Things to consider while setting up IIS websites
- Anonymous Access Account
- Application Pool
- NTFS Permissions
- Method One: the ApplicationPoolIdentity is a special term for the corresponding IIS AppPool\<AppPoolAccount> in the IIS_IUSRS security group. Using it ties the security context to the Application Pool, rather than having the Anonymous Account running as IUSR and the Application Pool running as ApplicationPoolIdentity, which leaves two security contexts to manage.
- Method Two: for more control, use a Custom Account in place of ApplicationPoolIdentity in the Application Pool Advanced Settings. Borrowing from Method One, the Anonymous Account should be set to ApplicationPoolIdentity so there is still only one security context to manage. The main benefit of this approach over using IUSR is that you know the password for the Custom Account, whereas IIS controls the IUSR password, which makes using IUSR in place of ApplicationPoolIdentity as the Application Pool Identity troublesome.
WARNING: UAC (User Account Control) can modify the NTFS permissions when running in "Admin Approval Mode". Make sure the setting "User Account Control: Run all administrators in Admin Approval Mode" is set to False in the Local Group Policy, located under Computer settings\Windows settings\Security settings\Local policies\Security options.
Depending on the method used for adding an Anonymous Account to an IIS Website, one of two accounts should be added to the Website's root folder:
- Method One - IIS_IUSRS (Read Permission)
- Method Two - Custom Account (Read Permission)
At the basic level the Website's root folder should contain the following permissions:

User Account | Permission | Notes
---|---|---
Administrators | Full Control | For File System access.
<IIS Anonymous> | Read & Execute | Either IIS_IUSRS or a Custom Account.
It is recommended to disable inheritance on the Website's root folder, to stop parent permissions propagating down and overwriting any existing permissions, which can be a costly exercise to restore.
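As an added example (not part of the original notes), the following PowerShell script applies the three points above to one site: it sets the Application Pool identity for Method One or Method Two, points anonymous authentication at the Application Pool identity, and breaks inheritance on the root folder before granting only the two entries in the table. The site, pool, folder and account names are assumptions; the UAC check reads the EnableLUA value that backs the policy named in the warning.

```powershell
# Added example, not from the original notes. Assumed names: site 'ExampleSite',
# application pool 'ExamplePool', root 'C:\inetpub\ExampleSite', and for Method Two
# a local account 'svc_examplesite'. Run from an elevated PowerShell on the IIS host.
Import-Module WebAdministration

$SiteName         = 'ExampleSite'
$PoolName         = 'ExamplePool'
$Root             = 'C:\inetpub\ExampleSite'
$UseCustomAccount = $false          # $false = Method One, $true = Method Two
$CustomUser       = 'svc_examplesite'

# UAC check from the warning above: EnableLUA is the registry value behind
# "User Account Control: Run all administrators in Admin Approval Mode".
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 0) { Write-Warning 'Admin Approval Mode is on; UAC may alter the NTFS permissions set below.' }

# Application Pool identity: 4 = ApplicationPoolIdentity, 3 = SpecificUser (Custom Account).
if ($UseCustomAccount) {
    $cred = Get-Credential -UserName $CustomUser -Message 'Custom application pool account'
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 3
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
} else {
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{ identityType = 4 }
}

# Anonymous authentication: an empty userName makes IIS use the Application Pool
# identity instead of the IIS-managed IUSR account, leaving one security context.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# NTFS: break inheritance on the site root, drop every existing entry, then grant only
# the two rows from the table (Administrators: Full Control; anonymous: Read & Execute).
$principal = if ($UseCustomAccount) { $CustomUser } else { 'BUILTIN\IIS_IUSRS' }
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # protected DACL, inherited ACEs discarded
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $principal, 'ReadAndExecute', $inherit, 'None', 'Allow')))
Set-Acl -Path $Root -AclObject $acl

# Verify: only the two explicit entries should remain, and none should be inherited.
(Get-Acl -Path $Root).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

The final Get-Acl listing is the check to keep: any entry with IsInherited set to True means inheritance was re-enabled on the folder and the table's permissions can no longer be relied on.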