IIS 6.0 F1: Application Pools Properties - Identity Tab

Applies To: Windows Server 2008 R2

The identity of an application pool is the name of the account under which the pool's worker process runs. By default, application pools run under the NetworkService account, which has the fewest user rights required to run Web applications. This account provides the most security against attackers who might attempt to take over the computer on which the World Wide Web Publishing Service (WWW service) is running. You can configure application pools to run as LocalSystem, an account with more assigned user rights than the NetworkService account; however, running an application pool under an account with more user rights presents a more serious security risk.

For example, suppose that an Internet service provider (ISP) wants to allow customers to upload Common Gateway Interface (CGI) applications and then add them to an application pool. Running the CGI-enabled applications in a separate application pool under the NetworkService account—with its minimal user rights—prevents these applications from being used to take over the server.

Predefined

Click any of the predefined security accounts in the list box.

Configurable

Click to configure your own application pool security by specifying the identity with a user name and the associated password. If you use a custom user account, that account must be part of the IIS_WPG group, or the application pool will fail.

User name

Type the alias of the user permitted to access this data source and table.

Password

Type the password that is associated with the user name specified above.

Browse

Click to view a list of available Windows user accounts on this server.

Note

In previous versions of IIS, worker processes ran under the LocalSystem account. Because the LocalSystem account has access to almost all resources, this can have serious security implications. For better security, the IIS 6.0 default is to run worker processes under the new built-in NetworkService account. IIS 6.0 also allows you to configure the account under which worker processes run.

To learn more about the NetworkService account and the LocalSystem account in IIS, see the IIS 6.0 online documentation on the Microsoft Windows Server TechCenter.
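
The identity settings described above can be audited offline. The following is an added example, not part of the original help page and not Microsoft's code: a Python check over an exported metabase fragment that flags pools running as LocalSystem and custom identities that are missing from IIS_WPG. The XML sample, pool names and account names are constructed, and the IIS_WPG member list is assumed to be collected separately and passed in.

```python
import xml.etree.ElementTree as ET

# AppPoolIdentityType values stored in the IIS 6.0 metabase.
IDENTITY = {0: "LocalSystem", 1: "LocalService", 2: "NetworkService", 3: "Configurable"}

# Constructed sample modeled on a MetaBase.xml export; all names are made up.
SAMPLE = """<configuration><MBProperty>
<IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/CustomerCgi" AppPoolIdentityType="3" WamUserName="WEB01\\svc_cgi"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/Reports" AppPoolIdentityType="3" WamUserName="WEB01\\svc_reports"/>
</MBProperty></configuration>"""


def audit(xml_text, iis_wpg_members):
    """Return {pool name: finding} for every application pool in the export."""
    root = ET.fromstring(xml_text)
    members = {m.lower() for m in iis_wpg_members}
    # Match on the local tag name so any XML namespace in the export is ignored.
    elems = [(e.tag.rsplit("}", 1)[-1], e.attrib) for e in root.iter()]

    # A pool that does not set the property inherits it from the AppPools node;
    # if that node is silent too, the IIS 6.0 default (NetworkService) applies.
    inherited = 2
    for tag, attrs in elems:
        if tag == "IIsApplicationPools" and "AppPoolIdentityType" in attrs:
            inherited = int(attrs["AppPoolIdentityType"])

    findings = {}
    for tag, attrs in elems:
        if tag != "IIsApplicationPool":
            continue
        name = attrs["Location"].rsplit("/", 1)[-1]
        kind = int(attrs.get("AppPoolIdentityType", inherited))
        user = attrs.get("WamUserName", "")
        if kind == 0:
            findings[name] = "HIGH: runs as LocalSystem"
        elif kind == 3 and user.lower() not in members:
            findings[name] = f"ERROR: {user} is not in IIS_WPG, pool will fail"
        elif kind == 3:
            findings[name] = f"OK: custom account {user}"
        else:
            findings[name] = f"OK: {IDENTITY.get(kind, 'unknown')}"
    return findings


if __name__ == "__main__":
    for pool, finding in audit(SAMPLE, {"WEB01\\svc_cgi"}).items():
        print(f"{pool:16} {finding}")
```

Account names are compared case-insensitively as exact strings, so the member list must use the same DOMAIN\user form that appears in the export.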