IIS 8.0 - ApplicationPoolIdentity account security permissions

I am running my ASP.NET application in IIS 8.0 with the following settings:
* Anonymous Authentication (mapped to ApplicationPoolIdentity)
* Application Pool's Identity mapped to "ApplicationPoolIdentity"
My understanding is that it will create an account named "IIS Apppool\" and the worker process will run under that account.
My questions are:
* What permissions will the "IIS Apppool\" account have?
* My application is trying to write some logs outside the application folder, but the logs still get written. Under what permissions are these logs being written outside the application/website's folder?
* Is this a security issue?
* How do I restrict the "IIS Apppool\" permissions to the application folder only?
Thanks!!!

Answers are inline.
What permissions will the IIS Apppool\ account have?
The default permissions are described here.
You can read more here.
My application is trying to write some logs outside the application folder, still the logs are getting written. Under what permissions these logs are getting written outside application\website's folder?
This depends on a lot of factors. By default the application pool identity will be used. See this article to determine what identity will be used.
Is this a security issue?
No, this is not a security issue.
How do I restrict the "IIS Apppool\" permissions to the application folder only?
You actually need to do it the other way around: you need to restrict the access of the IIS AppPool identity on other folders. One way would be to use Group Policy.

Related

What identity does iis 8.5 run under?

It's on Windows Server 2012 R2, and my research says it's IUSR_MACHINENAME, which doesn't even come up when I try to add it to the folder's security list.
The error I'm getting is: Access to the path denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
About the access error you mentioned, you can try this:
Make the specific folders being accessed read/write for the users who need it; this can be a single user or a group of users within the organization. For example: right-click, Security tab, and give IIS_IUSRS read and write permissions on the folder. Another way is to set the .NET Framework v4 application pool to "Integrated" instead of "Classic".
You can refer to this thread for a similar issue: ASP.NET is not authorized to access the requested resource when accessing temp folder
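The accepted answer to the main question above says the pool identity must be restricted on folders outside the application, and this answer suggests granting IIS_IUSRS read/write on a specific folder. Both come down to NTFS ACL management for IIS principals, so here is one added PowerShell example (not code from either answer) that grants an application pool's virtual account least-privilege rights on its own folders and then audits where that account, or the broad groups it belongs to, can still write. The pool name "MyAppPool", the folders C:\inetpub\wwwroot\MyApp and D:\Logs\MyApp, and the audit root D:\ are assumed placeholders.

```powershell
# Added example, not code from the original thread. Assumes an existing
# application pool "MyAppPool" (the "IIS AppPool\<name>" account is only
# resolvable while the pool exists), site content in C:\inetpub\wwwroot\MyApp
# and a log folder D:\Logs\MyApp. Run from an elevated PowerShell session.

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights
    )
    # Allow ACE inherited by subfolders and files. SetAccessRule replaces any
    # existing Allow ACE for this identity and leaves other principals alone.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Find-WritableFolders {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string[]]$Principals
    )
    # "Write" covers WriteData/AppendData/WriteAttributes/WriteEA; Modify and
    # FullControl both include these bits, so one mask catches all three.
    # Unmapped generic rights (shown by Get-Acl as raw numbers) are not matched.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            foreach ($ace in (Get-Acl -Path $dir -ErrorAction SilentlyContinue).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $Principals -contains $ace.IdentityReference.Value -and
                    (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                    [pscustomobject]@{
                        Folder    = $dir
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# --- usage (placeholder names) ---
$poolName = 'MyAppPool'
$identity = "IIS AppPool\$poolName"   # virtual account created with the pool

# Content: read/execute only. Logs: modify, on that one folder only.
Grant-FolderAccess -Path 'C:\inetpub\wwwroot\MyApp' -Identity $identity -Rights ReadAndExecute
Grant-FolderAccess -Path 'D:\Logs\MyApp'            -Identity $identity -Rights Modify

# The worker process also holds the tokens of these groups, so an ACE for any
# of them lets it write there. This is why logs "outside the application
# folder" can still be written: some ACE on that path allows it.
$iisPrincipals = @($identity, 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'Everyone')
Find-WritableFolders -Root 'D:\' -Principals $iisPrincipals |
    Where-Object { $_.Folder -notlike 'D:\Logs\MyApp*' } |
    Format-Table -AutoSize
```

The audit output is the list to work through: every row outside the intended log folder is a location the pool can write to that an ACL change (or the Group Policy approach the answer mentions) should remove or narrow. Granting a broad group such as IIS_IUSRS, as this answer suggests, fixes the access error but widens that list for every pool on the server; granting the specific "IIS AppPool\<name>" account keeps the change scoped to one application.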

C# ldap creation of local/ domain user throws Access Denied Error

A new local/domain user needs to be created using a web-based application.
I have used the System.DirectoryServices and System.DirectoryServices.AccountManagement namespaces to achieve it.
So if I run the application using Visual Studio (2012), everything goes smoothly (the user is getting added to Active Directory!).
But if I host the website in IIS and try to do the same operation, it throws an error message saying Access is Denied.
I did some research and found the reason as well: it is happening because the application pool identity is set to a user who has only user privileges.
But for security reasons, a user with administrative privileges cannot be given as the application pool identity in the application.
So, is there any alternative way to bypass this application pool identity and allow the user to create a local/domain user successfully?
Waiting for your valuable replies/suggestions.

IIS7 Post/Put/Patch/Delete WCF oData - Authentication Failure 401.3

After migrating from IIS6 to IIS7, all sites using a WCF oData service would prompt for credentials when attempting to make a Post/Put/Patch/Delete request. The user would be continually prompted for credentials until they cancelled the request. After cancelling the request, they would receive a 401.3 response from the server.
If a user is granted modify permission on the folder containing the *.svc file for the WCF oData service they are then authorized to make requests with those verbs. Asp.Net impersonation is not turned on.
The AppPool is running Integrated .Net 4 under a service account with modify permissions to the site's folders/files.
Update:
It seems this is as designed. Granting ServerName\Users modify access to the *.svc does resolve the issue. Addendum: Specifically, it looks like Domain Users or Authenticated Users need modify rights to the *.svc.
Final update: changed the wording to make the question more general/easy to find for others
This is by design. If you disable impersonation, then NTFS ACLs are used to secure the resource. I know it seems odd at first, but some thought will lead you to an understanding that it is a reasonable approach given the constraints of this particular configuration. This behaviour is documented on MSDN.

MS Active Directory and non-member authentication

I have a Java application that authenticates against Active Directory. When running the program on a machine that is part of the domain, the application is able to authenticate successfully. When executed on the server, however, the authentication fails.
Is there a way from Active Directory to block LDAP authentication from non-domain machines? If there is, is it an "all or nothing" setting or can it be configured with certain exceptions?
You can try to enable anonymous queries. See here.
PS: this wouldn't be good from a security point of view.

What user account does my IIS-hosted WCF service run under?

What user account does my .Net WCF service run under when I am hosting it in IIS 7?
Is it the IUSR_machine account?
What is the easiest way for me to run under a different account? (Just for this service, I don't want other things hosted in my IIS to be affected).
To change just the single application, you'll need to create a new application pool and change the identity for that pool. That way, every other application will continue to run as-is, as the applications that use your new app pool will use that new identity.
To set the account used by anonymous users for a particular site, open the properties for that web site. Then, go to the Directory Security tab. Click the "edit" button in the authentication and access control box. In the window that appears you can specify the user account which will be used for anonymous access to the site. This will control the account used to access files, but may not apply to ISAPI applications (in which case a new application pool will be needed with its own permissions as already mentioned).
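The answer above describes the IIS 6 dialog; on IIS 7 and later the same two steps (a dedicated application pool with its own identity, and the anonymous user setting) can be scripted with the WebAdministration module. This is an added example, not code from the original answer: the pool name "WcfServicePool", the site "Default Web Site" and the application "MyWcfService" are assumed placeholders.

```powershell
# Added example, not from the original answer. Run in an elevated session on
# IIS 7 or later with the WebAdministration module installed.
Import-Module WebAdministration

function New-DedicatedAppPool {
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$AppName,
        # Omit to use the built-in "IIS AppPool\<PoolName>" virtual account.
        [System.Management.Automation.PSCredential]$Credential
    )
    $poolPath = "IIS:\AppPools\$PoolName"
    $appPath  = "IIS:\Sites\$SiteName\$AppName"

    # A pool of its own, so no other application on the server is affected.
    if (-not (Test-Path $poolPath)) { New-WebAppPool -Name $PoolName | Out-Null }
    Set-ItemProperty -Path $poolPath -Name managedRuntimeVersion -Value 'v4.0'
    Set-ItemProperty -Path $poolPath -Name managedPipelineMode   -Value 'Integrated'

    if ($Credential) {
        # identityType 3 = SpecificUser. IIS stores the password encrypted in
        # applicationHost.config; the account only needs rights on this app's folders.
        Set-ItemProperty -Path $poolPath -Name processModel -Value @{
            identityType = 3
            userName     = $Credential.UserName
            password     = $Credential.GetNetworkCredential().Password
        }
    } else {
        # identityType 4 = ApplicationPoolIdentity (the virtual account).
        Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value 4
    }

    # Move only this application to the new pool.
    Set-ItemProperty -Path $appPath -Name applicationPool -Value $PoolName

    # IIS 7+ counterpart of the "anonymous user" setting in the answer above: an
    # empty userName makes anonymous requests run as the pool identity instead
    # of IUSR. Written as a <location> entry so it works even when the
    # anonymousAuthentication section is locked at server level.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$AppName" `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName -Value ''

    # Return what is now in effect so the change can be checked.
    $pm = Get-ItemProperty -Path $poolPath -Name processModel
    [pscustomobject]@{
        Pool         = $PoolName
        IdentityType = $pm.identityType
        UserName     = $pm.userName
        AppPool      = (Get-ItemProperty -Path $appPath -Name applicationPool)
    }
}

# Built-in virtual account (IIS AppPool\WcfServicePool):
New-DedicatedAppPool -PoolName 'WcfServicePool' -SiteName 'Default Web Site' -AppName 'MyWcfService'

# Or a dedicated low-privilege service account; prompts for the password:
# New-DedicatedAppPool -PoolName 'WcfServicePool' -SiteName 'Default Web Site' -AppName 'MyWcfService' `
#     -Credential (Get-Credential -Message 'Service account for the pool')
```

The returned object shows the identity type and user name actually applied to the pool and which pool the application is now in. Whichever identity is chosen, the NTFS permissions the worker process ends up with are those granted to that account (plus IIS_IUSRS, which IIS adds to the token), which is what determines access to the service's files.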