IIS7 Permissions Overview

We have recently upgraded to IIS7 as a core web server and I need an overview in terms of the permissions. Previously, when needing to write to the file system, I would have given the AppPool user (Network Service) access to the directory or file.

In IIS7 I see that, by default, the AppPool user is set to ApplicationPoolIdentity. So when I check Task Manager, I see that a user account called 'WebSite.com' is running the IIS process ('Website.com' being the name of the website in IIS).

However, this user account doesn't exist if I try to use it to give permissions. So, how do I determine which user to give the permissions to?

Edit:

See below for the problem in a screenshot. Our website (www.silverchip.co.uk) runs under the username SilverChip.co.uk. However, when I add permissions, this user doesn't exist!

See AppPool Image


ApplicationPoolIdentity is actually the best practice to use in IIS7. It is a dynamically created, unprivileged account. To add file system security for a particular application pool see IIS.net's "Application Pool Identities". The quick version:

If your application pool is named "DefaultAppPool" (just replace this text below if it is named differently):

  • Open Windows Explorer
  • Select a file or directory.
  • Right click the file and select "Properties"
  • Select the "Security" tab
  • Click the "Edit" and then "Add" button
  • Click the "Locations" button and make sure you select the local machine. (Not the Windows domain if the server belongs to one.)
  • Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box. (Don't forget to change "DefaultAppPool" here to whatever you named your application pool.)
  • Click the "Check Names" button and click "OK".

  • Remember to use the server's local name, not the domain name, when resolving the name "IIS AppPool\DefaultAppPool" (just a reminder because this tripped me up for a bit).


    On Windows Server 2008 (R2) you can't assign an application pool identity to a folder through Properties->Security. You can do it through an admin command prompt using the following, though:

    icacls "c:\yourdirectory" /t /grant "IIS AppPool\DefaultAppPool":(R)
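
The same grant scripted in PowerShell, as an added example that is not part of the original answers: it first resolves the "IIS AppPool\<pool name>" identity on the local machine, then adds an inherited rule to a single directory and lists the result. The pool name, the path and the chosen rights are placeholder values; run it from an elevated prompt.

```powershell
# Added example: give one application pool identity access to ONE directory.
# $PoolName and $Path are placeholder values; change them for your server.
param(
    [string]$PoolName = 'DefaultAppPool',
    [string]$Path     = 'C:\inetpub\wwwroot\App_Data',
    [string]$Rights   = 'Modify'   # use 'ReadAndExecute' for read-only content
)

# The identity is a virtual account named "IIS AppPool\<pool name>".
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")

# Resolve the name to a SID before touching any ACL. Translate() throws when
# the name cannot be resolved on this machine (for example a mistyped pool name).
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Cannot resolve '$($account.Value)' on $env:COMPUTERNAME. Check the pool name."
}
Write-Host "Resolved $($account.Value) to $($sid.Value)"

if (-not (Test-Path -Path $Path -PathType Container)) {
    throw "Directory not found: $Path"
}

# Build an Allow rule that subfolders and files inherit.
$fsRights  = [System.Security.AccessControl.FileSystemRights]$Rights
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $fsRights, $inherit, $propagate, $allow)

# Add the rule to the existing ACL instead of replacing the ACL.
$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# List the entries that now apply to the pool identity.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account.Value } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Granting on only the directory the application has to write to, rather than on the whole site root, keeps the pool identity unprivileged everywhere else.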
    