
Configuring Web Sites and Applications for Isolation

Updated: August 22, 2005

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Complete the following steps to identify when Web sites and applications require isolation for security reasons:

Note
Running worker processes under different identities can cause application compatibility problems, especially for Web sites that use user authentication.

  1. Create a list of the Web sites and applications to be hosted on the Web server.

  2. Group the Web sites and applications by organization (or business unit within an organization if all of the Web sites and applications hosted on the Web server are owned by one organization).

  3. Subdivide each group created in the previous step into smaller groups of Web sites and applications that require the same user rights and resource access.

  4. For each group created in the previous step, create a new application pool to be used by the Web sites and applications within the pool.

    For information about how to create application pools, see Isolate Applications in Worker Process Isolation Mode.

  5. Assign the Web sites and applications within each group to the corresponding application pool.

    For information about how to assign the Web site to the new application pool, see Isolate Applications in Worker Process Isolation Mode.

  6. For each application pool, create a service account to be used as the application pool identity.

    In IIS, the default identity for newly created application pools is NetworkService. To ensure that you can properly assign permissions to resources, create a new service account. A service account is a user account that is created explicitly for the purpose of providing a security context for services running on Windows Server 2003.

    In addition, you must add the service account to the IIS_WPG group to provide the appropriate access to the IIS metabase and content. The IIS_WPG group is granted the appropriate user rights and resource permissions to allow most Web sites and applications to run properly.

    For more information about how to create a service account to be used as an identity for an application pool and how to add the account to the IIS_WPG group, see Create a Service Account.

  7. Assign any additional user rights to the application pool identities.

    User rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, whereas permissions are attached to objects.

    The user rights granted to the IIS_WPG group are sufficient for most Web sites and applications. When the user rights granted to the IIS_WPG group are insufficient, grant the user account used as the identity for the application pool only those user rights that are necessary to ensure the appropriate operation and behavior of the application. Ensure that any nonessential user rights are removed to prevent the Web sites and applications from having elevated user rights.

    For more information about how to grant the appropriate user rights for an application pool identity, see Grant User Rights to a Service Account.

  8. Assign the service account identity to the corresponding application pool.

    For more information about how to assign the identity to the corresponding application pool, see Configure Application Pool Identity.

  9. Assign the appropriate resource permissions, such as NTFS or SQL database permissions, to the application pool identities.

    Assign only the NTFS file and folder permissions that are necessary to ensure the appropriate operation and behavior of the application. By default, grant only Read permissions to the application pool identity to ensure that the Web sites and applications in the application pool cannot modify the Web site content or other files on the Web server. If the applications require Write access to any files and folders, consult the application developers to determine if the application can be modified so that Write access is not required.
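The procedure above (steps 4 through 9) carried out against the IIS 6.0 metabase through its ADSI provider, as an added PowerShell example that is not part of the original page. It assumes PowerShell is installed on the Windows Server 2003 Web server and runs as a local administrator; the pool name, service account name, site ID 1 and content folder are placeholders.

```powershell
# Added example, not from the original page. Assumes IIS 6.0 in worker process
# isolation mode and PowerShell on the server; all names below are placeholders.
$poolName   = 'FinancePool'          # one pool per group from step 4
$svcAccount = 'svc_FinancePool'      # local service account, step 6
$siteId     = 1                      # metabase ID of the Web site, step 5
$contentDir = 'D:\WebSites\Finance'  # site content folder, step 9
$svcPass    = Read-Host 'Password for the service account'  # prompted, not stored

# Step 4: create the application pool in the metabase (IIS://.../W3SVC/AppPools).
$pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
$pool  = $pools.Create('IIsApplicationPool', $poolName)
$pool.SetInfo()

# Step 5: move the site's root application into the new pool.
$root = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
$root.AppPoolId = $poolName
$root.SetInfo()

# Step 6: create the local service account with the WinNT ADSI provider.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$user = $computer.Create('user', $svcAccount)
$user.SetPassword($svcPass)
$user.SetInfo()
# ADS_UF_PASSWD_CANT_CHANGE (0x40) + ADS_UF_DONT_EXPIRE_PASSWD (0x10000)
$user.UserFlags = 0x40 -bor 0x10000
$user.SetInfo()

# Step 6 (continued): IIS_WPG membership supplies the metabase and content access
# most pools need. Do not add the account to Users or Administrators.
$wpg = [ADSI]"WinNT://$env:COMPUTERNAME/IIS_WPG,group"
$wpg.Add("WinNT://$env:COMPUTERNAME/$svcAccount,user")

# Step 7 is skipped here: the rights granted to IIS_WPG are sufficient for this pool.

# Step 8: run the pool as the service account (AppPoolIdentityType 3 = specific user).
$pool.AppPoolIdentityType = 3
$pool.WAMUserName = "$env:COMPUTERNAME\$svcAccount"
$pool.WAMUserPass = $svcPass
$pool.SetInfo()

# Step 9: grant this identity read-only NTFS access to the content, nothing more.
$acl  = Get-Acl $contentDir
$rule = New-Object Security.AccessControl.FileSystemAccessRule(
            "$env:COMPUTERNAME\$svcAccount", 'ReadAndExecute',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl $contentDir $acl
```

After the pool starts, confirm in Task Manager or Event Viewer that the w3wp.exe process for this pool runs as the service account rather than NetworkService.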
