December 22, 2024

Logging with Windows 2008 and IIS 7 Security

Often we will create a domain account to run a web application under when the site needs access to external resources. If that is overkill for an application, the fact that IIS 7 runs each app pool under its own unique identity can be helpful.


In a simple example, suppose an ASP.NET application wants to log exceptions to a text file in a folder outside the application's own directory. By default this will not be allowed. Nor is it possible to use the Windows folder security dialog to add the desired settings for the app pool's identity.

However, a short command-line task can add the IIS app pool account to a given folder’s permitted users list:

icacls C:\some_directory /grant "IIS APPPOOL\some_app_pool":(OI)(CI)(RX)

After executing this command on the server, the app pool's identity is listed in the folder's ACL, and you can adjust its permissions in the usual manner.
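The same task as a repeatable script, added here as an example and not taken from the original post: it grants the pool's virtual account the Modify right a logging folder actually needs (the post grants only RX and finishes in the GUI), makes the ACE inherit to future log files, and then verifies that nothing broader than Modify was granted. The pool name and folder path are placeholders taken from the post's example; run it from an elevated prompt on the IIS server.

```powershell
param(
    [string]$AppPool = 'some_app_pool',           # placeholder pool name from the post
    [string]$LogDir  = 'C:\some_directory\logs'   # placeholder folder outside the site
)

# IIS 7 exposes every application pool as a virtual account named
# "IIS APPPOOL\<pool name>"; that is the principal we grant rights to.
$identity = "IIS APPPOOL\$AppPool"

if (-not (Test-Path -LiteralPath $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

# Writing a log needs create/append, so grant Modify (M), not Full Control.
# (OI)(CI) makes the ACE inherit to files and subfolders created later,
# so each new log file is writable without further ACL changes.
icacls $LogDir /grant "${identity}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Verify the result: the pool account must hold an ACE on the folder, and
# that ACE must not carry rights beyond Modify (no ChangePermissions or
# TakeOwnership, which would let the web app rewrite the folder's ACL).
$acl  = Get-Acl -LiteralPath $LogDir
$aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $identity })
if ($aces.Count -eq 0) {
    throw "No ACE for $identity on $LogDir"
}

$excessive = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
foreach ($ace in $aces) {
    if (($ace.FileSystemRights -band $excessive) -ne 0) {
        throw "$identity holds more than Modify on ${LogDir}: $($ace.FileSystemRights)"
    }
    Write-Output ("{0}: {1} ({2} / {3})" -f $identity, $ace.FileSystemRights,
        $ace.InheritanceFlags, $ace.AccessControlType)
}
```

Once this has run, the account shows up in the folder security dialog as well, so any later adjustment can be made there.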

Resources:

http://learn.iis.net/page.aspx/624/application-pool-identities/

http://serverfault.com/questions/81165/how-to-assign-permissions-to-applicationpoolidentity-account

http://serverfault.com/questions/100516/iis-7-application-pool-identity-permissions
