IIS: Application pools should be set to run as application pool identities

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Internet Information Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Product/Feature

Internet Information Services

Severity

Error

Category

Security

Issue

Application pool '<ApplicationPoolName>' is set to run as an administrator, as local system, or to 'Act as part of the operating system'.

Impact

The application pool can execute high-privileged code, including potentially malicious code that can negatively affect your server.

Resolution

Set the application pool to run as the application pool identity.

For maximum security, application pools should run under a special built-in identity called ApplicationPoolIdentity. An application pool identity is one of two kinds: a built-in account or a custom account. The built-in accounts are ApplicationPoolIdentity, NetworkService, LocalService, and LocalSystem. The default (recommended) and most secure is ApplicationPoolIdentity: it is a low-privilege virtual account created per pool, so code in one pool cannot use the rights of another pool or of the server itself. The following procedure describes how to set the application pool identity to ApplicationPoolIdentity. After you change the identity of the application pool, it is not necessary to restart the application pool.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Note

Please do not make the following changes on any of the Exchange-related Application Pools. The Exchange pools should always be run using the LocalSystem identity.

To set the application pool identity to ApplicationPoolIdentity

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, expand the computer, then select the Application Pools folder underneath the computer name.

  4. In Features View, select the application pool. In the Actions pane, select Advanced Settings.

  5. In the Advanced Settings dialog, under Process Model, select Identity.

  6. Click the button to the right of the identity name.

  7. In the Application Pool Identity dialog, select Built-in account.

  8. Under Built-in account, select ApplicationPoolIdentity.

  9. Click OK to exit the Application Pool Identity dialog, then OK to exit the Advanced Settings dialog.
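The same audit and change can be scripted with the WebAdministration module that ships with IIS on Windows Server 2008 R2. The following PowerShell is an added example, not part of the original article or of the product: it lists every pool whose identity the rule objects to, skips pools whose names match an exclusion pattern (the assumption here is that the Exchange pools protected by the note above can be recognised by an "MSExchange" name prefix; adjust $ExcludePattern for your server), and applies the equivalent of steps 4 to 9 to the pools that run as LocalSystem. Pools that run as a custom account are only reported, because whether that account is an administrator or holds "Act as part of the operating system" has to be confirmed by hand. The function names are this example's own.

```powershell
# Added example (not from the original article): audit IIS application pools for
# high-privilege identities and switch the offending ones to ApplicationPoolIdentity.
# Assumes the WebAdministration module (IIS 7.5 on Windows Server 2008 R2) and that
# Exchange pools are identifiable by name (assumption: "MSExchange" prefix).
Import-Module WebAdministration

$ExcludePattern = '^MSExchange'

function Get-RiskyAppPool {
    # Returns one object per pool whose identity the BPA rule flags.
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        if ($pool.Name -match $ExcludePattern) {
            Write-Verbose "Skipping $($pool.Name): excluded by pattern"
            continue
        }
        $identityType = "$($pool.processModel.identityType)"
        $userName     = "$($pool.processModel.userName)"
        $reason = switch ($identityType) {
            'LocalSystem'  { 'runs as LocalSystem' }
            'SpecificUser' { "runs as custom account '$userName'; confirm it is not an administrator and does not hold 'Act as part of the operating system'" }
            default        { $null }
        }
        if ($reason) {
            [pscustomobject]@{
                Name         = $pool.Name
                IdentityType = $identityType
                UserName     = $userName
                Reason       = $reason
            }
        }
    }
}

function Set-AppPoolBuiltInIdentity {
    # Equivalent of steps 4-9: Advanced Settings > Process Model > Identity >
    # Built-in account > ApplicationPoolIdentity. No pool restart is needed.
    param([Parameter(Mandatory = $true)][string]$Name)

    Set-ItemProperty -Path "IIS:\AppPools\$Name" -Name processModel.identityType -Value ApplicationPoolIdentity

    # Read the setting back so the change is verified, not assumed.
    $after = "$((Get-Item "IIS:\AppPools\$Name").processModel.identityType)"
    if ($after -ne 'ApplicationPoolIdentity') {
        throw "Pool '$Name' still reports identityType '$after'"
    }
    return $after
}

# Report first, then fix only the LocalSystem pools; custom-account pools stay in the report for review.
$risky = @(Get-RiskyAppPool)
$risky | Format-Table Name, IdentityType, UserName, Reason -AutoSize

foreach ($p in $risky | Where-Object { $_.IdentityType -eq 'LocalSystem' }) {
    $result = Set-AppPoolBuiltInIdentity -Name $p.Name
    Write-Host "$($p.Name): identity is now $result"
}
```

Run it from an elevated PowerShell session, as the procedure above requires. The first Format-Table output is the audit record; keep it with the change ticket, since it also lists the SpecificUser pools that the script deliberately leaves unchanged.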