2025-03-28 Update. From: SLTechnology News&Howtos (Servers)
Shulou(Shulou.com)06/02 Report--
The application pool (the w3wp.exe worker process) runs as a user we specify, and IIS uses this user to access a variety of system and network resources: reading disk resources, performing system functions, accessing the registry, and reaching resources over the network. The default identity is the built-in Network Service account, which has limited access to the web server and the network but full access to the standard web site content. IIS 7.0 provides three built-in accounts to choose from.
Built-in accounts include: Network Service, Local Service, Local System
Network Service account
The default identity for an application pool is the built-in Network Service account, which has minimal access to the local computer and to network resources. When it accesses a resource on another machine in the same domain (or in a trusting domain), the server authenticates with the Network Service account's network credentials, which are those of the computer account. The remote resource can be a database, a UNC share, or anything else reachable over the network. On the network the Network Service account appears as DomainName\ServerName$. For example, in the domain DomainA, if a server named WebServer1 runs a web site under the Network Service account and that site connects to a SQL Server database on a server named SQLServer1, then for the site to use the database we must grant the necessary SQL access to the DomainA\WebServer1$ account.
The following user rights are assigned explicitly to the Network Service account:
1. Adjust memory quotas for a process
2. Bypass traverse checking
3. Create global objects
4. Generate security audits
5. Impersonate a client after authentication
6. Replace a process level token
As a member of the Everyone group, the Network Service account also inherits the following right:
7. Access this computer from the network
Finally, as a member of the IIS_IUSRS group, the Network Service account inherits the following right:
8. Log on as a batch job
Local Service account
The built-in Local Service account does not have the Network Service account's access to network resources (it presents only anonymous credentials on the network), but it has similar access to local resources. In Windows Vista and Windows Server 2008, the Local Service account holds the following two user rights that the Network Service account does not:
1. Change the system time
2. Change the time zone
If the application pool does not need to access network resources, you can use the Local Service account.
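The two lists above are easy to verify on a real server rather than take on trust. The following script is an added example (not part of the original article): it exports the local security policy with secedit and reports, for each right named above, whether Network Service (SID S-1-5-20) or Local Service (S-1-5-19) holds it, either directly or through the Everyone (S-1-1-0) and IIS_IUSRS (S-1-5-32-568) groups the article mentions. The privilege constants and the temp file path are the only assumptions beyond the article's text.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell
# prompt on the web server. Exports user rights with secedit, then checks which of
# the rights listed in the article are held by the two built-in service accounts,
# counting rights they inherit via Everyone and the local IIS_IUSRS group.

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch location
& "$env:windir\System32\secedit.exe" /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Privilege constants behind the friendly names used in the article.
$rights = @(
    @{ Const = 'SeIncreaseQuotaPrivilege';       Name = 'Adjust memory quotas for a process' },
    @{ Const = 'SeChangeNotifyPrivilege';        Name = 'Bypass traverse checking' },
    @{ Const = 'SeCreateGlobalPrivilege';        Name = 'Create global objects' },
    @{ Const = 'SeAuditPrivilege';               Name = 'Generate security audits' },
    @{ Const = 'SeImpersonatePrivilege';         Name = 'Impersonate a client after authentication' },
    @{ Const = 'SeAssignPrimaryTokenPrivilege';  Name = 'Replace a process level token' },
    @{ Const = 'SeNetworkLogonRight';            Name = 'Access this computer from the network' },
    @{ Const = 'SeBatchLogonRight';              Name = 'Log on as a batch job' },
    @{ Const = 'SeSystemtimePrivilege';          Name = 'Change the system time' },
    @{ Const = 'SeTimeZonePrivilege';            Name = 'Change the time zone' }
)

# Well-known SIDs as they appear in the exported [Privilege Rights] section (prefixed with '*').
$principals = @{
    'S-1-5-20'     = 'NETWORK SERVICE'
    'S-1-5-19'     = 'LOCAL SERVICE'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-568' = 'IIS_IUSRS'
}

# Parse lines of the form "SeXxx = *S-1-5-20,*S-1-5-19,..." into right -> list of SIDs.
# secedit writes the file as UTF-16, hence -Encoding Unicode.
$assigned = @{}
Get-Content $cfg -Encoding Unicode | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -Force

# One line per right: which of the four principals hold it on this machine.
foreach ($r in $rights) {
    $holders = @($assigned[$r.Const]) |
               Where-Object { $_ -and $principals.ContainsKey($_) } |
               ForEach-Object { $principals[$_] }
    $label = if ($holders) { $holders -join ', ' } else { '(none of the checked principals)' }
    '{0,-42} {1}' -f $r.Name, $label
}
```

A right that shows up only under Everyone or IIS_IUSRS is exactly the inherited case the article describes; a right missing from all four principals on a hardened server means a policy (typically a domain GPO) has overridden the defaults listed above, which is worth knowing before you blame an application failure on the pool identity.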
Local System account
The built-in Local System account has full access to the local system and should be avoided wherever possible. If an application pool runs as Local System, then an attacker who can exploit the web site, or who can upload content of their own, can perform any action on the web server.
Although the Local System account carries considerable security risk, it still has one practical use. When troubleshooting a site error, we can temporarily set the application pool identity to Local System and test again: if the error disappears, it was caused by the permissions of the application pool identity, and we have quickly found the root of the problem. Other factors must still be considered in this diagnosis. Once the error has been located, we must set the application pool identity back to a user with appropriate permissions.
Custom user account
Like IIS 6.0, IIS 7.0 also allows us to create a custom user for the application pool identity. This user can be either a local Windows user or a domain user; which kind to create depends on the environment and our specific needs. If we create a domain user, the pool can access network resources such as a UNC share or a database, and we only need to grant that user access to those resources. There are several reasons to create a custom user:
1. The built-in accounts do not meet our needs. For example, if the Local Service account's permissions are insufficient and the Local System account's permissions are far too broad, we can create an account with exactly the permissions required.
2. Web sites need to be isolated from each other. In a shared environment where several mutually untrusting sites run on one web server, we can separate them with custom users; shared web hosting is the main reason to use custom users. Even within one organization it makes sense to separate web sites from each other, because if one site is compromised, then, provided the system is configured properly, the applications in other sites and application pools are not affected.
3. The application pool identity needs to access a network resource. In that case we create a custom domain user and set it as the application pool identity; any program running in that pool then accesses the network resource as that custom user.
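The following script is an added example (not from the original article) that carries the custom user approach through end to end, and it also covers the SQL grant described in the Network Service section above: one site gets its own application pool running as a dedicated domain account, that account gets only the NTFS and database access it needs, and the result is verified with appcmd. The site, pool, path, account, instance and database names are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Puts one site in its own
# application pool running as a dedicated custom user and grants that identity
# only the access it needs. Names below are assumptions for illustration:
#   site and pool : SiteA, content under C:\inetpub\SiteA
#   custom user   : DOMAINA\svc_sitea (a least-privilege domain account)
#   database      : SiteADb on the SQL Server instance SQLSERVER1
# Run from an elevated PowerShell prompt on the IIS 7.0 web server.

$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$site   = 'SiteA'
$pool   = 'SiteA'
$path   = 'C:\inetpub\SiteA'
$user   = 'DOMAINA\svc_sitea'

# Prompt for the account password instead of hard-coding it; appcmd stores it
# encrypted in applicationHost.config.
$secure = Read-Host "Password for $user" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. One pool per site, running as the custom user. A compromise of this site
#    then yields svc_sitea's token, not the identity of any other site.
& $appcmd add apppool /name:$pool
& $appcmd set apppool $pool /processModel.identityType:SpecificUser `
    /processModel.userName:$user /processModel.password:$plain
& $appcmd set app "$site/" /applicationPool:$pool

# 2. NTFS: read/execute on the content, modify only where the app must write.
#    IIS 7.0 adds the pool identity to IIS_IUSRS at runtime, so no group edit is needed.
icacls $path            /grant "${user}:(OI)(CI)RX"
icacls "$path\App_Data" /grant "${user}:(OI)(CI)M"

# 3. Network resource: give the pool identity a SQL login with only the roles it
#    needs. If the pool ran as Network Service instead, the principal to grant
#    would be the machine account, DOMAINA\WEBSERVER1$, as described above.
$principal = $user
$tsql = @"
CREATE LOGIN [$principal] FROM WINDOWS;
USE SiteADb;
CREATE USER [$principal] FOR LOGIN [$principal];
EXEC sp_addrolemember 'db_datareader', '$principal';
EXEC sp_addrolemember 'db_datawriter', '$principal';
"@
sqlcmd -S SQLSERVER1 -E -Q $tsql

# 4. Verify the pool runs as the custom user and not as a built-in account. The
#    same check confirms that a pool temporarily switched to LocalSystem for
#    troubleshooting has been switched back.
& $appcmd list apppool $pool /config | Select-String 'identityType|userName'
```

Two caveats for production use: the password is passed to appcmd on its command line, so it is visible to process auditing while the command runs, and the custom account should be a plain domain user (no local Administrators or Domain Admins membership), otherwise the isolation the custom user was meant to provide is lost.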