IIS AppPoolIdentity and file system write access permissions

[Origin]: https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions

Here’s an issue with IIS 7.5 and ASP.NET that I’ve been researching and getting nowhere with. Any help would be greatly appreciated.

My question is: using ASP.NET in IIS 7.5, how does IIS and/or the operating system allow the web application to write to a folder like C:\dump when running under full trust? How is it that I don’t have to explicitly add write access for the application pool user (in this case ApplicationPoolIdentity)?

This much I know:

  • In IIS 7.5, the default Identity for an Application Pool is ApplicationPoolIdentity.
  • ApplicationPoolIdentity represents a Windows user account called “IIS APPPOOL\AppPoolName”, which is created when the Application Pool is created, where AppPoolName is the name of the Application Pool.
  • The “IIS APPPOOL\AppPoolName” user is by default a member of the IIS_IUSRS group.
  • If you are running under Full Trust, your web application can write to many areas of the file system (excluding folders like C:\UsersC:\Windows, etc). For example, your application will have access to write to some folders, like, C:\dump.
  • By default, the IIS_IUSRS group is not given read or write access to C:\dump (at least not access that is visible through the “Security” tab in Windows Explorer).
  • If you deny write access to IIS_IUSRS, you will get a SecurityException when trying to write to the folder (as expected).

So, taking all of that into account, how is write access granted to the “IIS APPPOOL\AppPoolName” user? The w3wp.exe process runs as this user, so what allows this user to write to a folder it doesn’t seem to have explicit access to?

Please note that I understand this was probably done for the sake of convenience, since it would be a pain to grant a user access to every folder it needs to write to if you are running under Full Trust. If you want to limit this access, you can always run the application under Medium Trust. I am interested in finding out about the way the operating system and/or IIS allows these writes to take place, even though there appears to be no explicit file system access granted.

The ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights.

For example, if you try and create a folder in the C:\Windows folder then you’ll find that you can’t. The ApplicationPoolIdentity still needs to be able to read files from the windows system folders (otherwise how else would the worker process be able to dynamically load essential DLL’s).

With regard to your observations about being able to write to your c:\dump folder. If you take a look at the permissions in the Advanced Security Settings, you’ll see the following:

enter image description here

See that Special permission being inherited from c:\:

enter image description here

That’s the reason your site’s ApplicationPoolIdentity can read and write to that folder. That right is being inherited from the c:\ drive.

In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the Users group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).

You would then individually assign the requisite permissions each IIS AppPool\[name] requires on it’s site root folder.

You should also ensure that any folders you create where you store potentially sensitive files or data have the Users group removed. You should also make sure that any applications that you install don’t store sensitive data in their c:\program files\[app name] folders and that they use the user profile folders instead.

So yes, on first glance it looks like the ApplicationPoolIdentity has more rights than it should, but it actually has no more rights than it’s group membership dictates.

An ApplicationPoolIdentity‘s group membership can be examined using the SysInternals Process Explorer tool. Find the worker process that is running with the Application Pool Identity you’re interested in (you will have to add the User Name column to the list of columns to display:

enter image description here

For example, I have a pool here named 900300 which has an Application Pool Identity of IIS APPPOOL\900300. Right clicking on properties for the process and selecting the Security tab we see:

enter image description here

As we can see IIS APPPOOL\900300 is a member of the Users group.

  1. Right click on folder.
  2. Click Properties
  3. Click Security Tab. You will see something like this:

enter image description here

  1. Click “Edit…” button in above screen. You will see something like this:

enter image description here

  1. Click “Add…” button in above screen. You will see something like this:

enter image description here

  1. Click “Locations…” button in above screen. You will see something like this. Now, go to the very of top of this tree structure and select your computer name, then click OK.

enter image description here

  1. Now type “iis apppool\your_apppool_name” and click “Check Names” button. If the apppool exists, you will see your apppool name in the textbox with underline in it. Click OK button.

enter image description here

  1. Check/uncheck whatever access you need to grant to the account
  2. Click Apply button and then OK.
Advertisements

How to recognize phishing email messages, links, or phone calls

[Origin]: https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx

How to recognize phishing email messages, links, or phone calls

Phishing email messages, websites, and phone calls are designed to steal money. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of your computer.

Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something off of a website.

What does a phishing email message look like?

Here is an example of what a phishing scam in an email message might look like.

What is phishing

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam. For more information, see Email and web scams: How to help protect yourself.
  • Beware of links in email. If you see a link in a suspicious email message, don’t click on it. Rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company’s web address.

    Phishing scams masked web address

    Links might also lead you to .exe files. These kinds of file are known to spread malicious software.

  • Threats. Have you ever received a threat that your account would be closed if you didn’t respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised. For more information, see Watch out for fake alerts.
  • Spoofing popular websites or companies. Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows. For more information, see Avoid scams that use the Microsoft name fraudulently.

    Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered. For more information, see Protect yourself from cybersquatting and fake web addresses.

Beware of phishing phone calls

Cybercriminals might call you on the phone and offer to help solve your computer problems or sell you a software license. Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Once they’ve gained your trust, cybercriminals might ask for your user name and password or ask you to go to a website to install software that will let them access your computer to fix it. Once you do this, your computer and your personal information is vulnerable.

Treat all unsolicited phone calls with skepticism. Do not provide any personal information.

For more information, see Avoid tech support phone scams.

Report phishing scams

If you receive a fake phone call, take down the caller’s information and report it to your local authorities.

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk. Or you can simply call us at 1-800-426-9400 or one of our customer service phone numbers for people located around the world.

You can use Microsoft tools to report a suspected scam on the web or in email.

  • Internet Explorer. While you are on a suspicious site, click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the website.
  • Outlook.com (formerly Hotmail). If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Outlook inbox. Click the arrow next to Junk and then point to Phishing scam.
  • Microsoft Office Outlook 2010 and 2013. Right-click the suspicious message, point to Junk, and then click Report Junk.

IIS_IUSRS and IUSR permissions in IIS8

[Origin]: http://stackoverflow.com/questions/14934006/iis-iusrs-and-iusr-permissions-in-iis8

I’ve just moved away from IIS6 on Win2003 to IIS8 on Win2012 for hosting ASP.NET applications.

Within one particular folder in my application I need to Create & Delete files. After copying the files to the new server, I kept seeing the following errors when I tried to delete files:

Access to the path ‘D:\WebSites\myapp.co.uk\companydata\filename.pdf’ is denied.

When I check IIS I see that the application is running under the DefaultAppPool account, however, I never set up Windows permissions on this folder to include IIS AppPool\DefaultAppPool

Instead, to stop screaming customers I granted the following permissions on the folder:

IUSR

  • Read & Execute
  • List Folder Contents
  • Read
  • Write

IIS_IUSRS

  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write

This seems to have worked, but I am concerned that too many privileges have been set. I’ve read conflicting information online about whether IUSR is actually needed at all here. Can anyone clarify which users/permissions would suffice to Create and Delete documents on this folder please? Also, is IUSR part of the IIS_IUSRS group?

Update & Solution

Please see my answer below. I’ve had to do this sadly as some recent suggestions were not well thought out, or even safe (IMO).

shareedit

I hate to post my own answer, but some answers recently have ignored the solution I posted in my own question, suggesting approaches that are nothing short of foolhardy.

In short – you do not need to edit any Windows user account privileges at all. Doing so only introduces risk. The process is entirely managed in IIS using inherited privileges.

Applying Modify/Write Permissions to the Correct User Account

  1. Right-click the domain when it appears under the Sites list, and choose Edit Permissions

    enter image description here

    Under the Security tab, you will see MACHINE_NAME\IIS_IUSRS is listed. This means that IIS automatically has read-only permission on the directory (e.g. to run ASP.Net in the site). You do not need to edit this entry.

    enter image description here

  2. Click the Edit button, then Add…
  3. In the text box, type IIS AppPool\MyApplicationPoolName, substituting MyApplicationPoolNamewith your domain name, e.g. IIS AppPool\mydomain.com

    enter image description here

  4. Press the Check Names button. The text you typed will transform (notice the underline):

    enter image description here

  5. Press OK to add the user
  6. With the new user (your domain) selected, now you can safely provide any Modify or Write permissions

    enter image description here

shareedit