Identity on the App Pools

Author
hgurol
Senior Member
2005/08/21 04:09:25 (permalink)

Identity on the App Pools

I have chosen to assign websites their own application pools, and I don't understand why the application pools still run under the default "Network Service" account instead of each website's "Web Anonymous user" account?

I cannot see the logic behind not doing so, if there is any!
#1


    The Bitland Prince
    Starting Member
    RE: Identity on the App Pools 2005/08/21 15:48:12 (permalink)
    Application Pools can be used to keep one or more groups of websites/applications isolated from each other in order to prevent them from damaging other applications. For example, if an application crashes, that won't affect applications in other pools.

    Pool Identity is a way to better enforce isolation by assigning each pool different rights. Even if the pool is started using NETWORK SERVICE credentials, each website will run using its own anonymous user's credentials. In Task Manager, you will see that each pool runs as NETWORK SERVICE, but this is normal because this user has rights to "start as service", which is required to spawn a new process from IIS. However, this doesn't relate to security, which is then enforced at system level for each website.

    Hope this helps.
    #2
    hgurol
    Senior Member
    RE: Identity on the App Pools 2005/08/22 00:45:03 (permalink)
    Thanks for the extra info, but I still cannot see the logic behind not doing so, if there is any?

    #3
    The Bitland Prince
    Starting Member
    RE: Identity on the App Pools 2005/08/22 08:18:54 (permalink)
    If your pool runs as a different user, it will be able to do different things like accessing remote resources, accessing parts of file systems and so on. This is especially useful if you have a web garden where you can access different resources and log on to a remote server.

    This follows the same logic by which every service on your Win2003 system can run as a different user (if policy allows that), even if most of them run as LOCAL SERVICE.

    Best regards.
    #4
    HC Team
    Hosting Controller
    RE: Identity on the App Pools 2005/08/22 10:16:23 (permalink)
    Nice explanation, "Prince". :) "hgurol", if you still have this problem then please let me know.
    #5
    hgurol
    Senior Member
    RE: Identity on the App Pools 2005/08/22 10:22:48 (permalink)
    Running the app pools of the websites with their assigned web anonymous accounts gives a lot more flexibility to be able to manage the security of the sites; the more or the less. I really *still* don't find it logical to run all of them with the same 'Network Service' account; will never do.

    However, as you mentioned earlier, even if you do run them with the generic 'Network Service' account, I couldn't manage to write to another website's wwwroot using FSO. It seems to have the necessary permission on paper, but it doesn't work when I test it. Honestly, it was a big surprise for me. That was my initial concern and yes, my tests proved that you are right about it :)

    Even with all that said, I still find it weird not to run the app pools with the site's web anonymous account. Anyway, I will keep my mouth shut about it, as long as it doesn't come back to me as a security issue.

    Thank you Bitland Prince, you have been very helpful :)

    #6
    The Bitland Prince
    Starting Member
    RE: Identity on the App Pools 2005/08/23 04:09:24 (permalink)
    Glad to help when I can ;-)
    #7
    funky123
    Junior Member
    RE: Identity on the App Pools 2009/06/02 06:49:04 (permalink)
    I do have a concern here. I still feel there should be different app pool identities; in fact, I guess IIS 7.0 incorporates the same now as well.

    Especially when one of the ASP.NET sites has modify permissions on any of the folders under the web root for the pool identity.

    If two sites work in the same application pool, nothing would stop a script on one site from accessing files on the second one *provided* it knows the exact path to the modifying folder. This path could be guessed from reverse IP-to-domain resolving and the general folder structure.

    post edited by funky123 - 2009/06/02 06:57:13
    #8
    janmanzer411
    Junior Member
    RE: Identity on the App Pools 2009/09/14 19:26:52 (permalink)
    funky123

    I do have a concern here. I still feel there should be different app pool identities; in fact, I guess IIS 7.0 incorporates the same now as well.

    Especially when one of the ASP.NET sites has modify permissions on any of the folders under the web root for the pool identity.

    If two sites work in the same application pool, nothing would stop a script on one site from accessing files on the second one *provided* it knows the exact path to the modifying folder. This path could be guessed from reverse IP-to-domain resolving and the general folder structure.

    Got the same problem here too, the identities are mixed up.
    #9
    HC Staff
    HC Staff
    RE: Identity on the App Pools 2009/09/15 10:22:03 (permalink)
    You can create a separate application pool with every new website; this could avoid conflict.
    #10
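
An audit for the two conditions discussed in this thread (several sites in one pool, and separate pools that still run under one account), added here as an example and not posted by anyone in the thread. It assumes IIS 7.0 or later with the WebAdministration module, PowerShell 3.0 or later and an elevated prompt; `Get-PoolAccount` and `Get-IsolationFindings` are hypothetical helper names.

```powershell
# Added example: requires the WebAdministration module (IIS 7.0+) and an elevated prompt.
Import-Module WebAdministration

# Resolve the account a pool's worker process (w3wp.exe) runs as.
function Get-PoolAccount($Pool) {
    $pm = $Pool.processModel
    switch ("$($pm.identityType)") {
        'SpecificUser'            { $pm.userName }
        'ApplicationPoolIdentity' { "IIS AppPool\$($Pool.Name)" }  # virtual account, unique per pool
        default                   { "$($pm.identityType)" }        # e.g. NetworkService, LocalSystem
    }
}

function Get-IsolationFindings {
    # Map pool name -> account it runs as.
    $account = @{}
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $account[$pool.Name] = Get-PoolAccount $pool
    }

    # One row per site: which pool it uses and which account that pool runs as.
    $rows = foreach ($site in Get-Website) {
        [pscustomobject]@{
            Site    = $site.Name
            Pool    = $site.applicationPool
            Account = $account[$site.applicationPool]
        }
    }

    # Finding 1: several sites in one pool share a worker process and its identity.
    $rows | Group-Object Pool | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Finding = 'SharedPool'; Key = $_.Name
                           Sites = ($_.Group | ForEach-Object { $_.Site }) -join ', ' }
    }

    # Finding 2: sites whose pools run as the same account, even if the pools differ.
    $rows | Group-Object Account | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Finding = 'SharedAccount'; Key = $_.Name
                           Sites = ($_.Group | ForEach-Object { $_.Site }) -join ', ' }
    }
}

Get-IsolationFindings | Format-Table -AutoSize
```

A `SharedAccount` row means a file-system permission granted to that account for one listed site is equally available to the worker processes of the others, so those ACLs are the next thing to review.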