IIS Server Security - Re: AD Custom App Pool identity, Custom IUSR identity, and a lot m


Re: AD Custom App Pool identity, Custom IUSR identity, and a lot m
Author: Ken Schaefer

2005-05-21, 7:51 am

"pj_servadmin" <pjservadmin@discussions.microsoft.com> wrote in message
news:D8BE69D2-BB09-4CD8-8435-55B77A063D21@microsoft.com...
: Thanks for the answers that you could provide so far Ken,
:
: Followup from question #1, the effects of revert self function in IIS 5.0 is
: the same as running all web applications in the same app pool in IIS 6.0,
: since by default IIS 5.0 has all applications run by the same user, correct?

I think this would depend if the application involves ASP.NET or not.
ASP.NET applications, by default, all run inside a single aspnet_wp.exe
process. I'm not really familiar with how you segregate applications here,
though you may be able to use code-access-security to restrict what they can
do.

: Repost of the second half of Question #3: Who or where does ASP and/or
: ASP.NET run in worker process isolation mode?

I'm not entirely sure about this question. The Web Application Pool identity
(e.g. Network Service) is used as the default impersonated identity by
ASP.NET. ASP pages will use IUSR_<machinename> (if the default "allow
anonymous authentication" is maintained), or whatever Windows account the
remote user logs on as (if you force authentication).

: Clarification on Question #5, I need to make hundreds of IUSR's and AppPool
: Id's. Maybe the question should have read: there is no tool provided by
: Microsoft to easily create dozens/hundreds of IUSR's and AppPool Id's,
: correct?

Um - any of the user management tools could be used. There are plenty of
command line tools for creating/manipulating domain and user accounts (from
ldifde, dsadd etc through to net user). You can call these from within a
batch file that also does your website provisioning. You can then use ADSI
or WMI to set the properties for the website/web app pool. The adsutil.vbs
tool located in c:\inetpub\adminscripts\ will make it easy to use ADSI.


: New question: #6) I found
: http://www.microsoft.com/technet/pr...86e85fa1ff.mspx
: (IIS and Built-in Accounts (IIS 6.0)) to be pretty helpful, any other
: articles/how to's/faq's/webcasts that explain some more in this topic area?

Not OTOH, but I'll have a poke around.

Cheers
Ken



: Thanks!
:
: "Ken Schaefer" wrote:
:
: > Sorry for the very quick answers - a bit busy at the moment:
: >
: > 1) You are probably thinking of "revert to self". If you are running a
: > thread under an impersonated account (via ImpersonateLoggedOnUser etc), then
: > calling RevertToSelf will set the thread's identity back to the identity of
: > the originating process (typically the Web Application Pool's identity). The
: > Web Application Pool's identity will have access to everything in the Web
: > App Pool. This makes it hard (probably impossible) to segregate content from
: > multiple websites that are running inside a single Web App Pool. If you do a
: > search for RevertToSelf you'll find a ton of info in MSDN etc:
: > http://www.google.com/search?q=site...om+revertToSelf
: >
: > 2) Each website should be in its own Web Application Pool. Each WAP should
: > have its own identity. Each website (or application) in the pool should
: > have its own custom IUSR_machinename account. NTFS ACLs should be set on
: > the content of each website so that only the relevant IUSR account (plus
: > Administrators, System, WAP identity etc) can access the content. This stops
: > IUSR for Site1 using the File System Object (or similar) to access content
: > in someone else's website.
: >
: > 3) That is correct. IWAM and ASPNET are only used if you are running in IIS5
: > Compatibility Mode.
: >
: > 4) Not sure about this - I will need to check.
: >
: > 5) You can do this via the IIS Manager or you can do it via scripting (ADSI
: > or WMI). There is a tool adsutil.vbs that is supplied with IIS
: > (c:\inetpub\adminscripts) that makes it easy to work with the IIS ADSI
: > provider.
: >
: > Cheers
: > Ken
: >
: > --
: > Blog: www.adopenstatic.com/cs/blogs/ken/
: > Web: www.adopenstatic.com
: >
: >
: > "pj_servadmin" <pjservadmin@discussions.microsoft.com> wrote in message
: > news:94E7A884-3A8D-43AD-823A-3CE9FD001471@microsoft.com...
: > : I am probably going to misquote the microsoft rep I talked to (it was
: > : months ago), but here it goes:
: > : "In (mass vhost/webhosting/isp) type scenarios you should segregate all
: > : web applications that need high security by configuring custom App Pool
: > : Identities for each. There is a 'return self' function in (asp/asp.net)
: > : that would give an application access to everything running in the
: > : application pool."
: > :
: > : First off, is this correct? What is the 'return self' function? Is this
: > : documented?
: > :
: > : Second, if the above is correct, is the same thing to be said of the IUSR
: > : account? Or does the IUSR account not matter because it only has access to
: > : the same things you would over the internet via http - read only access
: > : (unless there were IUSR write directories)?
: > :
: > : Third, am I correct that the ASPNET/IWAM users are useless in IIS 6.0 if
: > : running in worker process isolation mode (not iis 5.0 isolation mode)? Who
: > : or where does ASP and/or ASP.NET run in worker process isolation mode?
: > :
: > : Fourth, how come the 'Generate Security Audits' and 'Log On As A Service'
: > : privileges are only on the Network Service account, and not the IIS_WPG
: > : group? Is this a security risk/useful to add those privileges to custom
: > : App Pool identities that are placed inside the IIS_WPG?
: > :
: > : Fifth, why is there no Microsoft Supplied tool to configure custom
: > : Application Pool Identities (or is there?), even though this is apparently
: > : a best practice to do so? (aka: this would decrease TCO)
: > :
: > : Thanks in advance!
: >
: >
: >

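A batch-file provisioning skeleton of the kind Ken describes: net user for the per-site accounts, cacls for the NTFS ACLs, and adsutil.vbs for the pool and site properties. This is an added example, not code from the thread or from Microsoft; the site name, passwords, paths, the IUSR_/WP_ naming and the parsing of iisweb.vbs output are assumptions.

```batch
@echo off
REM Constructed per-site provisioning script (added example, not from the thread).
REM Assumes IIS 6.0 on Windows Server 2003 in worker process isolation mode, run
REM as a local administrator, with the site content already placed in SITEROOT.
REM Site name, host name, paths and both passwords are placeholders.
setlocal
set SITE=site1
set SITEROOT=D:\websites\%SITE%
set HOSTNAME=www.%SITE%.example
set ADSUTIL=cscript //nologo c:\inetpub\adminscripts\adsutil.vbs
set IISWEB=cscript //nologo %SystemRoot%\system32\iisweb.vbs

REM Two dedicated local accounts per site: an anonymous (IUSR) account for ASP
REM requests and a separate worker-process identity. Generate strong random
REM passwords in a real deployment instead of hard-coding them here.
set IUSR=IUSR_%SITE%
set WPUSER=WP_%SITE%
set IUSRPASS=placeholder-iusr-password
set WPPASS=placeholder-wp-password
net user %IUSR% %IUSRPASS% /add /comment:"Anonymous account for %SITE%" /passwordchg:no
net user %WPUSER% %WPPASS% /add /comment:"App pool identity for %SITE%" /passwordchg:no
REM A custom worker-process identity must be a member of IIS_WPG.
net localgroup IIS_WPG %WPUSER% /add

REM NTFS: replace the ACL so only this site's two accounts (plus Administrators
REM and SYSTEM) can read the content; another site's IUSR cannot reach it via
REM FileSystemObject. "echo y|" answers the cacls confirmation prompt.
echo y| cacls "%SITEROOT%" /T /G Administrators:F SYSTEM:F %IUSR%:R %WPUSER%:R

REM Create the web site and capture its metabase site ID. Assumes iisweb.vbs
REM prints a line of the form "Site ID         = 1234567890" (4th token).
for /f "tokens=4" %%i in ('%IISWEB% /create "%SITEROOT%" "%SITE%" /b 80 /d %HOSTNAME% ^| find "Site ID"') do set SITEID=%%i

REM Dedicated application pool running as the per-site identity
REM (AppPoolIdentityType 3 = specific user account).
%ADSUTIL% CREATE W3SVC/AppPools/%SITE%Pool IIsApplicationPool
%ADSUTIL% SET W3SVC/AppPools/%SITE%Pool/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%SITE%Pool/WAMUserName %COMPUTERNAME%\%WPUSER%
%ADSUTIL% SET W3SVC/AppPools/%SITE%Pool/WAMUserPass %WPPASS%

REM Bind the site root to its own pool and its own anonymous account, so neither
REM the pool identity nor the IUSR account is shared with any other site.
%ADSUTIL% SET W3SVC/%SITEID%/Root/AppPoolId %SITE%Pool
%ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousUserName %COMPUTERNAME%\%IUSR%
%ADSUTIL% SET W3SVC/%SITEID%/Root/AnonymousUserPass %IUSRPASS%
endlocal
```

Run once per site from an elevated command prompt; afterwards, check that the worker process for the new pool appears under the WP_ account in Task Manager and that browsing the site as anonymous still serves content.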