05-19-05 10:52 PM
Thanks for the answers you could provide so far, Ken.
Follow-up to question #1: the effect of the 'revert self' function in IIS 5.0 is
the same as running all web applications in the same app pool in IIS 6.0,
since by default IIS 5.0 has all applications run by the same user, correct?
Repost of the second half of question #3: who or where does ASP and/or
ASP.NET run in worker process isolation mode?
Clarification on question #5: I need to make hundreds of IUSRs and AppPool
IDs. Maybe the question should have read: there is no tool provided by
Microsoft to easily create dozens/hundreds of IUSRs and AppPool IDs,
correct?
New question: #6) I found
http://www.microsoft.com/technet/pr...86e85fa1ff.mspx
(IIS and Built-in Accounts (IIS 6.0)) to be pretty helpful; are there any other
articles/how-tos/FAQs/webcasts that explain more in this topic area?
Thanks!
"Ken Schaefer" wrote:
> Sorry for the very quick answers - a bit busy at the moment:
>
> 1) You are probably thinking of "revert to self". If you are running a
> thread under an impersonated account (via ImpersonateLoggedOnUser etc), then
> calling RevertToSelf will set the thread's identity back to the identity of
> the originating process (typically the Web Application Pool's identity). The
> Web Application Pool's identity will have access to everything in the Web
> App Pool. This makes it hard (probably impossible) to segregate content from
> multiple websites that are running inside a single Web App Pool. If you do a
> search for RevertToSelf you'll find a ton of info in MSDN etc:
> http://www.google.com/search?q=site...om+revertToSelf
>
> 2) Each website should be in its own Web Application Pool. Each WAP should
> have its own identity. Each website (or application) in the pool should
> have its own custom IUSR_machinename account. NTFS ACLs should be set on
> the content of each website so that only the relevant IUSR account (plus
> Administrators, System, WAP identity etc) can access the content. This stops
> IUSR for Site1 using the File System Object (or similar) to access content
> in someone else's website.
>
> 3) That is correct. IWAM and ASPNET are only used if you are running in IIS5
> Compatibility Mode
>
> 4) Not sure about this - I will need to check
>
> 5) You can do this via the IIS Manager or you can do it via scripting (ADSI
> or WMI). There is a tool adsutil.vbs that is supplied with IIS
> (c:\inetpub\adminscripts) that makes it easy to work with the IIS ADSI
> provider
>
> Cheers
> Ken
>
> --
> Blog: www.adopenstatic.com/cs/blogs/ken/
> Web: www.adopenstatic.com
>
>
> "pj_servadmin" <pjservadmin@discussions.microsoft.com> wrote in message
> news:94E7A884-3A8D-43AD-823A-3CE9FD001471@microsoft.com...
> : I am probably going to misquote the Microsoft rep I talked to (it was months
> : ago), but here it goes:
> : "In (mass vhost/webhosting/ISP) type scenarios you should segregate all web
> : applications that need high security by configuring custom App Pool
> : Identities for each. There is a 'return self' function in (ASP/ASP.NET) that
> : would give an application access to everything running in the application
> : pool."
> :
> : First off, is this correct? What is the 'return self' function? Is this
> : documented?
> :
> : Second, if the above is correct, is the same thing to be said of the IUSR
> : account? Or does the IUSR account not matter because it only has access to
> : the same things you would over the Internet via HTTP - read-only access
> : (unless there were IUSR write directories)?
> :
> : Third, am I correct that the ASPNET/IWAM users are useless in IIS 6.0 if
> : running in worker process isolation mode (not IIS 5.0 isolation mode)? Who or
> : where does ASP and/or ASP.NET run in worker process isolation mode?
> :
> : Fourth, how come the 'Generate Security Audits' and 'Log On As A Service'
> : privileges are only on the Network Service account, and not the IIS_WPG group?
> : Is this a security risk/useful to add those privileges to custom App Pool
> : identities that are placed inside the IIS_WPG?
> :
> : Fifth, why is there no Microsoft-supplied tool to configure custom
> : Application Pool Identities (or is there?), even though this is apparently a
> : best practice to do so? (aka: this would decrease TCO)
> :
> : Thanks in advance!
>
>
>
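Ken's answers #2 and #5 describe the procedure (one application pool per site with its own identity, a custom anonymous account per site, NTFS ACLs that admit only those accounts, all of it scriptable through the IIS ADSI provider) but the thread contains no script, and the follow-up asks how to do this for hundreds of sites. The block below is an added example written for this page; it is not code from the thread, from Ken, or from Microsoft. It is PowerShell run locally as an administrator on an IIS 6.0 server, using the WinNT ADSI provider for local accounts and the IIS 6.0 metabase ADSI provider (IIsApplicationPool, IIsWebVirtualDir) for the pool and site settings. The naming scheme (svc_<site>, IUSR_<site>, <site>_Pool), the D:\WebContent root, the sample site list and the optional site metabase ID are assumptions; the metabase property names (AppPoolIdentityType, WAMUserName, WAMUserPass, AppPoolId, AnonymousUserName, AnonymousUserPass) are the documented IIS 6.0 ones.

```powershell
# Added example, not from the thread: bulk per-site isolation on IIS 6.0 as Ken
# describes in answers #2 and #5. Assumptions: run locally as an administrator on
# the IIS 6.0 box; names svc_<site>, IUSR_<site>, <site>_Pool and the content root
# are illustrative; metabase properties are those of the IIS 6.0 ADSI provider.

function New-RandomPassword([int]$Length = 28) {
    # Cryptographically random password. Nobody logs on as these accounts, so the
    # value only has to be set, never remembered.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#%^*-_+='
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-ServiceAccount([string]$Name, [string]$Password, [string]$Description) {
    # Local account via the WinNT ADSI provider; password never expires and the
    # account cannot change it (0x40 = ADS_UF_PASSWD_CANT_CHANGE, 0x10000 = ADS_UF_DONT_EXPIRE_PASSWD).
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $user = $computer.Create('User', $Name)
    $user.SetPassword($Password)
    $user.SetInfo()
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.Put('Description', $Description)
    $user.Put('UserFlags', ([int]$user.UserFlags.Value -bor 0x40 -bor 0x10000))
    $user.SetInfo()
}

function Set-SiteContentAcl([string]$Path, [string[]]$ReadIdentities) {
    # Replace the inherited ACL with: Administrators and SYSTEM full control, the
    # site's own pool identity and anonymous account read/execute, nobody else.
    # A different site's IUSR therefore gets "access denied" from FileSystemObject.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $grants = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }
    foreach ($id in $ReadIdentities) { $grants[$id] = 'ReadAndExecute' }
    foreach ($id in $grants.Keys) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $grants[$id], $inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function New-IsolatedSite([string]$Site, [string]$ContentPath, [int]$SiteId = 0) {
    $poolUser = "svc_$Site"; $anonUser = "IUSR_$Site"; $poolName = "${Site}_Pool"
    $poolPass = New-RandomPassword; $anonPass = New-RandomPassword

    New-ServiceAccount $poolUser $poolPass "Application pool identity for $Site"
    New-ServiceAccount $anonUser $anonPass "Anonymous web user for $Site"
    # A custom pool identity must be a member of IIS_WPG to be allowed to run a worker process.
    ([ADSI]"WinNT://$env:COMPUTERNAME/IIS_WPG,group").Add("WinNT://$env:COMPUTERNAME/$poolUser,user")

    # One pool per site, running as that site's own account (AppPoolIdentityType 3 = specific user).
    $pool = ([ADSI]'IIS://localhost/W3SVC/AppPools').Create('IIsApplicationPool', $poolName)
    $pool.Put('AppPoolIdentityType', 3)
    $pool.Put('WAMUserName', "$env:COMPUTERNAME\$poolUser")
    $pool.Put('WAMUserPass', $poolPass)
    $pool.SetInfo()

    if (-not (Test-Path $ContentPath)) { New-Item -ItemType Directory -Path $ContentPath | Out-Null }
    Set-SiteContentAcl $ContentPath @("$env:COMPUTERNAME\$poolUser", "$env:COMPUTERNAME\$anonUser")

    # If the site already exists in the metabase, bind its root to the new pool
    # and make the new IUSR its anonymous account (assumed: caller passes the site ID).
    if ($SiteId -gt 0) {
        $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
        $root.Put('AppPoolId', $poolName)
        $root.Put('AnonymousUserName', "$env:COMPUTERNAME\$anonUser")
        $root.Put('AnonymousUserPass', $anonPass)
        $root.SetInfo()
    }
    New-Object PSObject -Property @{ Site = $Site; Pool = $poolName; PoolUser = $poolUser; AnonUser = $anonUser }
}

# Constructed input (illustrative site names and content directories).
$sites = @('shop', 'blog', 'intranet')
foreach ($s in $sites) { New-IsolatedSite -Site $s -ContentPath "D:\WebContent\$s" }
```

Each site then has exactly two accounts that can read its content, and its worker process runs as one of them, so a RevertToSelf inside site A's pool still cannot reach site B's files: the two pools are different processes with different identities, and site B's ACL does not list site A's accounts. The same metabase writes can be done with the adsutil.vbs tool Ken mentions (for example `cscript adsutil.vbs SET W3SVC/AppPools/shop_Pool/AppPoolIdentityType 3`), which is handy for checking what the script wrote; the local accounts, IIS_WPG membership and NTFS ACLs still need the WinNT provider and Set-Acl (or cacls) as above.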