Lockedwindows file permissions - write access

Senior Member
2011/10/26 03:59:20 (permalink)

windows file permissions - write access

Im not sure how to understand the permissions and users the websites are running as/on. Each website gets its own app pool to isolate them, but it seams they are running all as "network service". This is a bit annoying when looking at the process list since its impossible to see what website is using the CPU if something is using alot/all.
Thats one thing - the other is permissions. I was reading a forum post that the pool is started as "network service" but its really running as the websites annonymous user. How is this setup?
I see my customers "fix" the missing write permisssions by allowing "network service" full access - this im sure is not the best idea. If I understand the other forumpost correct then the actual real best way to let the website write the folders and files is to give write/full permisssions to the website annonymous user, correct?
or what to do? whats the correct and safe way to give write/full permissions to the website and still make sure that its not possible to access/write other websites files?

2 Replies Related Threads

    Senior Member
    Re:windows file permissions - write access 2011/10/27 02:27:09 (permalink)
    I was testing what write permissions are needed to get a Umbraco CMS running under HC. I added full permissions for the websites annonymous user - no effect, the site did not work. Then I added full permissions to network service and then the site was working and able to write to the folders.
    so, still need to understand what the annonymous user is for since it seams it has no permissions effect and why/how its secure that you need to give network service full access?
    or even better - why this im finding is wrong and what the right way is :)
    HC Staff
    HC Staff
    Re:windows file permissions - write access 2011/10/27 07:09:03 (permalink)
    Well as I’ve seen it; its quite easy to handle it in IIS7 where you can set which anonymous user to be used for anonymous access. But for IIS6; there is no option provided in IIS6 settings to change it. 
    A certain question raise:-
    What exactly is the purpose of configuring IIS 6's application pools to run under user accounts different from "network service"? It doesn't seem to have any impact on ASP pages, as they are always executed under the user account which is actually accessing the page.
    If IIS is configured to allow anonymous access to a website using an account called "AccountA" and the application pool used by the website is configured to run using an account called "AccountB", an ASP page gets executed with AccountA's credentials; I have verified this with pages that access a SQL Server database using Windows integrated authentication, by only allowing
    AccountA to login to the database.
    So, what's the purpose of the application pool identity? What is actually done with this account's credentials? How does it impact security on a web server which is hosting several websites?
    ASP.NET content (and other types of content) are processed using the webapplication pool's identity (when impersonation is not enabled) Classic ASP files and files handled by the IIS static file handler alwayshave "impersonation" enabled, and will be accessed by either the configureAnonymous User account, or the account entered by the end user

    When user enable .net scripting language from panel (even if it map by default with new site creation) HC adds Network Service user permissions on the domain.com/www folder. HC set the application pool identity " Network Service " so basically this is the user which must have permissions on the www folder to execute ASP script pages.
    On the other hand website anonymous user we give it READ permissions so that website could be accessed by any user without prompting for authentication.
    We are planning to change new application pool creation mechanism in IIS7 where HC will set domain Owner as a identity in the application pool and this integration will be included in future releases.
    Jump to: