<p>The <code>ApplicationPoolIdentity</code> is assigned membership of the <code>Users</code> group as well as the <code>IIS_IUSRS</code> group. On first glance this may look somewhat worrying; however, the <code>Users</code> group has somewhat limited NTFS rights.</p>
<p>For example, if you try to create a folder in the <code>C:\Windows</code> folder, you'll find that you can't. The <code>ApplicationPoolIdentity</code> still needs to be able to read files from the Windows system folders (otherwise how else would the worker process be able to dynamically load essential DLLs?).</p>
<p>With regard to your observations about being able to write to your <code>c:\dump</code> folder: if you take a look at the permissions in the Advanced Security Settings, you'll see the following:</p>
<p><img src="https://i.stack.imgur.com/2UnXC.png" alt="enter image description here"></p>
<p>See that Special permission being inherited from <code>c:\</code>:</p>
<p><img src="https://i.stack.imgur.com/ZLam7.png" alt="enter image description here"></p>
<p>That's the reason your site's <code>ApplicationPoolIdentity</code> can read and <em>write</em> to that folder. That right is being inherited from the <code>c:\</code> drive.</p>
<p>In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the <code>Users</code> group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).</p>
<p>You would then individually assign the requisite permissions each <code>IIS AppPool\[name]</code> requires on its site root folder.</p>
<p>You should also ensure that any folders you create where you store potentially sensitive files or data have the <code>Users</code> group removed. You should also make sure that any applications that you install don't store sensitive data in their <code>c:\program files\[app name]</code> folders and that they use the user profile folders instead.</p>
<p>So yes, on first glance it looks like the <code>ApplicationPoolIdentity</code> has more rights than it should, but it actually has no more rights than its group membership dictates.</p>
<p>An <code>ApplicationPoolIdentity</code>'s group membership can be examined using the SysInternals <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653">Process Explorer tool</a>. Find the worker process that is running with the Application Pool Identity you're interested in (you will have to add the <code>User Name</code> column to the list of columns to display):</p>
<p><img src="https://i.stack.imgur.com/xUQcp.png" alt="enter image description here"></p>
<p>For example, I have a pool here named <code>900300</code> which has an Application Pool Identity of <code>IIS APPPOOL\900300</code>. Right-clicking on properties for the process and selecting the Security tab, we see:</p>
<p><img src="https://i.stack.imgur.com/D9Zqu.png" alt="enter image description here"></p>
<p>As we can see, <code>IIS APPPOOL\900300</code> is a member of the <code>Users</code> group.</p>
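<p>The shared-hosting layout the answer describes (a sites root that breaks inheritance from the drive, grants only Administrators and SYSTEM, and then gives each <code>IIS AppPool\[name]</code> identity just what it needs on its own site folder) can be scripted with the .NET ACL classes PowerShell exposes. The script below is an added example, not code from the original answer or from Microsoft; the sites root <code>D:\Sites</code> and the pool list are placeholder assumptions, and each site folder is assumed to be named after its application pool.</p>

```powershell
# Added example (not from the original answer). Assumptions: sites live under D:\Sites
# (placeholder) and each site folder is named after its application pool, e.g. D:\Sites\900300
# for the pool "900300". Run in an elevated PowerShell session.
param(
    [string]$SitesRoot = 'D:\Sites',
    [string[]]$AppPoolNames = @('900300')   # constructed sample; replace with your pool names
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate   = [System.Security.AccessControl.PropagationFlags]::None
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Build an inheritable Allow ACE for an identity (hypothetical helper name).
function New-AllowRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, $Allow)
}

# 1. Sites root: stop inheriting from the drive root (the source of the inherited "Special"
#    permission for Users), drop everything inherited, and allow only Administrators and SYSTEM.
New-Item -ItemType Directory -Path $SitesRoot -Force | Out-Null
$acl = Get-Acl -Path $SitesRoot
$acl.SetAccessRuleProtection($true, $false)          # protect; do not copy inherited entries
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null           # clear any explicit leftovers as well
}
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' $FullControl))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    $FullControl))
Set-Acl -Path $SitesRoot -AclObject $acl

# 2. Per-site folders: each pool identity gets only what it needs on its own site root.
#    Read & execute is enough to serve content; grant Modify on specific subfolders
#    (uploads, logs) separately and only if the application actually writes there.
foreach ($pool in $AppPoolNames) {
    $siteDir = Join-Path $SitesRoot $pool
    New-Item -ItemType Directory -Path $siteDir -Force | Out-Null
    $siteAcl = Get-Acl -Path $siteDir                 # inherits Administrators/SYSTEM from $SitesRoot
    $siteAcl.AddAccessRule((New-AllowRule "IIS AppPool\$pool" $ReadExecute))
    Set-Acl -Path $siteDir -AclObject $siteAcl
}

# 3. Verify: list the resulting entries. BUILTIN\Users should appear nowhere under $SitesRoot,
#    and each site folder should show only its own pool identity plus the inherited admin entries.
Get-ChildItem -Path $SitesRoot -Directory | ForEach-Object {
    $_.FullName
    (Get-Acl -Path $_.FullName).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```

<p>The verification step is the part worth keeping around: running it after any change to the drive root or after a tool re-enables inheritance will show a returning <code>BUILTIN\Users</code> entry immediately, which is exactly the condition that made <code>c:\dump</code> writable in the question.</p>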