
So I know that variations on this question have been asked tons of times, but I'm still confused so I'm hoping to ask as simply as I can and hopefully you'll be able to answer as simply as you can.

In IIS 7.5, I have a website that runs under an application pool identity of "NetworkService". The anonymous user always runs as IUSR.

When an anonymous user opens my web page and tries to trigger an action that will write information to a file, is it NetworkService that needs write permission on the folder or is it IUSR?

It's tricky to understand as, logically, if the application is running as NetworkService and the application is trying to write the file, then the application account should be the one with the permissions. However, this would seem to make the user identity redundant. So does my application authenticate as the user or as the application?

Ambulare
  • Hasn't this changed quite significantly over the years? We currently configure folder permissions using the faked-out app pool name, i.e. IIS AppPool\DefaultAppPool. – Jacques Aug 08 '14 at 11:01

1 Answer


This depends on whether you're using ASP.NET with impersonation or not (either ASP.NET without impersonation or no ASP.NET at all).
Impersonation causes the .NET code to be executed with the visiting user's security context (IUSR if they're anonymous, their own account if not). It's a security issue and has little use, but a lot of less experienced developers/admins enable it because it seems to magically solve "access denied" issues.

If you don't have impersonation enabled (good for you!) the security context is the one of the application pool.

If you don't believe me, you can choose a file and change its permissions to allow writes/modifications by a single user (e.g. IUSR), and see if your site can modify it now.

Nitz
  • Procmon (http://live.sysinternals.com/procmon.exe) is an excellent tool for watching what's actually happening and who it's happening as! – TristanK Aug 10 '14 at 11:30
  • @Nitz I'm using PHP, it's just that the web hosting is a Windows/IIS server. In this case, is the user identity irrelevant then? So the application never runs as IUSR and all the file level permissions need to be set against NetworkService (the application pool account)? – Ambulare Aug 11 '14 at 08:15
  • @Ambulare Yes, as long as you use PHP in-process (running inside the IIS worker) and not out-of-process (another process communicating with IIS using some sort of socket). As for making sure of that, like TristanK pointed out, you can play detective using Procmon, but IMHO you can just set permissions to deny IUSR and see if your application breaks down :) – Nitz Aug 11 '14 at 08:56
  • @Nitz - sorry to cross examine you, but I'm new to IIS and you seem to know your stuff. Through a process of elimination (switching permissions on and off) I've gathered that it's IUSR that seems to need the write permissions. What can I deduce from this? Why would my PHP application be running as IUSR not as NetworkService? – Ambulare Aug 11 '14 at 09:12
  • No problem. As I'm new to Linux, I know how you feel :). I found [this](http://serverfault.com/questions/282806/should-i-impersonate-php-via-fastcgi) for you - the "impersonate" setting probably does the same thing as ASP.net impersonation. In my experience, it's **much** better to disable it than change the anonymous user account. – Nitz Aug 11 '14 at 09:44
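The following PowerShell script is an added example, not code from the asker, the answerer or the commenters. It carries out the checks the thread arrives at: it reports which of the three candidate identities (NETWORK SERVICE, the IIS AppPool virtual account Jacques mentions, and IUSR) actually hold write rights on the site's data folder, reads the app pool's configured identity, reads `fastcgi.impersonate` from php.ini, and, only with `-Apply`, grants Modify to the worker's own identity and removes IUSR's grant. The folder path, pool name and php.ini location are assumptions; the ApplicationPoolIdentity branch goes beyond the question's NetworkService setup to cover the default on newer IIS.

```powershell
# Added example; not from the original post. Assumes IIS on Windows with PHP
# running via FastCGI. All three defaults below are hypothetical values.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\mysite\data',
    [string]$AppPool  = 'DefaultAppPool',
    [string]$PhpIni   = 'C:\php\php.ini',
    [switch]$Apply    # without -Apply the script only reports, changes nothing
)

# The identities that could be the one doing the writing, per the thread above.
$poolVirtualAccount = "IIS AppPool\$AppPool"
$candidates = @(
    'NT AUTHORITY\NETWORK SERVICE',  # pool identity in the question
    $poolVirtualAccount,             # pool identity when ApplicationPoolIdentity is used
    'NT AUTHORITY\IUSR'              # anonymous user; only matters when impersonating
)

# Rights that allow creating or changing files (Modify and FullControl include them).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-WriteAccess {
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -Path $Path
    foreach ($id in $Identities) {
        $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $id })
        $allow = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $writeMask) -ne 0) })
        $deny  = @($rules | Where-Object {
            $_.AccessControlType -eq 'Deny'  -and (([int]$_.FileSystemRights -band $writeMask) -ne 0) })
        [pscustomobject]@{
            Identity = $id
            CanWrite = ($allow.Count -gt 0) -and ($deny.Count -eq 0)   # an explicit Deny wins
        }
    }
}

function Get-PoolIdentityType {
    param([string]$Name)
    try {
        Import-Module WebAdministration -ErrorAction Stop
        $pool = Get-Item "IIS:\AppPools\$Name"
        # One of: ApplicationPoolIdentity, NetworkService, LocalService, LocalSystem, SpecificUser
        return [string]$pool.processModel.identityType
    } catch {
        return 'unknown (WebAdministration module not available)'
    }
}

function Get-FastCgiImpersonate {
    param([string]$IniPath)
    if (-not (Test-Path $IniPath)) { return $null }
    # Only an uncommented directive counts; ';fastcgi.impersonate = 1' is ignored by PHP too.
    $m = Select-String -Path $IniPath -Pattern '^\s*fastcgi\.impersonate\s*=\s*(\d+)' |
         Select-Object -First 1
    if ($m) { return [int]$m.Matches[0].Groups[1].Value }
    return 0   # directive absent: PHP's documented default is 0 (no impersonation)
}

Write-Host "App pool '$AppPool' identityType: $(Get-PoolIdentityType $AppPool)"
$imp = Get-FastCgiImpersonate $PhpIni
if ($null -eq $imp) { Write-Host "php.ini not found at $PhpIni" }
else { Write-Host "fastcgi.impersonate = $imp  (1 means PHP writes as IUSR or the authenticated user)" }

Get-WriteAccess -Path $SitePath -Identities $candidates | Format-Table -AutoSize

if ($Apply) {
    # Least-privilege fix from the answer: the worker's own identity gets Modify on this
    # folder, inherited by files (OI) and subfolders (CI); IUSR's grant goes away.
    $target = if ((Get-PoolIdentityType $AppPool) -eq 'NetworkService') {
                  'NT AUTHORITY\NETWORK SERVICE' } else { $poolVirtualAccount }
    icacls $SitePath /grant "${target}:(OI)(CI)M"
    icacls $SitePath /remove:g 'NT AUTHORITY\IUSR'
    Write-Host "Now set fastcgi.impersonate = 0 in $PhpIni, recycle the app pool, and retest the write."
}
```

Run it from an elevated prompt, first without `-Apply` to see the report. If IUSR shows `CanWrite = True` while the pool identity does not and the site still writes fine, that is the impersonation case Ambulare observed; after `-Apply` and the php.ini change, the write should succeed only under the pool identity, and Procmon (per TristanK) will show the CreateFile call under that account.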