Application Pool user

The application pool worker process (w3wp.exe) runs under the user identity we specify, and IIS uses that identity whenever it touches system or network resources: reading files on disk, calling certain system functions, accessing the registry, and reaching resources across the network. The default identity in IIS is the built-in Network Service account. This account has only limited access on the Web server and on the network, yet that is enough to run a standard Web site with full functionality. IIS 7.0 provides three kinds of built-in accounts.
The built-in accounts are: Network Service, Local Service, and Local System.

Network Service account
The default application pool identity is the built-in Network Service account. This account has only minimal access rights on the local computer and on the network. When it accesses a resource on another device in the same domain (or in a trusted domain), the server authenticates with the Network Service account's network credentials. That device can be a database server, a UNC share, or any other resource reachable over the network. On the network the Network Service account presents itself as DomainName\ServerName$. For example, in the domain DomainA, if a server named WebServer1 runs a Web site under the Network Service account and that site uses a database on a server named SQLServer1, then for the database to work properly we must grant the DomainA\WebServer1$ account the necessary SQL access rights.
The following user rights are explicitly assigned to the Network Service account:
1. Adjust memory quotas for a process
2. Bypass traverse checking
3. Create global objects
4. Generate security audits
5. Impersonate a client after authentication
6. Replace a process level token
As a member of the Everyone group, the Network Service account also inherits the following right:
7. Access this computer from the network
Finally, as a member of the IIS_IUSRS group, the Network Service account also inherits the following right:
8. Log on as a batch job

Local Service account
The built-in Local Service account cannot access network resources the way the Network Service account can, but it has similar access to local resources. In Windows Vista and Windows Server 2008, the Local Service account holds the following local rights, which the Network Service account does not have:
1. Change the system time
2. Change the time zone
If the site does not need to access network resources, you can use the Local Service account.

Local System account
The built-in Local System account has full access to the local system. Use it with great care and avoid it wherever possible: if the application pool identity is set to Local System, then an unauthorized user who browses the Web server, or who manages to upload their own content, can perform any operation on the Web server.
Although the Local System account brings considerable security risk, it still has one practical use. When locating a Web site error, we can temporarily set the application pool identity to Local System and test on that basis; if the error is a permissions problem triggered by the application pool identity, this quickly reveals the root of the problem. Other factors still need to be considered when locating an error this way. Once the error has been located, we must set the application pool identity back to a user with appropriate rights.

Custom user accounts
Like IIS 6.0, IIS 7.0 also allows us to create a custom user. The user can be either a local Windows user or a domain user; which kind to create depends entirely on the IIS 7.0 application environment and our specific needs. If we create a domain user, it can be used to access network resources such as a UNC share or a database; we then only need to grant the application pool user permission on those network resources. The reasons for creating a custom user include the following:
1. The existing built-in accounts cannot meet our needs. For example, if the Local Service account's privileges are insufficient while the Local System account's are too high, we can create an account with exactly the permissions required.
2. Sites need to be separated from each other for protection. In a shared environment where one Web server runs multiple sites that do not trust each other, a custom user per site solves the problem. Shared Web hosting is the main reason for using custom users. Even within the same organization, separating Web sites from one another is worthwhile, because in a shared hosting environment, if one Web site is compromised, then with a reasonable system configuration the other Web sites, applications and application pools are not affected.
3. The application pool identity needs to access a network resource. In that case we can create a custom domain user and assign the application pool identity to it; a program running in that application pool will then use the custom user to access the network resource.
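As an added example (not code from the original post), the following PowerShell first audits every application pool's identity and flags any that run as Local System (the risk described above), then moves one pool onto a dedicated custom account and grants that account read access to its own site content only. It assumes the IIS WebAdministration module, an elevated session on the Web server, and hypothetical names (ContosoPool, svc_contoso, D:\Sites\contoso) for an account that already exists.

```powershell
# Added example, not part of the original post. Assumes the IIS
# WebAdministration module (IIS 7.0 snap-in / IIS 7.5+ module), an
# elevated session, and the hypothetical names used below.
Import-Module WebAdministration

# 1. Audit: list each pool's identity and flag Local System.
function Get-AppPoolIdentityReport {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        $who = switch ("$($pm.identityType)") {
            'LocalSystem'    { 'LocalSystem   <-- full local access, review!' }
            'LocalService'   { 'LocalService  (no network access)' }
            'NetworkService' { 'NetworkService (network as DOMAIN\HOST$)' }
            'SpecificUser'   { "SpecificUser: $($pm.userName)" }
            default          { "$($pm.identityType)" }
        }
        '{0,-25} {1}' -f $_.Name, $who
    }
}
Get-AppPoolIdentityReport

# 2. Isolate one site: run its pool as a pre-created low-privilege account.
#    Hypothetical names; the account must exist before this runs.
$poolName = 'ContosoPool'
$poolUser = 'WEBSERVER1\svc_contoso'   # local user, or DOMAIN\user for network access
$sitePath = 'D:\Sites\contoso'

# Prompt for the password instead of hard-coding it in the script.
$secure = Read-Host -AsSecureString "Password for $poolUser"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# identityType 3 = SpecificUser; IIS stores the password encrypted in applicationHost.config.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $poolUser
    password     = $plain
}
$plain = $null

# Least privilege on disk: Read/Execute on this site's content only,
# inherited to sub-folders and files; nothing is granted on other sites.
icacls $sitePath /grant "${poolUser}:(OI)(CI)RX" /T | Out-Null

Restart-WebAppPool $poolName
Get-AppPoolIdentityReport | Where-Object { $_ -like "$poolName*" }
```

After the change, the report line for ContosoPool should read "SpecificUser: WEBSERVER1\svc_contoso"; any pool still reported as LocalSystem should be reviewed against the guidance above.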

Origin blog.51cto.com/2612012/2406070