTHORITY\Local Service account is also made a member of the COMPUTERNAME\AS_Administrators local security group. This ensures that the AppFabric system services have the proper permissions to carry out their operations.

Note

Other NT services can also use LocalService as the logon account. To avoid any service running as the LocalService account to have permissions to all other services running as this same account identity, Windows uses the concept of a SID per each service. This means that Event Collection service and Workflow Management service use a proxy account for LocalService to the COMPUTERNAME\AS_Administrators local security group. The accounts are of the format NT SERVICE\AppFabricEventCollectionService and NT SERVICE\AppFabricWorkflowManangementService, and will be seen in the COMPUTERNAME\AS_Administrators local security group after installation is complete.

Attribute Value

Name

COMPUTERNAME\AS_Administrators

Rights
  • Read/administer persistence data

  • Read/write/administer monitoring data

  • Read configuration information

  • Command applications

  • Subscribe to events

Default members

NT AUTHORITY\Local Service represented by NT SERVICE\AppFabricEventCollectionService and NT SERVICE\AppFabricWorkflowManangementService

Default member of

None

AppFabric Observers Group

The Application Server observers Windows security group, AS_Observers, gives you full visibility into application persistence and monitoring data. Application Server Observers (AS_Observers) can:

  • Enumerate applications and services

  • View application and service configuration

  • View monitoring data

  • Examine persisted instances

Important

By default, members of the Application Server Observers security group can view tracking and persistence data for all applications on the local server or domain.

Attribute Value

Name

COMPUTERNAME\AS_Observers

Rights
  • Read persistence data

  • Read monitoring data

  • Read configuration information

Default members

None

Default member of

None

AppFabric Users Group

Assign IIS application pool identity accounts to this role to allow applications to use shared persistence stores and shared system services such as timers. The Application Server Users role is assigned to the IIS security group BUILTIN\IIS_IUSRS. For more information about the IIS_IUSRS built-in group, see IIS 7.0: Configure Web Server Security (https://go.microsoft.com/fwlink/?LinkID=131918).

Due to its local scope, the BUILTIN\IIS_IUSRS group is not used within a domain environment. As you develop your domain security model, the types of members that would be in the locally scoped BUILTIN\IIS_IUSRS group will be replaced with the application identities of the IIS application pools hosting NET WCF and WF services in a domain users group.   Since domain accounts are not created by the AppFabric installation program, you will need to manually create a domain-level representative of BUILTIN\IIS_IUSRS. For instance, you can create the MyDomain\MyDomainASUsers group, and add the domain identities of the AppFabric IIS application pools to this group. When configuring AppFabric persistence, you will specify this group  (MyDomain\MyDomainASUsers) as appropriate. This occurs when providing input in the Users field within the Security Configuration section of the Persistence Store Configuration dialog box, or within the –Users field within the Initialize-ASPersistenceSqlDatabase cmdlet.  Doing this will add the MyDomain\MyDomainASUsers SQL login to the AppFabric persistence database.  At runtime, the identities of the IIS application pools will have permission into the persistence database under the System.Activities.DurableInstancing.InstanceStoreUsers role. For more information about how to configure the Users group during configuration using the Initialize-ASPersistenceSqlDatabase cmdlet, see Create and Initialize a Database Using Windows Server AppFabric Cmdlets. For more information about how to configure the Users group during configuration using the Windows Server AppFabric Configuration Wizard, see Windows Server AppFabric Configuration Wizard. For information on the difference in default application pool identity from IIS 7 to IIS 7.5, see Application Pool Identities.

Attribute Value

Name

BUILTIN\IIS_IUSRS

Rights
  • Read/write persistence data

  • Publish events

  • Read configuration information

Windows System Administrators Group

Assign users to the normal Windows system Administrators group to allow them to deploy and undeploy applications by using tools such as IIS Manager or MSDeploy. Membership in this group also allows editing of server, site, or application configuration.

Attribute Value

Name

COMPUTERNAME\Administrators

Rights

Full control over application files, directories, and configuration.

AppFabric Domain Security

When using more than one AppFabric server in a Web farm, it is a best practice to shift security from the local AS_Administrators and AS_Observers Windows security groups created during installation on a single computer to using their domain counterparts across multiple computers. Domain security accounts and groups must be properly configured before you can successfully configure AppFabric on Web farm servers. If you are using Active Directory, you can design your AppFabric security roles by using domain accounts to simplify security across computers.  The AppFabric administrator can explicitly create two custom group accounts through Active Directory for the administrators and observers roles. For example, you could call them “DOMAIN\MyAppFabricAdmins” and “DOMAIN\MyAppFabricObservers”.   The administrator can then grant administrative permissions to the DOMAIN\MyAppFabricAdmins group on the computer that is using AppFabric, and similarly with “DOMAIN\MyAppFabricObservers”.

The local AS_Administrators and AS_Observers groups created during AppFabric setup on a single server are not used to secure a Web farm using multiple AppFabric servers. You will have to use domain accounts instead. Be aware that the AppFabric installation and configuration programs will not create any domain accounts for you, so you must create them manually by using Active Directory. Create domain Windows security groups representing each of the AppFabric conceptual roles (Administrators, Observers, and Users). Grant the users assigned to these groups the appropriate privileges associated with each AppFabric conceptual role, but at the domain scope level. You will then specify them during the AppFabric configuration process.

The service identities under which the Event Collection service and Workflow Management service will run on the various servers in the Web farm should be in the domain AppFabric administrators group. Typically this will include the AppFabric domain administer user account. The “Log on as a service” privilege must be granted to the users in this group and enforced in the domain. This right allows a security principal to log on as a service. Any service that runs under a separate user account must be assigned the right.