IIS and Built-in Accounts

Applies To: Windows Server 2003, Windows Server 2003 with SP1

IIS uses a number of built-in Windows accounts, as well as accounts that are specific to IIS. For security reasons, you should be aware of the different accounts and their default user privileges. It can be a security risk to change the identity of a worker process so that it runs as an account with a high level of access, such as the LocalSystem user account.

LocalSystem

The built-in LocalSystem user account has a high level of access privileges; it is part of the Administrators group. If a worker process identity runs as the LocalSystem user account, that worker process has full access to the entire system. When IIS 6.0 is running in IIS 5.0 isolation mode, this is the default user account for worker process identities. LocalSystem has one default user right, Full access.

Network Service

The built-in Network Service user account has fewer access privileges on the system than the LocalSystem user account, but the Network Service user account is still able to interact throughout the network with the credentials of the computer account. For IIS 6.0, it is recommended that the worker process identity that is defined for application pools run as the Network Service user account, which is the default setting. The following table shows the default user privileges for the Network Service account, along with how each privilege is derived.

Privilege | Source
Replace a process-level token (SeAssignPrimaryTokenPrivilege) | Explicit assignment
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Explicit assignment
Generate security audits (SeAuditPrivilege) | Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Access this computer from the network (SeNetworkLogonRight) | Through membership in the Everyone group
Log on as a batch job (SeBatchLogonRight) | Through membership in the IIS_WPG group
Log on as a service (SeInteractiveLogonRight) | Explicit assignment
Impersonate a client after authentication | Through membership in the IIS_WPG group

Local Service

The built-in Local Service user account has fewer access privileges on the computer than the Network Service user account, and those user privileges are limited to the local computer. Use the Local Service user account if the worker process does not require access outside the server on which it is running. The following table shows the default user privileges for the Local Service account, along with how each privilege is derived.

Privilege | Source
Replace a process-level token (SeAssignPrimaryTokenPrivilege) | Explicit assignment
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Explicit assignment
Generate security audits (SeAuditPrivilege) | Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Access this computer from the network (SeNetworkLogonRight) | Through membership in the Everyone group
Log on as a batch job (SeBatchLogonRight) | Explicit assignment
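A way to check that the Network Service and Local Service identities on a server still hold only the explicit assignments listed in the two tables above: parse the [Privilege Rights] section of a `secedit /export /cfg <file>` dump and report any right held beyond the documented defaults. This is an added example, not part of the original article; the export text is constructed, the real file is UTF-16 and must be decoded first, and only the well-known SIDs S-1-5-19 (Local Service) and S-1-5-20 (Network Service) are assumed.

```python
"""Compare the privileges held by the IIS worker-process identities against
the documented defaults, using the [Privilege Rights] section of a
`secedit /export /cfg <file>` dump (decode the UTF-16 file before passing it)."""

# Well-known SIDs; secedit writes resolved principals as *<SID>.
LOCAL_SERVICE = "*S-1-5-19"
NETWORK_SERVICE = "*S-1-5-20"

# Explicit assignments from the tables above. Rights obtained through Everyone
# or IIS_WPG membership appear under those groups, not under the account SID.
# secedit exports the "Log on as a service" right as SeServiceLogonRight.
DOCUMENTED = {
    NETWORK_SERVICE: {"SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege",
                      "SeAuditPrivilege", "SeServiceLogonRight"},
    LOCAL_SERVICE: {"SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege",
                    "SeAuditPrivilege", "SeBatchLogonRight"},
}

def parse_privilege_rights(text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    grants, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and "=" in line:
            right, principals = line.split("=", 1)
            grants[right.strip()] = {p.strip() for p in principals.split(",") if p.strip()}
    return grants

def audit_identity(grants, sid):
    """Return (missing, extra) rights for sid relative to the documented defaults."""
    held = {right for right, who in grants.items() if sid in who}
    expected = DOCUMENTED[sid]
    return sorted(expected - held), sorted(held - expected)

# Constructed sample: a default-looking export in which NETWORK SERVICE has
# also been granted SeDebugPrivilege, which is not among its documented defaults.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-20
SeBatchLogonRight = *S-1-5-19,*S-1-5-32-544,IIS_WPG
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-20
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    grants = parse_privilege_rights(SAMPLE)
    for name, sid in (("NETWORK SERVICE", NETWORK_SERVICE), ("LOCAL SERVICE", LOCAL_SERVICE)):
        missing, extra = audit_identity(grants, sid)
        print(f"{name}: missing={missing} beyond documented defaults={extra}")
```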

IIS_WPG

The IIS_WPG group account, which is specific to IIS, has the minimum permissions and user privileges that are necessary to start and run a worker process on a Web server. Application pool identities must be members of this group so that the application pool can register with Http.sys. The following table shows the default user privileges for the IIS_WPG account, along with how each privilege is derived.

Privilege | Source
Access this computer from the network (SeNetworkLogonRight) | Through membership in the Everyone group
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Impersonate a client after authentication (SeImpersonatePrivilege) | Explicit assignment
Log on as a batch job (SeBatchLogonRight) | Explicit assignment

IUSR_ComputerName

The IIS IUSR_ComputerName user account is for anonymous access to IIS. By default, when a user accesses a Web site that uses Anonymous authentication, that user is mapped to the IUSR_ComputerName account. The following table shows the default user privileges for the IUSR_ComputerName account, along with how each privilege is derived.

Privilege | Source
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment
Allow log on locally (SeInteractiveLogonRight) | Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Log on as a batch job (SeBatchLogonRight) | Explicit assignment

IWAM_ComputerName

The IIS IWAM_ComputerName user account is for starting out-of-process applications in IIS 5.0 isolation mode. The following table shows the default user privileges for the IWAM_ComputerName account, along with how each privilege is derived.

Privilege | Source
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Log on as a batch job (SeBatchLogonRight) | Explicit assignment
Replace a process-level token (SeAssignPrimaryTokenPrivilege) | Explicit assignment

ASPNET

The built-in ASPNET user account is for running the ASP.NET worker process in IIS 5.0 isolation mode. The following table shows the default user privileges for the ASPNET account, along with how each privilege is derived.

Privilege | Source
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment
Allow log on locally (SeInteractiveLogonRight) | Through membership in the Users group
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Users group
Deny log on locally (SeDenyInteractiveLogonRight) | Explicit assignment
Log on as a batch job (SeBatchLogonRight) | Explicit assignment
Log on as a service (SeInteractiveLogonRight) | Explicit assignment