Solved

IIS Authentication

Posted on 2013-01-24
Last Modified: 2013-01-28
Hi,

In IIS 7 there is a section on Authentication. By default, for Anonymous Authentication, the user identity is set to IUSR.

Whilst it's set to this, I get SQL access errors.

If I change it to 'Application pool identity' the error goes away.

The application pool identity is set to 'LocalSystem'.

Presumably this is working because IIS is located on the same machine as the development environment and I'm logged on as the Administrator.

What should be the correct settings?
Question by: andyw27
5 Comments
 
LVL 33

Accepted Solution

by:
paulmacd earned 500 total points
ID: 38814351
What's correct depends on what you're doing, but I recommend leaving the IIS user as IUSR_whatever, and specifying a user and password in your connection string to SQL Server.  This gives you much more control and better security.
0
 
LVL 28

Expert Comment

by:becraig
ID: 38814352
The best practice would be having a specific account, which is updated periodically, set as your app pool identity.

This gives you the option of being able to add additional privileges as your app matures, as well as minimizes the risk of any malicious activity on your system.

Create an account in your domain, limit logon ability, etc., and grant that account permission to SQL as well as to any other directories your app needs to access.

Getting your template right for this account can be a bit tedious at first, but it is your safest bet; built-in accounts are too easily compromised for app pool identities.
0
 

Author Comment

by:andyw27
ID: 38814518
Does that not create a risk that any user can open the web.config and see the password?
0
 
LVL 28

Expert Comment

by:becraig
ID: 38814534
If someone (risky) has access to your server's systemxx directory, the app pool password would be the least of your worries :~)
0
 

Author Comment

by:andyw27
ID: 38814577
Fair point.
0
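An added example, not part of the original thread: a PowerShell audit, run elevated on the IIS server, that lists the identity each application pool runs as (flagging LocalSystem, as in the question) and the anonymous-authentication user of each site, plus a helper that assigns a dedicated account to a pool as becraig's comment suggests. The function name `Set-PoolServiceAccount` and the pool and account names in the usage comment are hypothetical.

```powershell
# Added example: audit IIS identities with the WebAdministration module.
Import-Module WebAdministration

# 1. Which account does each application pool run as?
$pools = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $type = "$($_.processModel.identityType)"
    [pscustomobject]@{
        Pool     = $_.Name
        Identity = if ($type -eq 'SpecificUser') { $_.processModel.userName } else { $type }
        Finding  = if ($type -eq 'LocalSystem') { 'Pool has full control of the machine' } else { '' }
    }
}

# 2. Which account serves anonymous requests on each site?
#    An empty userName means "Application pool identity" in IIS Manager.
$filter = 'system.webServer/security/authentication/anonymousAuthentication'
$sites = Get-Website | ForEach-Object {
    $anon = Get-WebConfiguration -Filter $filter -PSPath "IIS:\Sites\$($_.Name)"
    [pscustomobject]@{
        Site          = $_.Name
        Pool          = $_.applicationPool
        AnonEnabled   = $anon.enabled
        AnonymousUser = if ([string]::IsNullOrEmpty($anon.userName)) {
                            'Application pool identity'
                        } else { $anon.userName }
    }
}

$pools | Format-Table -AutoSize
$sites | Format-Table -AutoSize

# 3. Hypothetical helper: run a pool under a dedicated low-privilege account.
function Set-PoolServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $PoolName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 3   # 3 = SpecificUser
        userName     = $Credential.UserName
        password     = $Credential.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $PoolName
}

# Usage (constructed names):
#   Set-PoolServiceAccount -PoolName 'MyAppPool' -Credential (Get-Credential 'CONTOSO\svc-webapp')
```

When a site's anonymous user is the application pool identity and the connection string uses `Integrated Security=SSPI`, SQL Server sees the pool's account, so that account needs a SQL login and web.config holds no SQL password.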
