IIS Server Security - Purpose of IWAM Account IIS 6.0?

Author

Purpose of IWAM Account IIS 6.0?

Will

2007-04-19, 1:16 am

Is it right that the only purpose of the IWAM_<MachineName> account is to
run any process that is spawned from within the IIS 6.0 server process?

What is the security context of an ASP application that runs in the server
process without spawning a separate process? The IIS service appears to
startup in SYSTEM context, and I would really like it to NOT run in-process
applications in such a permissive context.

--
Will

Ken Schaefer

2007-04-19, 7:19 am

Hi,

IIS 6.0 supports running in two different modes. The native mode (or Worker
Process mode) means that all user code runs in worker processes (w3wp.exe).
The identity of these worker processes is configurable by changing the
properties of the Web Application Pool.

IIS 6.0 can also be run in IIS 5.0 Compatibility Mode. In that case you can
run application in Low, Medium or High isolation. Low isolation apps run in
InetInfo.exe. medium apps all run in a single dllhost.exe process, and high
isolation apps run in an individual dllhost.exe. the default identity for
these dllhost.exe processes is IWAM_<machinename>, and is configurable in
COM+

Cheers
Ken

"Will" <westes-usc@noemail.nospam> wrote in message
news:O_mdnc4d8-h6KLvbnZ2dnUVZ_oWdnZ2d@giganews.com...
> Is it right that the only purpose of the IWAM_<MachineName> account is to
> run any process that is spawned from within the IIS 6.0 server process?
>
> What is the security context of an ASP application that runs in the server
> process without spawning a separate process? The IIS service appears to
> startup in SYSTEM context, and I would really like it to NOT run
> in-process applications in such a permissive context.
>
> --
> Will
>