IIS Server Security - AD Custom App Pool identity, Custom IUSR identity, and a lot more.







pj_servadmin

2005-05-18, 6:03 pm

I am probably going to misquote the Microsoft rep I talked to (it was months
ago), but here it goes:
"In (mass vhost/webhosting/isp) type scenarios you should segregate all web
applications that need high security by configuring custom App Pool
Identities for each. There is a 'return self' function in (asp/asp.net) that
would give an application access to everything running in the application
pool."

First off, is this correct? What is the 'return self' function? Is this
documented?

Second, if the above is correct, is the same thing to be said of the IUSR
account? Or does the IUSR account not matter because it only has access to
the same things you would over the internet via http - read only access
(unless there were IUSR write directories)?

Third, am I correct that the ASPNET/IWAM users are useless in IIS 6.0 if
running in worker process isolation mode (not iis 5.0 isolation mode)? Who or
where does ASP and/or ASP.NET run in worker process isolation mode?

Fourth, how come the 'Generate Security Audits' and 'Log On As A Service'
privileges only on the Network Service account, and not the IIS_WPG group? Is
this a security risk/useful to add those privileges to custom App Pool
identities that are placed inside the IIS_WPG?

Fifth, why is there no Microsoft Supplied tool to configure custom
Application Pool Identities (or is there?), even though this is apparently a
best practice to do so? (aka: this would decrease TCO)

Thanks in advance!

Ken Schaefer

2005-05-18, 8:50 pm

Sorry for the very quick answers - a bit busy at the moment:

1) You are probably thinking of "revert to self". If you are running a
thread under an impersonated account (via ImpersonateLoggedOnUser etc), then
calling RevertToSelf will set the thread's identity back to the identity of
the originating process (typically the Web Application Pool's identity). The
Web Application Pool's identity will have access to everything in the Web
App Pool. This makes it hard (probably impossible) to segregate content from
multiple websites that are running inside a single Web App Pool. If you do a
search for RevertToSelf you'll find a ton of info in MSDN etc:
http://www.google.com/search?q=site...om+revertToSelf

2) Each website should be in its own Web Application Pool. Each WAP should
have its own identity. Each website (or application) in the pool should
have its own custom IUSR_machinename account. NTFS ACLs should be set on
the content of each website so that only the relevant IUSR account (plus
Administrators, System, WAP identity etc) can access the content. This stops
IUSR for Site1 using the File System Object (or similar) to access content
in someone else's website.

3) That is correct. IWAM and ASPNET are only used if you are running in IIS5
Compatibility Mode.

4) Not sure about this - I will need to check.

5) You can do this via the IIS Manager or you can do it via scripting (ADSI
or WMI). There is a tool adsutil.vbs that is supplied with IIS
(c:\inetpub\adminscripts) that makes it easy to work with the IIS ADSI
provider.

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


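As an added example (not code from the thread or from either poster), the following batch script applies Ken's points 2 and 5 with adsutil.vbs on IIS 6: one site gets its own application pool with a custom pool identity, its own anonymous (IUSR) account, and a content ACL that names only those principals. The site ID (1), pool and account names, content path and the password placeholders are all assumptions; run it from an elevated command prompt on the IIS host.

```batch
@echo off
rem Added example, not part of the original thread. Assumes IIS 6 on
rem Windows Server 2003, website ID 1 (W3SVC/1) with content in D:\sites\site1.
rem All names and passwords below are placeholders chosen for this example.
setlocal
set SITEID=1
set POOL=Pool_site1
set POOLACCT=AppPool_site1
set POOLPASS=<pool-password-placeholder>
set IUSRACCT=IUSR_site1
set IUSRPASS=<iusr-password-placeholder>
set CONTENT=D:\sites\site1
set ADSUTIL=cscript //nologo %SystemDrive%\inetpub\adminscripts\adsutil.vbs

rem 1. Local accounts. The pool identity must be a member of IIS_WPG so the
rem    worker process can start; the anonymous account must not be.
net user %POOLACCT% %POOLPASS% /add /passwordchg:no
net localgroup IIS_WPG %POOLACCT% /add
net user %IUSRACCT% %IUSRPASS% /add /passwordchg:no

rem 2. Create the pool and run it as that specific user
rem    (AppPoolIdentityType 3 = SpecificUser; 2 would be Network Service).
%ADSUTIL% CREATE W3SVC/AppPools/%POOL% IIsApplicationPool
%ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserName %COMPUTERNAME%\%POOLACCT%
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserPass %POOLPASS%

rem 3. Move the site root into that pool and give it its own anonymous user.
rem    AnonymousPasswordSync must be false, or IIS ignores the password we set.
%ADSUTIL% SET W3SVC/%SITEID%/Root/AppPoolId %POOL%
%ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousPasswordSync false
%ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousUserName %COMPUTERNAME%\%IUSRACCT%
%ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousUserPass %IUSRPASS%

rem 4. Replace (not edit: no /E) the content ACL so only Administrators, SYSTEM,
rem    this pool's identity and this site's IUSR hold ACEs. Code in another
rem    pool that calls RevertToSelf ends up as an identity with no ACE here.
echo y| cacls %CONTENT% /T /G Administrators:F SYSTEM:F %COMPUTERNAME%\%POOLACCT%:R %COMPUTERNAME%\%IUSRACCT%:R

rem 5. Verify what was written to the metabase and to NTFS.
%ADSUTIL% GET W3SVC/AppPools/%POOL%/WAMUserName
%ADSUTIL% GET W3SVC/%SITEID%/Root/AnonymousUserName
cacls %CONTENT%
endlocal
```

Repeat the script per site with distinct accounts; if the application needs a writable directory (uploads, logs), grant that one subdirectory Change rather than loosening the site root.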

