IIS App Pools and File Permissions


When setting security permissions on files, you need to know which user to apply the permissions to. Depending on the version of IIS and Windows, there are different defaults for what user the website runs under.


IIS7 and App Pool Identities

The lastest new idea is running each app pool under a separate user account. To do this IIS creates fake user accounts which are hidden (so you need to type them in, you can't just select them).


They are in the form IIS AppPool\{apppool name}


If you have "Enable 32 bit apps" set (under app pool advanced settings) it will instead run under the "IUSR" identity, no matter what you choose under App Pool Identity. (This is not IUSR_machinename, just IUSR.) 


More details are here.


Previous versions

In IIS6 the default user is normally NETWORK SERVICE. You may need to change this to LOCALSYSTEM if you need to give it higher security privileges for some classic ASP COM objects. 


Under IIS5 the user to apply permissions for was ASPNET. Under IIS4 (and IIS5 for classic ASP) and all previous versions it used the "anonymous user" account. This was set in the permissions tab in IIS. The default was of the form IUSR_{machinename}.


More details about how these accounts interrelate is here.


Important - Disable Script Access

It is essential that whenever you allow write permissions, you disable script access. In IIS6 this was simply done by clicking Properties and unchecking "script access". In II7 this has been hidden away. It is now under Handler Mappings then Edit Feature Permissions


This must be done for any attachments folders, logs folders and the like. You click on the appropriate folder first and then click Handler Mappings.




Leave a Comment