IIS 6 - run with an application user

Shimon krokhmal — Tue, 29 Aug 2006 22:55:46 GMT

One of the most important rules about running an application (specially web application) is giving to the application only the needed permissions to run, and no more ! (running a web application with an administrator user is bad....).
Sure, it's very comfortable to give the application all the permissions that the system has, and not trying to solve permission related problems directly,
But this kind of an approach is a security-breach prone approach.
suppose, you wrote an application that has a minor security hole in it, and it allows the user to execute some unwanted script.
If it will run in a full permissions context, than it would be very easy to hijack the entire system, or even just do a system-wide damage.
But, if it will run only with the needed permission, then the attacker would have a hard time doing it.

So, what is the solution ?

First, create a new application pool that will run the wanted web application ( if you don't know how to do this , please refer to this article about application pool management ).

once, you have created the app pool, lets create the user :

enter to the computer management, click on the users folder and add a new user :
Set the user name and the password, and don't forget to check the "password never expires" option ( we don't want the application will stop working after some XX days...)
confirm the pass
now, this is a very important step, without this the application won't run.
right click on the fresh added user -> properties -> click on the "Member of" tab -> Add the user to the IIS_WPG group, so it can run iis applications
Set the new user to run the application pool that we created before.
Do iisreset.( or just restart the application pool)

thats it.
you did it, now your application runs under a limited user.
the iis process will run now with the given user and not the admin.

you just made another step to a more secured application.

Shimon krokhmal, a part of the Krokhmal family

IIS 6 Application pool management

Shimon krokhmal — Thu, 24 Aug 2006 19:31:07 GMT

Ever encountered on a situation that you have several Web Applications that works fine on the IIS 6 machine,
and then you add another application to join the party, and all the server crashes/ not responding / running very slow?

The answer is probably because the additional application that you added is a resource hog, and it doesn't leave the other web application any resources at all.

So, what can we do?
One of the solutions if code refectory or maybe an application redesign,
but it not always works or even possible (some exponential algorithms and those sort of stuff)

the other solution is to limit your application with the IIS 6 configuration.
How do we do it?

start the IIS manager by clicking : Start -> Run -> inetmgr
Expand the wanted server
Right Click on the "Application Pools" directory, new-> Application pool.
type the wanted application pool name in the appeared box and click OK
Go to the websites directory, right click on the wanted site, and choose properties
Select the new created Application pool from the combo box
Go back to the Application pool directory, right click on our AppPool -> properties

Go to the performance tab,
here we start all the fun stuff. :

* Check the "Enable CPU monitoring" option.

* Set the maximum wanted percentage of CPU usage
* Choose the wanted action that you want to perform in case the application exceeds the given limitations

thats it, you are set to go.
now the new Web application is set to run under her own application pool which is limited to his own limits.

have fun.

Shimon krokhmal, a part of the Krokhmal family

Shimon Krokhmal's blog - Microsoft|IIS 6

IIS 6 - run with an application user

IIS 6 Application pool management