pools and permissions

In terms of IIS, what exactly is (in low tech management freindly terms) a web app "pool"..... is this just a collection of sites/apps? And why do you potentially have 1 pool or many pools on the same server? What types of sites/apps would you typically pool together?

Also - what are the risks of specific pools running under the security context of the local SYSTEM and/or a local admin account? Is this considered bad practice. How can you determine what permissions the pools need to run under, or is SYSTEM/LA permissions often genuinely required?

where in IIS can you identify what permissions a pool is running under?
LVL 4
pma111Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
Since you are on a IIS question rampage ;-) it might be best to point you to IIS website.  You will find answers to most, if not all, of your fundamental IIS questions.

link:  http://www.iis.net/learn/get-started/introduction-to-iis

But to quickly answer you question:

An AppPool is nothing more than a process and supports the operation of the web site(s) defined to run with in.  It is sort of a isolated sand box for your sites functionality.  There is a direct relationship between an AppPool and a running process in the OS.  AppPools can be found using Task Manager, the processes are all named w3wp.exe.

Best practice is to have 1 AppPool per web site.  This way if a web site crashes, it only affects that web site.  If 2 or more web sites share an AppPool, if 1 site crashes the AppPool, all sites go down.

Running an AppPool as the SYSTEM account is a massive security risk.  You are essentially giving that AppPool admin access to the server.  Bad practice, never do this.

Best thing to do is leave the defaults in place when building web sites and AppPools.  The AppPool with run with a minimal permission profile (for Server 2012+ & IIS8+) which usually allows typical content websites to function normally.

In IIS Manager, expand the server object and select Application Pools.  In the right hand panel you will see a list of AppPools configured for IIS and their status.

Dan

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.