IIS 7 Guest/Anonymous Account Question

I have just migrated an IIS 6 server to IIS 7 using the web deployment tool and all looks great except the guest account. On the IIS 6 server we created our own guest account with deny all but read for security. After the move this does not exist as a user on the new box so am wondering if setting the Anonymous account to "App Pool Identity" where the app pool identity is "NetworkService".

Will that still use the new builtin IUSR account and/or is the method above ok for security purposes?
rparsons1000 Asked:
Steve Bink Commented:
No, it will use the Network Service user.  You are certainly free to change it to an IUSR you create, but you will need to audit the security yourself.
0
rparsons1000 (Author) Commented:
So there should be no security issues using NetworkService? If I remember, part of IIS 6 hardening was creating a different account for anonymous access instead of the builtin IUSR.
0
Steve Bink Commented:
The default permissions include only the wwwroot, ftproot, and system directories (like .NET, GAC, etc), and it only gets read and list permissions at that.  See here for a more complete list of Microsoft recommended permissions:

http://support.microsoft.com/?kbid=812614
0
Steve Bink Commented:
Wait...that was for IIS6.  But look here:  

http://learn.iis.net/page.aspx/624/application-pool-identities/
http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx

You would want to use a separate account for each pool if you are concerned with possible tampering.

0

rparsons1000 (Author) Commented:
That's what I was looking for. Looks like the new "ApplicationPoolIdentity" is the answer. I feel much better now.
0
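
The configuration the thread settles on, as an added example that is not from any participant: one pool per site running as ApplicationPoolIdentity, anonymous requests mapped to that pool identity, and a read-only ACL on the content for the pool's virtual account. It assumes the WebAdministration PowerShell module and an IIS build that offers ApplicationPoolIdentity; the pool name, site name and content path are hypothetical placeholders.

```powershell
# Added example. $pool, $site and $root are hypothetical placeholders.
Import-Module WebAdministration

$pool = 'ExamplePool'          # one dedicated pool per site
$site = 'Example Site'         # existing IIS site to lock down
$root = 'D:\Sites\Example'     # that site's content directory
$anon = 'system.webServer/security/authentication/anonymousAuthentication'

# 1. Dedicated pool running as its own virtual account ("IIS AppPool\<pool name>")
#    instead of the NetworkService identity shared by every pool and service.
if (-not (Test-Path "IIS:\AppPools\$pool")) {
    New-WebAppPool -Name $pool | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value ApplicationPoolIdentity
Set-ItemProperty "IIS:\Sites\$site" -Name applicationPool -Value $pool

# 2. An empty userName makes anonymous requests run as the pool identity
#    rather than the built-in IUSR account. The section is locked at server
#    level by default, so write it to applicationHost.config via -Location.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $anon -Name userName -Value ''

# 3. Read and execute only on the content, inherited by subfolders and files.
#    ${pool} is braced so PowerShell does not parse "$pool:" as a drive prefix.
icacls $root /grant "IIS AppPool\${pool}:(OI)(CI)(RX)"

# 4. Verify what was applied before putting the site back in service.
Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $anon -Name userName
icacls $root
```

Because each pool gets a distinct virtual account, an ACL granted to one pool's identity gives no access to content owned by another pool, which is the per-pool separation suggested in the thread.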