
IIS 7 Guest/Anonymous Account Question

I have just migrated an IIS 6 server to IIS 7 using the web deployment tool and all looks great except the guest account. On the IIS 6 server we created our own guest account with deny all but read for security. After the move this does not exist as a user on the new box, so I am wondering about setting the anonymous account to "App Pool Identity", where the app pool identity is "NetworkService".

Will that still use the new builtin IUSR account and/or is the method above ok for security purposes?
Asked by: rparsons1000
 
Steve Bink Commented:
No, it will use the Network Service user.  You are certainly free to change it to an IUSR you create, but you will need to audit the security yourself.

rparsons1000 (Author) Commented:
So there should be no security issues using NetworkService? If I remember, part of IIS 6 hardening was creating a different account for anonymous access instead of the builtin IUSR.

Steve Bink Commented:
The default permissions include only the wwwroot, ftproot, and system directories (like .NET, GAC, etc.), and it only gets read and list permissions at that. See here for a more complete list of Microsoft recommended permissions:

http://support.microsoft.com/?kbid=812614

Steve Bink Commented:
Wait...that was for IIS6.  But look here:  

http://learn.iis.net/page.aspx/624/application-pool-identities/
http://technet.microsoft.com/en-us/library/dd548356%28WS.10%29.aspx

You would want to use a separate account for each pool if you are concerned with possible tampering.

rparsons1000 (Author) Commented:
That's what I was looking for. Looks like the new "ApplicationPoolIdentity" is the answer. I feel much better now.
Question has a verified solution.
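
One way to apply the per-pool identity approach the thread settles on, as an added example that is not part of the original posts. The site name, pool name and content path are hypothetical, and it assumes the IIS WebAdministration PowerShell module is available on the server and the session is elevated.

```powershell
# Added example: dedicated pool per site, anonymous access mapped to the pool
# identity, and read-only NTFS rights for that identity only.
Import-Module WebAdministration

$site = 'ExampleSite'            # hypothetical: an existing IIS site
$pool = 'ExampleSitePool'        # hypothetical: dedicated pool for that site
$root = 'D:\Sites\ExampleSite'   # hypothetical: the site's content directory
$anon = 'system.webServer/security/authentication/anonymousAuthentication'

# 1. One pool per site, running as its own virtual account (IIS AppPool\<pool name>)
#    rather than the NetworkService account shared by other pools and services.
if (-not (Test-Path "IIS:\AppPools\$pool")) {
    New-WebAppPool -Name $pool | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value 4  # 4 = ApplicationPoolIdentity
Set-ItemProperty "IIS:\Sites\$site" -Name applicationPool -Value $pool

# 2. An empty userName makes anonymous requests run as the application pool
#    identity instead of the built-in IUSR account. The section is written to
#    a <location> tag in applicationHost.config for this site.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $anon -Name userName -Value ''

# 3. Grant the pool's virtual account read and list access on the content
#    directory, inherited by files (OI) and subfolders (CI). No write or modify.
icacls $root /grant "IIS AppPool\${pool}:(OI)(CI)(RX)"

# 4. Audit the result: effective anonymous user (should be empty), the pool's
#    identity type, and the ACL on the content directory. Review the ACL for
#    broader groups (for example Users or Everyone) that also hold rights here.
(Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $anon -Name userName).Value
(Get-ItemProperty "IIS:\AppPools\$pool").processModel.identityType
icacls $root
```

Repeating this with a different pool per site means a compromised application can read only its own content directory, which is the separation the last reply from Steve Bink recommends.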
