IIS Server Security - Application Pool Identity


Author Application Pool Identity
Russ

2006-07-26, 1:25 pm

I am planning to host multiple web sites on a single server with each web
site/application being assigned a separate application pool.

For security and auditing reasons I would like to assign each application
pool a specific identity for the worker processes to run under.

2 questions -

1 - is this a good idea?
2 - If so, what are the minimum security rights required for the app pool
users?

Thanks!

Russ.
Eric Chaves

2006-07-26, 1:25 pm

Hi Russ,

I'm guessing here, but I think you should consider that each AppPool
runs under its own process, and so if you have *too many* processes running
they may cause processor starvation and stuff like that. Do you know the
average number of sites that will be hosted?
Regarding the second point, to run an app pool under another identity,
you need to add the user account to the IIS_WPG group. Do not assign the
permissions directly to the account because it seems that IIS has some
hard-coded checking against the identity belonging to this group.

Cheers,

Eric

"Russ" <Russ@discussions.microsoft.com> wrote in message
news:BF1D183E-4B22-45C2-830A-0A78E909C89F@microsoft.com...
> I am planning to host multiple web sites on a single server with each web
> site/application being assigned a separate application pool.
>
> For security and auditing reasons I would like to assign each application
> pool a specific identity for the worker processes to run under.
>
> 2 questions -
>
> 1 - is this a good idea?
> 2 - If so, what are the minimum security rights required for the app pool
> users?
>
> Thanks!
>
> Russ.



David Wang [Msft]

2006-07-26, 7:27 pm

Isolating each website with its own Application Pool usually means you plan
to host very few websites on that server because process creation overhead
will kill the server if you try for hundreds/thousands.

1. Depends on your server's available hardware resources (CPU, RAM, NIC,
HDD). Depends on what you are trying to achieve.
2. Look at the security privileges of "Network Service".

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Russ" <Russ@discussions.microsoft.com> wrote in message
news:BF1D183E-4B22-45C2-830A-0A78E909C89F@microsoft.com...
> I am planning to host multiple web sites on a single server with each web
> site/application being assigned a separate application pool.
>
> For security and auditing reasons I would like to assign each application
> pool a specific identity for the worker processes to run under.
>
> 2 questions -
>
> 1 - is this a good idea?
> 2 - If so, what are the minimum security rights required for the app pool
> users?
>
> Thanks!
>
> Russ.



Ken Schaefer

2006-07-28, 7:26 am

Do you control the web applications?

If not (i.e. other people are writing the applications) and each application
cannot be trusted to not be malicious (e.g. one application may try to
subvert another application, or steal information related to another
application, or read/write to the files that belong to another application),
then you will need to look at things such as process isolation, and ensuring
that each process runs as a separate user. Then you can use NTFS ACLs to
keep each application out of every other application.

Cheers
Ken

"Russ" <Russ@discussions.microsoft.com> wrote in message
news:BF1D183E-4B22-45C2-830A-0A78E909C89F@microsoft.com...
> I am planning to host multiple web sites on a single server with each web
> site/application being assigned a separate application pool.
>
> For security and auditing reasons I would like to assign each application
> pool a specific identity for the worker processes to run under.
>
> 2 questions -
>
> 1 - is this a good idea?
> 2 - If so, what are the minimum security rights required for the app pool
> users?
>
> Thanks!
>
> Russ.
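
An added example, not part of the thread and not code from any poster: a small audit of the NTFS isolation described above, which reads `icacls` output for each site's content directory and reports allow ACEs that let one pool's identity, or a group every pool identity belongs to (such as IIS_WPG), into another site's files. The directory layout, host name `WEB01`, the `pool_siteN` accounts and the `audit` function are assumptions made for illustration.

```python
import re

# Groups that contain every pool identity (IIS_WPG, per the thread) or every
# local account: an allow ACE for one of these reaches all pools at once.
SHARED = {"IIS_WPG", "USERS", "EVERYONE", "AUTHENTICATED USERS"}
# One icacls ACE, e.g. "WEB01\pool_site1:(OI)(CI)(RX)"
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def audit(icacls_output, sites):
    """sites maps content directory -> the pool identity meant to own it."""
    findings, current = [], None
    pool_ids = {ident.upper() for ident in sites.values()}
    for line in icacls_output.splitlines():
        for path in sites:  # an object's first line starts with its path
            if line.upper().startswith(path.upper() + " "):
                current, line = path, line[len(path):]
        m = ACE.match(line.strip())
        if not m or current is None or "(DENY)" in m["flags"]:
            continue  # not an ACE, no directory yet, or a deny entry
        who = m["who"].upper()
        if who.split("\\")[-1] in SHARED:
            findings.append((current, m["who"], "shared group reaches every pool"))
        elif who in pool_ids and who != sites[current].upper():
            findings.append((current, m["who"], "another site's pool identity"))
    return findings

# Constructed sample of icacls output; host and account names are hypothetical.
SAMPLE = r"""C:\Sites\site1 BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               WEB01\pool_site1:(OI)(CI)(RX)
               WEB01\pool_site2:(OI)(CI)(RX)

C:\Sites\site2 BUILTIN\Administrators:(OI)(CI)(F)
               WEB01\pool_site2:(OI)(CI)(RX)
               WEB01\IIS_WPG:(OI)(CI)(RX)

Successfully processed 2 files; Failed processing 0 files
"""
SITES = {r"C:\Sites\site1": r"WEB01\pool_site1",
         r"C:\Sites\site2": r"WEB01\pool_site2"}

if __name__ == "__main__":
    for directory, principal, reason in audit(SAMPLE, SITES):
        print(f"{directory}: {principal} ({reason})")
```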


