23

I'm looking for a good explanation of the IUSR and IWAM accounts used by IIS to help me better configure our hosting environment:

  • Why are they there?
  • What's the difference between them?
  • Do the names stand for something meaningful?
  • Are there any best practice changes I should make?
  • IIS also gives me options to run application pools as Network Service, Local Service or Local System. Should I?
  • My web server is part of a domain, how does this change things?

It seems to be common to create your own versions of these accounts when deploying multiple sites to a server which raises some extra questions:

  • When might I want to create my own IUSR and IWAM accounts?
  • How should I create these additional accounts so they have the correct permissions?

I am using both IIS 6 and and IIS 7 with mostly default configurations.

Generic Error
  • 593
  • 3
  • 8
  • 16

3 Answers3

34

IUSR and IWAM date back to the very early days of IIS when you installed it separately (not as an OS component). By default, if a web site permits anonymous authentication, the IUSR account is used with respect to permissions on the OS. This can be changed from the default. There are some security recommendations to at least rename the account, so it's not a "known" account, much like there is a recommendation to rename the administrator account on a server. You can learn more about IUSR and authentication at MSDN.

IWAM was designed for any out of process applications and is only used in IIS 6.0 when you're in IIS 5.0 isolation mode. You usually saw it with COM/DCOM objects.

With respect to application pool identities, the default is to run as the Network Service. You should not run as Local System because that account has rights greater than that of an administrator. So that basically leaves you to Network Service, Local Service, or a local/domain account other than those two.

As to what to do, it depends. One advantage of leaving it as Network Service is this is a limited privilege account on the server. However, when it access resources across the network, it appears as Domain\ComputerName$, meaning you can assign permissions that permit the Network Service account to access resources such as SQL Server running on a different box. Also, since it appears as the computer account, If you enable Kerberos authentication, the SPN is already in place if you're accessing the website by the server name.

A case where you'd consider changing the application pool to a particular Windows domain account if you want a particular account accessing networked resources such as a service account accessing SQL Server for a web based application. There are other options within ASP.NET for doing this without changing the application pool identity, so this isn't strictly necessary any longer. Another reason you'd consider using a domain user account is you were doing Kerberos authentication and you had multiple web servers servicing a web application. A good example is if you had two or more web servers serving up SQL Server Reporting Services. The front end would probably to a generic url such as reports.mydomain.com or reporting.mydomain.com. In that case, the SPN can only be applied to one account within AD. If you have the app pools running under Network Service on each server, that won't work, because when they leave the servers, they appear as Domain\ComputerName$, meaning you'd have as many accounts as you had servers serving up the app. The solution is to create a domain account, set the app pool identity on all servers to the same domain user account and create the one SPN, thereby permitting Kerberos authentication. In the case of an app like SSRS, where you may want to pass the user credentials through to the back-end database server, then Kerberos authentication is a must because then you're going to have to configure Kerberos delegation.

I know that's a lot to take in, but the short answer is, except for Local System, it depends.

Community
  • 1
K. Brian Kelley
  • 9,004
  • 31
  • 33
  • Worth noting that recommendations to rename these accounts don't come from Microsoft. System accounts have static and well-documented SIDs and are easily hackable regardless of the display name. – Thomas Aug 18 '17 at 23:06
9

IUSR = Internet User, i.e. any anonymous, un-authenticated visitor to your website (i.e. pretty much everybody)

IWAM = Internet Web Application Manager, i.e. all your ASP and .NET applications will run under this account

Generally, IUSR and IWAM should ONLY have access to precisely what they need. They should never be given access to anything else, in case these accounts become compromised then they can't access anything critical.

That's about all I can help with out of your list of questions, others with more experience in IIS administration might be able to help you further!

Mark Henderson
  • 68,316
  • 31
  • 175
  • 255
7

I always resort to this guide -

http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/

You can find a lot on iis.net

to put it simply - IUSR is simply out of the box guest accounts that have permissions over c:\inetpub\wwwroot by default.

William Hilsum
  • 3,506
  • 5
  • 28
  • 39