Configure Application Pool Identity

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The identity of an application pool is the name of the service account under which the application pool's worker process runs. By default, application pools operate under the Network Service user account, which has low-level user access rights. You can configure application pools to run under the Local System user account, which is an account with more user rights than the Network Service or Local Service user accounts. However, be mindful that running an application pool under an account with increased user rights presents a high security risk.

Requirements

  • Mode: This feature of Internet Information Services (IIS) 6.0 is available only when IIS is running in worker process isolation mode.

  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Iis.msc.

Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type **runas /user:***administrative_accountname* **mmc %systemroot%\system32\inetsrv\iis.msc**, where *administrative_accountname* is the name of an account in the Administrators group.

Procedures

By default, application pools operate under the Network Service user account, which has low-level user access rights. Consequently, this account provides better security against attackers or malicious users who might attempt to take over the computer on which the World Wide Web Publishing Service (WWW service) is running. The Local Service user account has low access rights as well, and is useful for situations that do not require access to resources on remote computers. You can, however, configure application pools to run under the Local System user account, which is an account with more user rights than the Network Service or Local Service user accounts.

To change the service account that an application pool runs under

  1. In IIS Manager, expand the local computer, and expand Application Pools.

  2. Right-click the application pool you want to configure, and then click Properties.

  3. Click the Identity tab, and click either Predefined or Configurable.

    Predefined refers to the standard service accounts: Network Service (the default), which has low-level user access rights and can be used for access to resources on remote computers; Local Service, which also has low-level access rights and is used for situations that do not require access to resources on remote computers; or Local System, which is an account with more user rights than the Network Service or Local Service account.

    Configurable refers to registered user names.

  4. If you click Predefined, click a predefined account in the list box.

  5. If you click Configurable, in the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate.

  6. Click OK.
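A way to verify the result of this procedure across every application pool on a server, as an added example that is not part of the original article: the script below reads each pool's identity through the IIS 6.0 WMI provider and flags pools whose worker process runs as Local System. It assumes Windows PowerShell 2.0 and the IIS 6.0 WMI provider are installed, and that the metabase property AppPoolIdentityType uses the values 0 (Local System), 1 (Local Service), 2 (Network Service) and 3 (configurable account).

```powershell
# Added example (not from the original article): audit IIS 6.0 application pool
# identities via the IIS WMI provider (namespace root\MicrosoftIISv2, class
# IIsApplicationPoolSetting). Assumes Windows PowerShell 2.0, the IIS 6.0 WMI
# provider, and an administrative session. This namespace requires
# PacketPrivacy authentication, so it is requested explicitly.
#
# AppPoolIdentityType values (assumed from the IIS 6.0 metabase schema):
#   0 = Local System, 1 = Local Service, 2 = Network Service,
#   3 = configurable account (user name stored in WAMUserName)
$identityNames = @{
    0 = 'Local System'
    1 = 'Local Service'
    2 = 'Network Service'
    3 = 'Configurable'
}

function Get-AppPoolIdentityReport {
    param([string]$ComputerName = '.')

    $pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' `
                           -Class IIsApplicationPoolSetting `
                           -ComputerName $ComputerName `
                           -Authentication PacketPrivacy

    foreach ($pool in $pools) {
        $type = [int]$pool.AppPoolIdentityType
        $account = if ($type -eq 3) { $pool.WAMUserName } else { $identityNames[$type] }

        # Local System carries far more rights than the default Network Service,
        # which is the risk the article calls out. A configurable account should
        # be reviewed for its group memberships and privileges (IIS 6.0 requires
        # such an account to be a member of IIS_WPG for the worker process to start).
        $risk = switch ($type) {
            0       { 'HIGH: worker process runs as Local System' }
            3       { 'REVIEW: custom account, check its privileges' }
            default { 'OK' }
        }

        New-Object PSObject -Property @{
            AppPool      = ($pool.Name -replace '^W3SVC/AppPools/', '')
            IdentityType = $identityNames[$type]
            Account      = $account
            Risk         = $risk
        }
    }
}

Get-AppPoolIdentityReport | Format-Table AppPool, IdentityType, Account, Risk -AutoSize
```

Run it after completing the procedure above; any pool reported as HIGH is one whose identity should be moved back to Network Service or Local Service unless the elevated rights are strictly required.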