Monday, January 2, 2017

IIS Security and Permissions for Websites

IIS relies on both its own built-in accounts and the built-in accounts of Windows for
security.

While deploying an application in IIS we should know the rights of each account
and avoid granting high access privileges on files or folders, in order to reduce
security risks.

IIS built-in user and group accounts:

IUSR :

IUSR is the default built-in account (in IIS 7 and above) that IIS uses when
anonymous access is enabled. Every unauthenticated visitor (that is, a normal visitor)
runs as this Internet User account. This account must not be given high or privileged
permissions on the critical files of the website or application.

In earlier versions of IIS, IUSR_MachineName was used for anonymous authentication
requests. The IUSR account does not need a password, so there is no password
expiration to worry about. Before IIS 7, each account and group had a unique SID
(Security Identifier) that differed from computer to computer, so 'xcopy /o' could not
be used to copy files along with their Access Control List and ownership information to
a different computer. IIS 7 solves this problem, because the SID of each built-in user
or group account is the same on every system running Windows Server 2008 or above.

IIS_IUSRS :

IIS_IUSRS is a built-in group, introduced in IIS 7, that has the minimum set of user
rights and permissions required to run an application. Its convenience is that any user
account added to this group can be used as an application pool identity without
manually assigning user rights and permissions to that account. In previous versions
of IIS this group was called IIS_WPG (IIS Worker Process Group). If a permission has to
be granted on a file resource to all accounts that run ASP.NET applications, we can
grant it to IIS_IUSRS once instead of assigning it to each account separately.

IWAM_MachineName (of IIS 6 and below) :

In IIS 6 there was the IWAM_MachineName (Internet Server Web Application Manager)
account, which was used for starting out-of-process applications such as COM or DCOM
components in IIS 5 isolation mode. Out-of-process applications run in a different
process space from the one using them, whereas in-process applications run in the same
process space as the one using them. In-process components communicate through local
method calls, while out-of-process components require remote procedure calls. Examples
of out-of-process components are Java's RMI and Microsoft's COM components.

IUSR and IWAM should only be given the permissions they need and should not be given
permission to access anything critical.

From IIS 7 onwards, IUSR takes over the functions of both IUSR_MachineName and
IWAM_MachineName.

In short, in IIS 7 IUSR is the replacement of IUSR_MachineName and IIS_IUSRS is the
replacement of IIS_WPG.

ASPNET (of IIS 6 and below) :

In earlier versions of IIS there was an ASPNET user account, which was used for running
the ASP.NET worker process in IIS 5.0 isolation mode. This account no longer exists from
IIS 7 onwards.


LocalSystem :

This account has the highest privileges, those of an Administrator. If a worker process
identity runs under this account, it has full administrative privileges over the entire
system, so granting it is a security threat. It should be used only in unavoidable
circumstances.

Network Service :

This account has fewer privileges than LocalSystem, but it can access network
resources and remote databases using the local computer's credentials or Windows
Authentication. In IIS 6 this is the default identity of an application pool.

LocalService:

This built-in user account has fewer privileges than Network Service; its access is
limited to the local system and it has no network permissions. It is used where access
outside the server is not required.
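The account sections above describe which worker process identities carry the most risk. The following is an added example (not code from the original post) that lists every application pool on an IIS 7+ host and flags those still running as LocalSystem; it assumes the WebAdministration module is present and the script runs in an elevated PowerShell session.

```powershell
# Added example: audit application pool identities on an IIS 7+ host.
# Assumes the WebAdministration module (ships with IIS 7 and above) and an
# elevated PowerShell session.
Import-Module WebAdministration

# identityType values exposed by IIS: LocalSystem, LocalService, NetworkService,
# SpecificUser and ApplicationPoolIdentity.
$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $identity = $pool.processModel.identityType
    $userName = $pool.processModel.userName

    # Rate each identity by how much of the host a compromised worker
    # process would be able to reach.
    $risk = switch ($identity) {
        'LocalSystem'    { 'HIGH   - full administrative rights on the host' }
        'NetworkService' { 'MEDIUM - reaches network resources as the machine account' }
        'SpecificUser'   { "REVIEW - check the rights granted to $userName" }
        default          { 'LOW' }
    }

    [pscustomobject]@{
        AppPool  = $pool.Name
        Identity = if ($identity -eq 'SpecificUser') { $userName } else { $identity }
        State    = $pool.State
        Risk     = $risk
    }
}

$report | Format-Table -AutoSize

# Fail the check (non-zero exit) when any pool still runs as LocalSystem,
# so a deployment script can refuse to continue.
if ($report | Where-Object { $_.Identity -eq 'LocalSystem' }) {
    Write-Warning 'One or more application pools run as LocalSystem.'
    exit 1
}
```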

NTFS permissions :

Basically there are two types of access control: NTFS permissions, which are controlled
by the operating system, and website permissions, which are controlled by IIS. NTFS
permissions can be used only on drives formatted with NTFS (New Technology File System),
not on FAT (File Allocation Table), which is a legacy file system.

Various NTFS Permission levels are :

- Full Control - Users have full control over the file including taking ownership of it.
- Modify - Users can view and modify files and file properties, and delete and add files
  to the directory. Users cannot take ownership of the file or change file permissions.
- Read and execute - Users can view and run executable files including scripts.
- Read - Users can view files and file properties.
- Write - Users can write to a file.
- List folder contents - Users can view the list of files inside the folder.

While assigning permissions we should make sure that the Write NTFS permission is
granted only on the files that the application needs to modify at run time, and not on
the remaining files or folders, in order to prevent unnecessary uploading of data to the
web server.
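To check the rule just stated (and the earlier advice to grant resources to IIS_IUSRS rather than to individual accounts), here is an added example, not code from the original post, that walks a site's content folder and reports every NTFS ACE giving IUSR or IIS_IUSRS the ability to write, delete or re-permission content outside the folders the application legitimately writes to. The site root and the writable folder names are assumed placeholders to adjust for your deployment.

```powershell
# Added example: find NTFS ACEs that let IIS accounts change site content.
# Assumptions: IIS 7+ principal names; $SiteRoot and $AllowedWritable are
# placeholders for your own site layout.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot',             # assumed site root
    [string[]]$AllowedWritable = @('App_Data', 'Uploads')  # assumed writable folders
)

$iisPrincipals = @('NT AUTHORITY\IUSR', 'BUILTIN\IIS_IUSRS')

# Rights that allow changing content or its ACL. Modify and FullControl
# contain these bits; Read and Read&Execute do not.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)
# Inherit-only ACEs may carry generic rights instead of specific ones.
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

$findings = foreach ($item in Get-ChildItem -Path $SiteRoot -Recurse -Force) {
    $relative = $item.FullName.Substring($SiteRoot.Length).TrimStart('\')
    if ($AllowedWritable -contains $relative.Split('\')[0]) { continue }

    foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($iisPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $writeMask) -eq 0) -and (($rights -band $genericWrite) -eq 0)) { continue }

        [pscustomobject]@{
            Path      = $relative
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} ACE(s) grant IIS accounts write access outside the allowed folders." -f @($findings).Count)
} else {
    Write-Host "No write access for IUSR / IIS_IUSRS outside: $($AllowedWritable -join ', ')"
}
```

Inherited ACEs reported here usually come from a permissive grant on the site root itself, so fix the root folder's ACL first and re-run rather than editing each file.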

How to secure FTP Sites?


In the case of FTP sites, credentials are passed over the network without encryption or
encoding and are therefore exposed to malicious users. To make FTP more secure we can
run it over an encrypted channel, such as a VPN secured with PPTP (Point-to-Point Tunneling Protocol) or Internet Protocol Security (IPSec).