JeReLo

asked on

How to give IIS application access to a directory

Ok, I want to make a user, so I can add the user as an object, when I’m setting permissions.
In this case, the user is an entity that is named as an application name inside IIS. This application name also has an account in SQL and logs in to a database on a server. But how do I give it permission on a file or directory? It isn't a real user, but just an IIS object. Yet I can see one IIS object, DefaultAppPool.
I am working with SBS 2011, and I’m trying to let it access an IIS application name, as though it was a security principal object. Can SBS set up a reference to this application name, so as to let it represent it as a security principal?
If not, what’s the process to give an application access to a web directory?

I want to work the steps out for SBS 2011, IIS 7.5.
Cliff Galiher

If you want granular access control, you must code that into the application. You cannot rely on the OS to enforce this. Simply grant full permissions to the system account that your pool runs under, and then code your app with appropriate restrictions based on the criteria you require.

-Cliff
JeReLo

ASKER

Sounds like we might be on the same track here...but not sure...

If by granular access, you mean my application name can read and write files in a directory, then yes.

As a matter of fact my application does create files, and I have coded it into the application. But I think what I'm asking for here might be a more general kind of access, and you allude to this when you say I can grant permissions to the application, by setting an account (system account) for my application to run under.

Ok, let's do it! I started trying to set the application that my application runs under. I found that there are two settings:
By right clicking the application in IIS, I can get to advanced settings. There is a field called "Physical Path Credentials Logon Type" which was set to cleartext. I set it to Network and hope that this just means it will use a secure protocol when supplying credentials. Then the physical path credentials field is set to application pass through. But to get to the real player, I have to go to a different area.

I go up to application pools, and then see the application name that my web site uses. Right clicking that name, and choosing advanced settings, gives a whole new set of options. That's where I found process model, and finally, I could select the "system account [my] pool runs under".

In this case, I set it to ApplicationPoolIdentity, which is the security principal I can use.

As I kind of figured this out, and really didn't know what to do, could you kind of review what I did and comment if you see something wrong?
ASKER CERTIFIED SOLUTION
Cliff Galiher

ASKER

Yes, I created a custom application pool for this application. Do I understand correctly that either one has to run a custom application pool under one of the four options (ApplicationPoolIdentity, Network Service, Local System, or Local Service)? Or one can use an existing user account to run under (which introduces either a wasted CAL or the problem of changing passwords).

I would have thought that I could use the IIS identity of the custom application pool, as though it were a security principal. The most intuitive and directly controlled method, it seems to me, would be to create something like a user, based on the custom IIS application pool object, and use it to control the file permissions, as one does with other security principals like users. But I have not found a way to pull out the custom application pool identity, to act as an independent entity (with specific file permissions).

If this preferred method doesn't exist, and I have to run under one of those four options, do you think that ApplicationPoolIdentity will result in it using the DefaultAppPool principal? Would you describe any impacts associated with those four options, that would argue for one or other being the preferred option?
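The principal the asker is looking for does exist: a pool running as ApplicationPoolIdentity gets a virtual account named `IIS AppPool\<pool name>`, and that name can be placed in a folder ACL like any other security principal. The PowerShell below is added here as an example and is not from the thread; it grants such an account Modify on one directory and verifies the result. The pool name and path are placeholders, and it assumes the WebAdministration module that ships with IIS 7.5 on Server 2008 R2 / SBS 2011.

```powershell
# Added example (not from the thread): grant a custom application pool's
# virtual account Modify rights on one web directory, then verify the DACL.
# Assumptions: pool name and folder are placeholders; run elevated on the
# IIS 7.5 host; WebAdministration module present (Server 2008 R2 / SBS 2011).

param(
    [string]$PoolName = 'MyAppPool',                        # placeholder: your custom pool
    [string]$Folder   = 'C:\inetpub\wwwroot\myapp\uploads'  # placeholder: the web directory
)

Import-Module WebAdministration

# The pool must run as ApplicationPoolIdentity for the virtual account to exist.
$identityType = (Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel).identityType
if ($identityType -ne 'ApplicationPoolIdentity') {
    throw "Pool '$PoolName' runs as '$identityType'; set it to ApplicationPoolIdentity first."
}

# Name Windows gives the pool's virtual account. It is a valid ACL principal
# even though it is neither a domain user nor a local user (no CAL, no password).
$account = "IIS AppPool\$PoolName"

# Least privilege: Modify on this one folder (read, write, create, delete files),
# not Full Control, and nothing outside it. Inherit to files and subfolders.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: the pool account should now appear as an explicit entry in the folder's DACL.
Get-Acl -Path $Folder | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Because each custom pool gets its own virtual account, two sites on the same server can be given different folder rights without sharing the DefaultAppPool identity.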
Is there an anonymous IIS user operating here, typically IUSR_MACHINENAME?

So if you edit security on the folder in question, I often start off giving all rights to everyone to check it can work, then start to nail down the security to the correct user.

ASKER

Let's move on...