

Applications are denied access to resources

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

After a clean installation, IIS 6.0 runs in worker process isolation mode, and application pools run under the Network Service identity by default. Network Service is a built-in account with few user rights, so it provides better security by limiting what a compromised or misbehaving application can reach on the Web server. If you migrate applications to IIS 6.0 while the server is in worker process isolation mode, and those applications previously ran in-process (in Inetinfo.exe) as LocalSystem, they may fail to access resources because of the restrictions imposed by the Network Service identity. The correct fix is to grant the worker process identity access to the specific resources the application needs (for example, NTFS permissions on its content and data directories), not to move the application back to LocalSystem.

The LocalSystem account has access to almost all resources on the operating system, so running a Web application under it has serious security implications: a vulnerability in that application becomes a full compromise of the server. Avoid the LocalSystem account whenever possible. If an application absolutely must run as LocalSystem, run it in its own application pool in its own virtual directory, so that it is isolated from other applications and the attack surface is reduced. As an alternative, if the application needs the "Act as part of the operating system" user right (SeTcbPrivilege, the Trusted Computing Base privilege), run the application pool under a configurable identity (a dedicated account that is a member of the IIS_WPG group) and assign that right to the account. This alternative still presents a security risk, because the Act as part of the operating system right is extremely powerful; grant it only after confirming that the application cannot work without it.
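The following batch script is an added example for this topic; it is not part of the original article or of IIS itself. It walks through the procedure described above on a Windows Server 2003 / IIS 6.0 host: create a dedicated low-privilege account, add it to IIS_WPG, create an isolated application pool running under that account, move the migrated application into the pool, and grant the account NTFS access only to what it needs. The pool name LegacyAppPool, the virtual directory LegacyApp under the Default Web Site (site id 1), the content path C:\Inetpub\LegacyApp with a writable Data subfolder, and the account svc_legacyapp are assumed names chosen for the example. The metabase properties (AppPoolIdentityType, WAMUserName, WAMUserPass, AppPoolId) and the adsutil.vbs, iisvdir.vbs, net, and cacls commands are the standard IIS 6.0 tools; ntrights.exe is from the Windows Server 2003 Resource Kit Tools.

```batch
@echo off
REM Added example, not from the original article: isolate a migrated
REM application that used to run in Inetinfo.exe as LocalSystem into its own
REM application pool under a dedicated low-privilege identity.
REM Assumed names: pool LegacyAppPool, vdir LegacyApp on site 1, content in
REM C:\Inetpub\LegacyApp, local account svc_legacyapp, password passed as %1.
setlocal
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set POOL=LegacyAppPool
set APPUSER=svc_legacyapp
set APPPASS=%1
set CONTENT=C:\Inetpub\LegacyApp

if "%APPPASS%"=="" (
    echo Usage: %~nx0 ^<password-for-%APPUSER%^>
    exit /b 1
)

REM 1. Dedicated identity. A configurable worker process identity must be a
REM    member of IIS_WPG or the application pool will not start.
net user %APPUSER% %APPPASS% /add /passwordchg:no /expires:never
net localgroup IIS_WPG %APPUSER% /add

REM 2. New application pool running as the configurable identity.
REM    AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService,
REM    2 = NetworkService (default), 3 = configurable account.
%ADSUTIL% CREATE W3SVC/AppPools/%POOL% IIsApplicationPool
%ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserName %COMPUTERNAME%\%APPUSER%
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserPass %APPPASS%

REM 3. Give the migrated application its own virtual directory, mark it as
REM    a pooled application, and move it out of DefaultAppPool.
cscript //nologo %SystemRoot%\system32\iisvdir.vbs /create "Default Web Site" LegacyApp %CONTENT%
%ADSUTIL% APPCREATEPOOLPROC W3SVC/1/ROOT/LegacyApp
%ADSUTIL% SET W3SVC/1/ROOT/LegacyApp/AppPoolId %POOL%

REM 4. Least privilege on the file system: grant the pool identity only what
REM    the application needs instead of restoring LocalSystem.
REM    cacls /E edits the existing ACL, /T recurses, R = read, C = change.
cacls %CONTENT% /T /E /G %APPUSER%:R
cacls %CONTENT%\Data /T /E /G %APPUSER%:C

REM 5. Last resort only. If the application genuinely needs the
REM    "Act as part of the operating system" right (SeTcbPrivilege), grant
REM    it to this one identity rather than running the pool as LocalSystem.
REM    Uncomment after confirming the application fails without it.
REM ntrights -u %APPUSER% +r SeTcbPrivilege

REM 6. Verify the pool identity and that the vdir points at the new pool.
%ADSUTIL% GET W3SVC/AppPools/%POOL%/AppPoolIdentityType
%ADSUTIL% GET W3SVC/AppPools/%POOL%/WAMUserName
%ADSUTIL% GET W3SVC/1/ROOT/LegacyApp/AppPoolId
endlocal
```

Run the script once from an elevated command prompt, then request a page from the application: an "access denied" at this point names the exact file, registry key, or other resource that still needs an ACL entry for svc_legacyapp, which is the grant to add next. Avoid widening the identity to LocalSystem or to SeTcbPrivilege in response to a single failure without first identifying the resource involved.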

Note

By default, IIS 6.0 worker processes run under the low-privileged Network Service account. This account does not have permission to write to the System event log, so application events, including CGI events, are written to the Application event log.

For more information, see Configuring Worker Process Identities and IIS and Built-in Accounts.