The identity of an application pool is the name of the service account under which the application pool's worker process (w3wp.exe) runs. By default, application pools run under the Network Service built-in account, which has limited user rights. You can configure an application pool to run under one of the other built-in user accounts in the Windows Server® 2008 operating system. For example, you can specify the Local System user account, which has far higher user rights than either the Network Service or Local Service built-in accounts. Remember, however, that the worker process executes the application's code: a vulnerability in the application gives an attacker whatever rights the pool identity holds, so running an application pool under an account that has high-level user rights is a serious security risk.
You can also configure a custom account to serve as an application pool's identity. Any custom account you choose should have only the minimum rights that your application requires. A custom account is useful in the following situations:
•When you want to improve security and make it easier to trace security events to the corresponding application.
•When you are hosting Web sites for multiple customers on a single Web server. If you use the same process account for multiple customers, code running in one customer's application may be able to read the files (source code, configuration, data) of another customer's application, because both worker processes hold the same access rights. In this case, you should also configure a separate custom account for each site's anonymous user account.
•When an application requires rights or permissions in addition to the default permissions for an application pool. In this case, you can create an application pool and assign a custom identity to the new application pool.
User Interface
To use the UI
1.Open IIS Manager. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
2.In the Connections pane, expand the server node and click Application Pools.
3.On the Application Pools page, select the application pool for which you want to specify an identity, and then click Advanced Settings in the Actions pane.
4.For the Identity property, click the ... button to open the Application Pool Identity dialog box.
5.If you want to use a built-in account, select the Built-in account option and select an account from the list.
6.If you want to use a custom identity, select the Custom account option and click Set to open the Set Credentials dialog box. Then type the custom account name in the User name text box, type a password in the Password text box, retype the password in the Confirm password text box, and then click OK.
7.Click OK to dismiss the Application Pool Identity dialog box.
Command Line
To specify the account identity for an application pool to use, use the following syntax:
appcmd set config /section:applicationPools /[name='string'].processModel.identityType:SpecificUser|NetworkService|LocalService|LocalSystem
The variable string is the name of the application pool that you want to configure. For example, to change the identity type from Network Service to Local Service for an application pool named Marketing, type the following at the command prompt, and then press ENTER:
appcmd set config /section:applicationPools /[name='Marketing'].processModel.identityType:LocalService
To configure an application pool to use a custom identity, use the following syntax:
appcmd set config /section:applicationPools /[name='string'].processModel.identityType:SpecificUser|NetworkService|LocalService|LocalSystem /[name='string'].processModel.userName:string /[name='string'].processModel.password:string
The variable name string is the name of the application pool that you want to configure, userName string is the user name of the account that you want the application pool to use, and password string is the password for the account. Note that the password is typed in clear text on the command line, so it is recorded in the console history; clear the history afterwards or run the command from a script that prompts for the password. For example, to configure an application pool named Marketing to use a custom identity with a user name of Marketer and a password of M@dr1d$P, type the following at the command prompt, and then press ENTER:
appcmd set config /section:applicationPools /[name='Marketing'].processModel.identityType:SpecificUser /[name='Marketing'].processModel.userName:Marketer /[name='Marketing'].processModel.password:M@dr1d$P
For more information about Appcmd.exe, see Appcmd.exe (IIS 7).
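The following PowerShell script is an added example, not part of the original IIS documentation, that carries out the custom-identity scenario above end to end: it creates a least-privilege local account, grants it read-only access to the site content, assigns it as the pool identity with Appcmd.exe, and verifies the result. The pool name Marketing, the account name Marketer and the content path C:\inetpub\wwwroot\Marketing are assumed for illustration; it must be run from an elevated PowerShell prompt on the IIS server.

```powershell
# Added example (not from the IIS documentation): create a least-privilege local
# account and make it the identity of an application pool using Appcmd.exe.
# Assumed values: pool "Marketing", account "Marketer", content directory below.

$PoolName   = 'Marketing'
$UserName   = 'Marketer'
$ContentDir = 'C:\inetpub\wwwroot\Marketing'
$AppCmd     = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# Prompt for the password rather than embedding it in the script or typing it on
# the command line, where it would be recorded in the console history.
$Secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# 1. Create the account as an ordinary local user (default Users membership only).
#    IIS 7 adds the worker process account to IIS_IUSRS at run time, so no further
#    group membership is required; in particular, never add it to Administrators.
$Computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$User = $Computer.Create('User', $UserName)
$User.SetPassword($Plain)
$User.SetInfo()
# ADS_UF_PASSWD_CANT_CHANGE (0x40) | ADS_UF_DONT_EXPIRE_PASSWD (0x10000):
# a service account should neither change nor be locked out by an expiring password.
$User.UserFlags.Value = $User.UserFlags.Value -bor 0x10040
$User.SetInfo()

# 2. Grant only read/execute on the site content. Write access is deliberately
#    withheld so a compromised worker process cannot modify the site's own files.
& icacls $ContentDir /grant "$($UserName):(OI)(CI)RX" | Out-Null

# 3. Point the pool at the account. Appcmd stores the password in
#    applicationHost.config, where IIS keeps that attribute encrypted.
& $AppCmd set config /section:applicationPools `
    "/[name='$PoolName'].processModel.identityType:SpecificUser" `
    "/[name='$PoolName'].processModel.userName:$UserName" `
    "/[name='$PoolName'].processModel.password:$Plain"
$Plain = $null

# 4. Verify what IIS will actually run the pool as, then recycle the pool so the
#    next worker process starts under the new identity.
& $AppCmd list apppool $PoolName /text:processModel.identityType   # expect SpecificUser
& $AppCmd list apppool $PoolName /text:processModel.userName       # expect Marketer
& $AppCmd recycle apppool $PoolName
```

Read/execute on the content directory is enough for static content and for code that only reads its own files; an ASP.NET application additionally needs write access to its Temporary ASP.NET Files directory and to any folder it legitimately writes to, and nothing more. If the pool later fails to start with an identity error, the credentials in applicationHost.config no longer match the account (typically after a password change), and the `set config` step must be repeated.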