IIS AppPoolIdentity and file system write access permissions

[Origin]: https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions

Here’s an issue with IIS 7.5 and ASP.NET that I’ve been researching and getting nowhere with. Any help would be greatly appreciated.

My question is: using ASP.NET in IIS 7.5, how does IIS and/or the operating system allow the web application to write to a folder like C:\dump when running under full trust? How is it that I don’t have to explicitly add write access for the application pool user (in this case ApplicationPoolIdentity)?

This much I know:

  • In IIS 7.5, the default Identity for an Application Pool is ApplicationPoolIdentity.
  • ApplicationPoolIdentity represents a Windows user account called “IIS APPPOOL\AppPoolName”, which is created when the Application Pool is created, where AppPoolName is the name of the Application Pool.
  • The “IIS APPPOOL\AppPoolName” user is by default a member of the IIS_IUSRS group.
  • If you are running under Full Trust, your web application can write to many areas of the file system (excluding folders like C:\Users, C:\Windows, etc.). For example, your application will have access to write to some folders, like C:\dump.
  • By default, the IIS_IUSRS group is not given read or write access to C:\dump (at least not access that is visible through the “Security” tab in Windows Explorer).
  • If you deny write access to IIS_IUSRS, you will get a SecurityException when trying to write to the folder (as expected).

So, taking all of that into account, how is write access granted to the “IIS APPPOOL\AppPoolName” user? The w3wp.exe process runs as this user, so what allows this user to write to a folder it doesn’t seem to have explicit access to?

Please note that I understand this was probably done for the sake of convenience, since it would be a pain to grant a user access to every folder it needs to write to if you are running under Full Trust. If you want to limit this access, you can always run the application under Medium Trust. I am interested in finding out about the way the operating system and/or IIS allows these writes to take place, even though there appears to be no explicit file system access granted.

The ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights.

For example, if you try to create a folder in the C:\Windows folder, you’ll find that you can’t. The ApplicationPoolIdentity still needs to be able to read files from the Windows system folders (otherwise how else would the worker process be able to dynamically load essential DLLs?).

With regard to your observations about being able to write to your c:\dump folder: if you take a look at the permissions in the Advanced Security Settings, you’ll see the following.


See the Special permission being inherited from c:\.


That’s the reason your site’s ApplicationPoolIdentity can read and write to that folder. That right is being inherited from the c:\ drive.

In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the Users group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).

You would then individually assign the requisite permissions each IIS AppPool\[name] requires on its site root folder.

You should also ensure that any folders you create where you store potentially sensitive files or data have the Users group removed. You should also make sure that any applications that you install don’t store sensitive data in their c:\program files\[app name] folders and that they use the user profile folders instead.

So yes, at first glance it looks like the ApplicationPoolIdentity has more rights than it should, but it actually has no more rights than its group membership dictates.

An ApplicationPoolIdentity’s group membership can be examined using the SysInternals Process Explorer tool. Find the worker process that is running with the Application Pool Identity you’re interested in (you will have to add the User Name column to the list of columns to display).


For example, I have a pool here named 900300 which has an Application Pool Identity of IIS APPPOOL\900300. Right-clicking on the process, selecting Properties and then the Security tab, we see:


As we can see, IIS APPPOOL\900300 is a member of the Users group.

  1. Right-click on the folder.
  2. Click Properties.
  3. Click the Security tab.
  4. Click the “Edit…” button.
  5. Click the “Add…” button.
  6. Click the “Locations…” button. Go to the very top of the tree structure, select your computer name, then click OK.
  7. Type “iis apppool\your_apppool_name” and click the “Check Names” button. If the apppool exists, your apppool name appears underlined in the textbox. Click OK.
  8. Check/uncheck whatever access you need to grant to the account.
  9. Click Apply and then OK.
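As an added example (not from either answer above), the same audit and hardening done in PowerShell rather than through the Security tab: the first function lists the ACEs on a folder that grant write-type rights to broad built-in groups such as BUILTIN\Users or IIS_IUSRS, inherited ones included, which is how the permission on C:\ reaches C:\dump; the second applies the model the first answer recommends to a site root (no inheritance from the volume, Administrators and SYSTEM only, the pool account reading its content and writing only in the folders the application needs). The site path D:\Sites\MySite, the pool name MySite and the App_Data subfolder are placeholders; the pool must already exist so that the IIS AppPool\MySite account resolves, and the script has to run from an elevated prompt.

```powershell
# Added example, not from the Stack Overflow answers. Run from an elevated PowerShell prompt.
# Placeholders (assumptions for the demo): site root and application pool name.
$SiteRoot    = 'D:\Sites\MySite'
$AppPoolName = 'MySite'
$poolAccount = "IIS AppPool\$AppPoolName"    # virtual account created together with the pool

function Get-BroadWriteAce {
    # Return the Allow ACEs on $Path that give write-type rights to broad built-in groups,
    # whether set on the folder itself or inherited from a parent (IsInherited tells which).
    param([Parameter(Mandatory)][string]$Path)
    $writeMask    = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Modify, FullControl'
    $genericWrite = 0x40000000   # GENERIC_WRITE: how some inherit-only ACEs report their rights
    $genericAll   = 0x10000000   # GENERIC_ALL
    (Get-Acl -Path $Path).Access | Where-Object {
        $r = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(BUILTIN\\Users|BUILTIN\\IIS_IUSRS|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
        ((($r -band $writeMask) -ne 0) -or (($r -band ($genericWrite -bor $genericAll)) -ne 0))
    } | Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags
}

function Set-SiteRootAcl {
    # Apply the model from the answer: stop inheriting from the volume, give Administrators and
    # SYSTEM full control, let the pool account read and execute, and grant Modify only on the
    # subfolders the application really has to write to.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$PoolAccount,
        [string[]]$WritableSubfolders = @()
    )
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)                  # protect the DACL and drop inherited ACEs
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }   # clean slate

    foreach ($spec in @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $PoolAccount;             Rights = 'ReadAndExecute' }
    )) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $spec.Id, $spec.Rights, $inherit, $propagate, $allow)))
    }
    Set-Acl -Path $Path -AclObject $acl

    foreach ($sub in $WritableSubfolders) {
        $target = Join-Path $Path $sub
        if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
        $subAcl = Get-Acl -Path $target                          # inherits the root ACEs set above
        $subAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $PoolAccount, 'Modify', $inherit, $propagate, $allow)))
        Set-Acl -Path $target -AclObject $subAcl
    }
}

# 1. Why C:\dump is writable: the BUILTIN\Users ACE inherited from C:\ is listed with IsInherited = True.
Get-BroadWriteAce -Path 'C:\dump' | Format-Table -AutoSize

# 2. Apply the site-root model and verify that no broad group can write any more.
Set-SiteRootAcl -Path $SiteRoot -PoolAccount $poolAccount -WritableSubfolders @('App_Data')
Get-BroadWriteAce -Path $SiteRoot            # expected: no rows
icacls.exe $SiteRoot                          # full picture, including the explicit pool-account ACE
```

The audit function is the scripted equivalent of the Advanced Security Settings view in the answer: run it on any folder where the pool can unexpectedly write and the offending ACE, together with whether it was inherited, is the first thing it shows.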

IIS – can’t access page by ip address instead of localhost

[Origin]: https://stackoverflow.com/questions/14029629/iis-cant-access-page-by-ip-address-instead-of-localhost

I’m trying to publish a ClickOnce application and test it locally. I want to provide an installation link, so I need to update the location with an IP address; otherwise I won’t be able to install it (because localhost is translated into the computer name, which is not accessible). The problem is that on my IIS I can access my page only by using localhost in the address.

http://localhost:9995/publish/Publish.htm <-- working 
http://192.168.1.104:9995/publish/Publish.htm <-- not working (my IP address)
http://my_pc_name:9995/publish/Publish.htm <-- not working
http://127.0.0.1:9995/publish/Publish.htm <-- even that is not working

I’m using Windows 7 and Visual Studio 2012 with IIS Express 8.0, but I tried the same on Visual Studio 2010 and its ASP.NET server and it still failed. I have my firewall turned off.

Do you have any ideas what can be wrong?

‘The format of the specified network name is invalid’ – IIS Error 0x800704BE

[Origin]: http://www.therealtimeweb.com/index.cfm/2011/10/24/iis-error-0x800704BE

Oh don’t you just love cryptic error messages that could mean one hundred and one things? Yeah, me too.

So in the interest of some poor soul (maybe it’s you 😉) searching on this topic in the year 2142, I decided to point out what resolved this issue for me.

Background: I am running Windows Server 2008 R2 with IIS inside a Hyper-V instance. The VM was configured with a static IP and each IIS site was configured to bind to that IP, and that IP alone.
I transferred the VM to Amazon EC2 (using the ec2-import-instance API) since I wanted to move away from having to maintain my own physical hardware. Long story short, once transferred I was unable to start any of the IIS sites; they all failed with the error ‘The format of the specified network name is invalid – Error 0x800704BE’.

I knew that this error was likely related to IP bindings of some kind (EC2 usually expects you to use DHCP for IP address assignment since even an elastic IP can change) so I tried binding a few IIS sites to ‘all’ IPs. Still the sites would not start, but throw the above error.

I dug deeper and used the netsh utility (Windows command line) to show the network configuration for the machine, and in particular which IPs the HTTP service listens on:

netsh http show iplisten

This listed just one (the previous static) IP of my VM – this was now wrong. So I removed the binding with

netsh http delete iplisten ipaddress=11.22.33.44

(where 11.22.33.44 is the actual IP that needs removing)

Next set the service up to listen to all IPs:

netsh http add iplisten ipaddress=0.0.0.0

I then restarted IIS using

iisreset

and bingo, the sites started to work.

Hope this helps someone.
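The check behind the fix above, as an added example that is not part of the original post: compare the HTTP.sys IP listen list with the addresses actually assigned to the machine and report any entry that no interface owns, which is the state the moved VM was in. The functions and their names are mine, not a Microsoft tool; the script only reports and prints the netsh command to run, it changes nothing itself, and it needs an elevated prompt because netsh http requires administrator rights.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

function Get-HttpListenList {
    # Parse 'netsh http show iplisten' and keep only the tokens that are IP addresses;
    # the header and separator lines do not parse and are dropped.
    netsh http show iplisten | ForEach-Object {
        $token  = $_.Trim()
        $parsed = $null
        if ($token -and [System.Net.IPAddress]::TryParse($token, [ref]$parsed)) {
            $parsed.IPAddressToString
        }
    }
}

function Get-LocalAddresses {
    # Every unicast address currently assigned to an interface. Uses .NET rather than
    # Get-NetIPAddress so it also works on Windows Server 2008 R2, the OS in the post.
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            ($ua.Address.IPAddressToString -split '%')[0]     # strip IPv6 scope ids
        }
    }
}

function Get-StaleHttpListenEntries {
    # Listen-list entries that no local interface owns. HTTP.sys cannot bind them, which is
    # the 0x800704BE symptom after the VM came up on a network with different addresses.
    $wildcards = @('0.0.0.0', '::')                # 'all addresses' entries are always valid
    $local = @(Get-LocalAddresses) + $wildcards
    @(Get-HttpListenList) | Where-Object { $local -notcontains $_ }
}

$listen = @(Get-HttpListenList)
if ($listen.Count -eq 0) {
    'IP listen list is empty: HTTP.sys listens on every local address (the default).'
} else {
    "IP listen list: $($listen -join ', ')"
    foreach ($ip in Get-StaleHttpListenEntries) {
        "Stale entry $ip is not assigned to this machine. Remove it with:"
        "    netsh http delete iplisten ipaddress=$ip"
    }
    'Run iisreset afterwards so the sites rebind.'
}
```

Two points the output makes visible. Deleting the stale entry leaves the list empty, and an empty list already means "listen on all addresses", so the explicit `add iplisten ipaddress=0.0.0.0` from the post is not strictly required. On a host with more than one interface, the listen list is also the place to keep the HTTP service off interfaces it should not be reachable on, so listing the intended address instead of 0.0.0.0 is the tighter configuration.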

IIS does not list a website that matches the launch url

[Origin]: https://stackoverflow.com/questions/10716956/iis-does-not-list-a-website-that-matches-the-launch-url

I need to debug the website I’m developing (ASP.NET MVC3, Razor, .NET 4, VS2010 SP1 (as administrator)) in IIS7 (Vista Home) and I’m getting the error:

IIS does not list a website that matches the launch url.

To test whether it has something to do with the settings of the app, I created from scratch an empty new ASP.NET MVC3 website, set it for IIS, created the virtual directory, launched with F5 and it worked fine!

I then created a second website project with the exact same settings (just to be sure) and this also launched as expected.

This leads me to think that I have some configuration problem!? But what? In the past I used IIS very rarely, so my knowledge is somewhat limited in this direction.

Any hints?


I hate answering my own questions: in my question I stated that I was running VS under the administrator account. This was not true!!!

So the solution (for me) was to run VS2010 as administrator (Start -> in the Vista menu right-click -> Run as administrator)… so simple.

As a side effect, VS2010 also let me create Virtual Directories without any problems (prior to that I got error messages stating that I had to adjust these manually).


How to remove error about glyphicons-halflings-regular.woff2 not found

[Origin]: https://stackoverflow.com/questions/32300578/how-to-remove-error-about-glyphicons-halflings-regular-woff2-not-found

This problem happens because IIS does not know about the woff and woff2 file MIME types.

Solution 1:

Add these lines to your project’s web.config:

 <system.webServer>
   ...
   <staticContent>
     <!-- remove first: adding a mimeMap for an extension that is already defined at a higher
          level (applicationHost.config) fails with HTTP 500.19 "duplicate collection entry" -->
     <remove fileExtension=".woff" />
     <mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
     <remove fileExtension=".woff2" />
     <mimeMap fileExtension=".woff2" mimeType="application/font-woff2" />
   </staticContent>
 </system.webServer>

Solution 2:

On the IIS page for the project:

Step 1: Go to your project’s IIS home page and double-click the MIME Types button.

Step 2: Click the Add button in the Actions menu.

Step 3: A window appears in the middle of the screen; in this window add the two entries from Solution 1.
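A third route, added here as an example and not part of the answer: the same two mappings made idempotently with the IIS WebAdministration module. The function checks whether a mapping for the extension already exists before adding one, which is the very condition the `<remove>` lines in Solution 1 guard against (a second mimeMap for an extension already defined at a higher level fails with HTTP 500.19). The function name, the MACHINE/WEBROOT/APPHOST default and the IIS:\Sites\MySite alternative path are my assumptions; it needs the IIS management scripting tools installed and an elevated prompt.

```powershell
# Added example, not from the answer. Requires the WebAdministration module (IIS management
# scripting tools) and an elevated PowerShell prompt.
Import-Module WebAdministration

function Set-StaticMimeMap {
    # Create or correct one static-content MIME mapping at the given configuration path.
    # Checking for an existing entry first avoids the duplicate-collection-entry error that
    # the <remove> lines in the web.config variant exist to prevent.
    param(
        [Parameter(Mandatory)][string]$Extension,
        [Parameter(Mandatory)][string]$MimeType,
        [string]$PSPath = 'MACHINE/WEBROOT/APPHOST'   # server level; 'IIS:\Sites\MySite' for one site (placeholder)
    )
    $filter   = "system.webServer/staticContent/mimeMap[@fileExtension='$Extension']"
    $existing = Get-WebConfiguration -PSPath $PSPath -Filter $filter
    if ($existing) {
        if ($existing.mimeType -ne $MimeType) {
            Set-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name mimeType -Value $MimeType
            "$Extension : changed $($existing.mimeType) -> $MimeType"
        } else {
            "$Extension : already mapped to $MimeType"
        }
    } else {
        Add-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/staticContent' -Name '.' `
            -Value @{ fileExtension = $Extension; mimeType = $MimeType }
        "$Extension : added as $MimeType"
    }
}

# The two types from Solution 1, with the same MIME type strings.
Set-StaticMimeMap -Extension '.woff'  -MimeType 'application/x-font-woff'
Set-StaticMimeMap -Extension '.woff2' -MimeType 'application/font-woff2'

# Review the result. Every extension listed here is one the static file handler will serve,
# so this list doubles as the inventory of what the server hands out as downloadable content.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/staticContent/mimeMap' |
    Select-Object fileExtension, mimeType | Sort-Object fileExtension
```

Running it a second time prints "already mapped" for both extensions and changes nothing, which is what makes it safe to keep in a deployment script.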


Visual Studio 2013. You do not have sufficient privilege to access IIS web sites on your machine

[Origin]: https://stackoverflow.com/questions/20984624/visual-studio-2013-you-do-not-have-sufficient-privilege-to-access-iis-web-sites

I just installed VS2013 and turned on IIS 7 on my Windows 7 Ultimate x64 machine. When trying to open a solution I get:

Creation of the virtual directory localhost:xxxxx failed with the error: Unable to access the IIS metabase. You do not have sufficient privilege to access IIS web sites on your machine.

I tried running Visual Studio 2013 as Administrator (right click, run as administrator), still the same error. I also did aspnet_regiis -i and it didn’t help either.


Go to C:\Windows\System32\inetsrv. Click the config folder. You will get a popup: “You don’t have access to this folder – Click continue to permanently get access to this folder”. Do the same for the Export folder, which is inside the config folder. You should then be able to open the solution, and the web application project will be deployed on IIS.




Solution to “Unable to Launch the IIS Express Web Server”

[Origin]: http://sibeeshpassion.com/solution-to-unable-to-launch-the-iis-express-web-server/

This article will help you to overcome the error Unable to Launch the IIS Express Web Server. Today I encountered the issue “Unable to launch the IIS Express Web Server” while I was running my Visual Studio 2012. So I thought of sharing how to resolve that issue. I hope it will help someone.

Unable to Launch the IIS Express Web Server

Background

In my team we have 5 to 10 members. Since we wanted to do a build of our current application, I used “Get the latest files from the server”. (We are using TFS.) Then, when I ran my application, I got this error.

The cause of this error is that someone checked in the solution file with his port number (the port number he was using). When I took the latest, it was set in my solution file as well. We should take the latest solution file only when it is required. So here I will share the remedy for this issue.

Procedure to solve this issue

Step 1

Right-click on your solution and select Properties as shown in the following figure.

Step 2

Select “Web” from the left menu.

Step 3

Under “Use local IIS server” change the port number from http://localhost:58030/ to another one.

Step 4

Here I have changed http://localhost:58030/ to http://localhost:58031/ .

Bingo! We have done it.

Step 5

Now run your application again. The issue will be solved.

Conclusion

Did I miss anything you think is needed? Have you ever faced this issue? Does this solution solve your issue? I hope you liked this article. Please share your valuable suggestions and feedback with me.

Kindest Regards
Sibeesh Venu