Bobcares

How to Set up IIS Application Pool Custom Account Identity Permissions?

by | Aug 23, 2024

If you need more details on configuring custom account permissions for an IIS application pool identity, this article is for you. At Bobcares, we assist our customers with several IIS queries on a daily basis as part of our Server Management Services.

Overview
  1. More on Custom Account Identity Permissions for an IIS Application Pool
  2. Steps to Setup the System
  3. Benefits of Custom Account Identity in IIS App Pool
  4. Conclusion

More on Custom Account Identity Permissions for an IIS Application Pool

When running web applications on Internet Information Services (IIS) on Windows systems, application pools are used to separate applications for improved security, dependability, and resource management. Each application pool has its own identity, which determines the application pool’s rights on the system. By default, an application pool is run by a built-in account, such as Network Service or ApplicationPoolIdentity. In some situations, we may need to set up an application pool to operate under a custom identity, sometimes known as a “custom account.”


When using a custom account as an application pool identity, we must be careful to provide suitable permissions so that the application pool can perform its functions while maintaining security. Typically, permissions for an application pool operating under a custom identity may be managed as follows:

Management of IIS App Pool

1. File System Permissions: Check that the custom account has the necessary rights for the files and folders required by the web application. This includes read, write, modify, and execute rights, as needed. We may need to provide rights to certain files or directories within the web application’s directory structure.

2. Registry Permissions: If the app needs access to registry settings, we must provide the custom account the necessary rights to read from or write to the proper registry keys.

3. Database Permissions: If the application interacts with a database, make sure the custom account has the proper permissions to access and edit it. This might include providing rights at the database level as well as ensuring that the account has network access to the database server if it is remote.

4. Network Permissions: If the app interfaces with other services or systems over the network, make sure that the custom account has the necessary network permissions, such as access to network resources or the ability to establish outbound connections.

5. Other Resources: Depending on the application’s specific needs, we may need to provide other rights to access resources such as message queues, COM objects, or other external services.

Steps to Setup the System

1. Create a Custom Account

Windows User Account: We must ensure the custom account is a valid Windows user account. It can be a domain account or a local account.

2. Assign the Custom Account to the Application Pool

i. Open IIS Manager by pressing Windows + R, type inetmgr, and press Enter.

ii. In the left pane, click on “Application Pools.”

iii. Choose the application pool we want to configure.

iv. Right-click the application pool and select “Advanced Settings.”

v. In the “Process Model” section, find “Identity” and click on the ellipsis (…) button.

vi. Choose “Custom account” and click “Set.”

vii. Enter the credentials for the custom account and click “OK.”

3. Assign File System Permissions

We must ensure the custom account has the necessary permissions on the file system.

i. Go to the directory where the web application is located.

ii. Right-click the directory and select “Properties.”

iii. Go to the “Security” tab.

iv. Click “Edit” to change permissions.

v. Add the custom account and assign the required permissions (typically “Read & execute,” “Read,” and “List folder contents”).

4. Assign Permissions to Other Resources

Depending on the application’s requirements, we may need to assign additional permissions:

i. Database Access: If the application connects to a database, ensure the custom account has appropriate permissions to access the database.

ii. Network Resources: If the application requires access to network shares or other resources, configure permissions for those resources accordingly.

5. Test the Configuration

i. In IIS Manager, select the application pool and click “Recycle” to restart it.

ii. Test the web application to ensure it functions correctly with the new account.
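Steps 2, 3 and 5 can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes an elevated Windows PowerShell session on the IIS server with the WebAdministration module available, and the pool name, site path and account are placeholders.

```powershell
# Added example. Pool name, site path and account are placeholders (assumptions).
Import-Module WebAdministration

$poolName = 'ExamplePool'               # hypothetical application pool
$sitePath = 'C:\inetpub\examplesite'    # hypothetical web application directory
$cred     = Get-Credential -Message 'Custom account for the application pool'
$account  = $cred.UserName              # enter as DOMAIN\user or MACHINE\user

# Step 2: Process Model > Identity > "Custom account" (identityType 3 = SpecificUser).
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $account
    password     = $cred.GetNetworkCredential().Password
}

# Step 3: grant "Read & execute" on the site directory, inherited by subfolders
# and files. This covers "Read" and "List folder contents"; no write access.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $sitePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sitePath -AclObject $acl

# Step 5: recycle the pool so the worker process starts under the new identity.
Restart-WebAppPool -Name $poolName

# Read the settings back: configured identity, pool state, and the ACEs that
# name the account directly (rights held through groups are not listed here).
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel |
    Select-Object identityType, userName
(Get-WebAppPoolState -Name $poolName).Value
(Get-Acl -Path $sitePath).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

If the read-back shows rights such as Modify or FullControl for the account, review whether the application really needs them before leaving them in place.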

Benefits of Custom Account Identity in IIS App Pool

Using a custom account for an IIS application pool provides several benefits:

1. Enhanced Security

i. Least Privilege: The custom account can be granted only the permissions needed for the application, minimizing potential security risks.

ii. Separation of Duties: It also isolates application pool identities from other system accounts, reducing the risk of cross-application security issues.

2. Improved Control

i. Fine-Grained Permissions: It allows for precise control over what resources and files the application can access.

ii. Custom Settings: It also enables specific configuration settings and policies tailored to the needs of the application.

3. Isolation

Application Isolation: A custom account keeps the application pool and its resources separate from other applications and system processes, which can improve stability and security.

4. Ease of Management

i. Simplified Troubleshooting: It is easier to identify and resolve issues when each application pool uses a distinct account.

ii. Dedicated Account Management: A custom account allows for better management of account-specific policies and permissions.

5. Audit and Monitoring

i. Enhanced Logging: Custom accounts can make it easier to track and audit activity related to specific applications.

ii. Focused Monitoring: Monitoring tools can more easily track the behavior and performance of applications running under specific accounts.

6. Compliance

Regulatory Requirements: A custom account meets security and compliance requirements by adhering to the principle of least privilege and having clear separation of duties.

7. Resource Management

Dedicated Resources: Custom accounts can help ensure that applications have dedicated resources, which can lead to better performance and reliability.

So, using a custom account for IIS application pools improves security, control, and manageability, while also helping with compliance and monitoring.


Conclusion

In short, creating specific account permissions for IIS application pool identities results in a more secure and controllable environment. It enables fine-grained access control, separates apps for increased stability, and simplifies troubleshooting. By granting particular rights to a custom account, we guarantee that apps run with the bare minimum of access, improving overall security and compliance.
