Isolating Web Sites and Applications

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Although some of the Web servers that you deploy host only one Web site or application, you might also need to host multiple Web sites and applications on the same Web server. When a Web server hosts multiple Web sites and applications, each Web site and application requires a certain level of isolation.

For example, an Internet service provider (ISP) might host Web sites and applications for hundreds of organizations, each having a unique Web site. In this situation, the security requirements of each organization require a high degree of isolation between Web sites and applications.

Figure 3.4 illustrates the tasks involved in the process of isolating your Web sites and applications.

Figure 3.4   Isolating Web Sites and Applications


You need to prevent multiple Web sites and applications that are hosted on the same Web server from adversely interacting with one another. When IIS 6.0 is running in worker process isolation mode, you can isolate Web sites and applications hosted on the same Web server by specifying that the Web sites and applications belong to separate application pools. An application pool is a grouping of Web sites or applications served by the same worker process. Application pools can be used to help prevent the Web sites and applications running in one application pool from accessing the content contained in another application pool.

For each application pool, you can specify an application pool identity, which is a user account that is assigned to an application pool. After specifying the application pool identity, you assign permissions (such as NTFS permissions or SQL database permissions) for each application pool identity. Because individual application pools can use different identities, you can selectively grant or deny resource access to an application pool. The Web sites and applications running in an application pool have the same user rights and resource permissions assigned to the application pool identity.

For more information about setting NTFS permissions for Web sites and applications, see Setting NTFS Permissions earlier in this section.
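
The following check is an added example, not part of the original documentation. It reads a metabase export and reports Web sites that share an application pool and application pools that share an identity, the two cases in which per-pool permissions cannot distinguish one site from another. The sample XML is a constructed, simplified fragment modelled on MetaBase.xml; the function names and the pool and account names are hypothetical, inherited AppPoolId values are not resolved, and a pool with no explicit identity type is assumed to use the NetworkService default.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: simplified fragment modelled on IIS 6.0 MetaBase.xml.
SAMPLE = r"""<MBProperty>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/ContosoPool"
    AppPoolIdentityType="3" WamUserName="WEB01\svc_contoso"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/FabrikamPool" AppPoolIdentityType="2"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AppPoolId="DefaultAppPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" AppPoolId="ContosoPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/4/ROOT" AppPoolId="FabrikamPool"/>
</MBProperty>"""

# AppPoolIdentityType values 0-2 are built-in accounts; 3 means WamUserName.
BUILTIN = {"0": "LocalSystem", "1": "LocalService", "2": "NetworkService"}

def local_name(tag):
    """Drop an XML namespace prefix such as '{urn:...}' from a tag."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (finding, subject, members) tuples for weak isolation."""
    identity, sites = {}, defaultdict(set)
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location", "")
        if local_name(el.tag) == "IIsApplicationPool":
            kind = el.get("AppPoolIdentityType", "2")  # assumed default
            name = loc.rsplit("/", 1)[-1]
            identity[name] = (el.get("WamUserName", "") if kind == "3"
                              else BUILTIN.get(kind, "unknown"))
        elif el.get("AppPoolId") and loc.upper().startswith("/LM/W3SVC/"):
            # /LM/W3SVC/<site id>/ROOT/... : record the site using this pool
            sites[el.get("AppPoolId")].add(loc.split("/")[3])
    findings = []
    for pool, ids in sorted(sites.items()):
        if len(ids) > 1:  # several sites run in one worker process
            findings.append(("shared_pool", pool, sorted(ids)))
    by_identity = defaultdict(list)
    for pool in sorted(sites):
        by_identity[identity.get(pool, "unknown").lower()].append(pool)
    for ident, pools in sorted(by_identity.items()):
        if len(pools) > 1:  # ACLs cannot tell these pools apart
            findings.append(("shared_identity", ident, pools))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```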

Note

Web sites and applications that are running in the same application pool can affect the availability of other Web sites and applications in the same application pool. To enhance the availability of your Web sites and applications, isolate unstable Web sites and applications in a separate application pool. For more information about improving the availability of your Web server through application pools, see Ensuring Application Availability.