I was developing an application where users can upload CSV files to a certain directory on the server. The application works great on my development machine, which uses IIS 6, but I had some difficulties on the production server. ASP.NET kept telling me that access to the "upload folder" was denied. I had figured this out in IIS 6.0 by adding permissions on the upload folder for IUSR_MACHINENAME or IIS_WPG and giving read and write permission to both users. But this solution does not work for IIS 7. After looking for information on the internet, I found that IIS 7 uses a different security feature regarding the application pool identity.
IIS 7 introduces a new security feature called Application Pool Identities. Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool. The image below shows an IIS worker process (w3wp.exe) running as the DefaultAppPool identity.
Application Pool Identity Accounts

Worker processes in IIS 6.0 and IIS 7 run as NETWORKSERVICE by default. NETWORKSERVICE is a built-in Windows identity. It doesn't require a password and has only user privileges; that is, it is relatively low-privileged. Running as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.
However, a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE. This is because services running as NETWORKSERVICE can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities. The Windows operating system provides a feature called "Virtual Accounts" that allows IIS to create unique identities for each of its Application Pools.
Configuring IIS Application Pool Identities
If you are running IIS 7.5 on Windows Server 2008 R2, you don't have to do anything to use the new identity: ApplicationPoolIdentity is the default there. For every Application Pool you create, the Windows Process Activation Service (WAS) will create a virtual account with the name of the new Application Pool and run the Application Pool's worker processes under this account.
If you are running Windows Server 2008 (IIS 7.0), worker processes still default to NETWORKSERVICE, so you have to change the identityType property of the Application Pools you create to "ApplicationPoolIdentity". Here is how:
- Open the IIS Management Console (INETMGR.MSC).
- Open the Application Pools node underneath the machine node. Select the Application Pool you want to change to run under an automatically generated Application Pool Identity.
- Right click the Application Pool and select "Advanced Settings..."
- Under "Process Model", open the "Identity" property, choose the built-in account "ApplicationPoolIdentity" and click "OK".

To do the same from the command line, call the appcmd tool as follows (quote the pool name if it contains spaces):
%windir%\system32\inetsrv\appcmd.exe set AppPool <your AppPool> -processModel.identityType:ApplicationPoolIdentity
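The same change scripted in PowerShell, as an added example that is not part of the original post. It wraps the appcmd call shown above, creates the pool if it is missing, reads the setting back so that a typo in the identity type does not go unnoticed, and finally lists the running w3wp.exe processes with their owners so you can confirm a worker really runs as IIS AppPool\<name>. The pool name "MyNewAppPool" is an assumption; run it from an elevated prompt on the IIS 7.x server.

```powershell
# Added example, not from the original post. Assumes an IIS 7.x server and
# an application pool called "MyNewAppPool" (substitute your own name).
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$poolName = 'MyNewAppPool'

# "/text:name" prints one pool name per line, which is easier to test than
# parsing the default "APPPOOL "name" (...)" output.
$pools = & $appcmd list apppool /text:name
if ($pools -notcontains $poolName) {
    & $appcmd add apppool /name:"$poolName"
    if ($LASTEXITCODE -ne 0) { throw "appcmd could not create pool $poolName" }
}

# Switch the process identity to the automatically generated virtual account.
# This is the same command the post shows, just parameterised.
& $appcmd set apppool "$poolName" /processModel.identityType:ApplicationPoolIdentity
if ($LASTEXITCODE -ne 0) { throw "appcmd could not set the identity type for $poolName" }

# Read the attribute back instead of trusting the exit code alone.
$identityType = & $appcmd list apppool "$poolName" /text:processModel.identityType
if ($identityType -ne 'ApplicationPoolIdentity') {
    throw "Unexpected identity type '$identityType' for pool $poolName"
}
Write-Host "$poolName now runs as IIS AppPool\$poolName"

# Verification: once the pool has served a request, its worker process should
# show up owned by "IIS APPPOOL\<poolname>". WMI is used rather than
# Get-Process -IncludeUserName so this also works on PowerShell 2.0.
Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    New-Object PSObject -Property @{
        Pid   = $_.ProcessId
        Owner = "$($owner.Domain)\$($owner.User)"
    }
} | Format-Table Pid, Owner -AutoSize
```

If the last table is empty, no worker process is running yet; request a page from a site bound to the pool and run the WMI query again. A worker still owned by NT AUTHORITY\NETWORK SERVICE means the pool was not recycled after the change (appcmd recycle apppool "MyNewAppPool" forces it).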
Securing Resources
Whenever a new Application Pool is created, WAS creates a security identifier (SID, of the form S-1-5-82-...) that represents the name of the Application Pool itself. For example, if you create an Application Pool with the name "MyNewAppPool," a security identifier for "MyNewAppPool" is created in the Windows security system. From this point on, resources can be secured by using this identity, referenced as "IIS AppPool\MyNewAppPool". However, the identity is not a real user account: it will not show up as a user in the Windows User Management Console, and it only resolves on the local machine (when the worker process accesses a network share it appears as the computer account instead). The "Access is denied" error on the upload folder is caused by the virtual account not having write access to that folder. It can be fixed by adding the Application Pool's virtual account to the folder's Access Control List (ACL) and granting it write permission:
- Open Windows Explorer
- Select a file or directory.
- Right click the file and select "Properties"
- Select the "Security" tab
- Click the "Edit" and then "Add" button
- Click the "Locations" button and make sure you select your machine.
- Enter "IIS AppPool\DefaultAppPool" (or "IIS AppPool\<your AppPool name>") in the "Enter the object names to select:" text box.
- Click the "Check Names" button and click "OK".
- Grant the virtual account write permission. "Modify" is enough for uploading, overwriting and deleting files; do not grant "Full Control", and do this on the upload folder only, not on the site root, so that an uploaded file can never replace the application's own code.


By doing this, the file or directory above can be modified by the application pool identity "DefaultAppPool". Hope this post helps.
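The same ACL change scripted in PowerShell, as an added example that is not part of the original post. It first translates "IIS AppPool\<name>" to its SID, which proves the virtual account exists before any ACL is touched (the GUI's "Check Names" step does the same thing), then adds a single inheritable Modify entry on the upload folder and reads the ACL back. The pool name "MyNewAppPool" and the path under C:\inetpub\wwwroot\MyApp\uploads are assumptions.

```powershell
# Added example, not from the original post. Assumes pool "MyNewAppPool" and
# an upload folder below the site root; substitute your own values.
$poolName  = 'MyNewAppPool'
$identity  = "IIS AppPool\$poolName"
$uploadDir = 'C:\inetpub\wwwroot\MyApp\uploads'

if (-not (Test-Path $uploadDir)) {
    New-Item -ItemType Directory -Path $uploadDir | Out-Null
}

# The virtual account is not a user, but the local security authority knows
# its SID (S-1-5-82-...). Translate() throws if the pool does not exist, so
# a misspelled pool name stops the script here rather than producing a
# dangling ACE later.
$account = New-Object System.Security.Principal.NTAccount($identity)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "$identity resolves to $($sid.Value)"

# Modify = read, write, create, delete on this folder and everything created
# beneath it (ContainerInherit, ObjectInherit). Deliberately not Full Control,
# and deliberately scoped to the upload folder, not the site root.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity,
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow'
)
$acl = Get-Acl -Path $uploadDir
$acl.AddAccessRule($rule)
Set-Acl -Path $uploadDir -AclObject $acl

# Verify the ACE landed (IdentityReference may come back as "IIS APPPOOL\...",
# -eq is case-insensitive so that still matches).
$ace = (Get-Acl -Path $uploadDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity }
if (-not $ace) { throw "No ACE for $identity on $uploadDir" }
$ace | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
    Format-List

# Equivalent one-liner with icacls, and a quick way to read the ACL back:
#   icacls "$uploadDir" /grant "${identity}:(OI)(CI)M"
#   icacls "$uploadDir"
```

After this runs, the web application can write into the upload folder while the rest of the site stays read-only for the worker process. If the folder is later moved to a file share, remember the caveat above: the share and NTFS permissions there must be granted to the computer account, not to IIS AppPool\MyNewAppPool.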