Question: Applications Are Denied Access to Resources



asked Sep 13, 2013 in IIS by rajesh
edited Sep 12, 2013
0 votes
22 views




2 Answers

0 votes

Applications Are Denied Access to Resources

After a clean install, IIS 6.0 runs in worker process isolation mode. Applications running in this mode use the Network Service identity, by default. Network Service is an account with few user rights and therefore provides better security by restricting access to resources on the Web server. If you migrate applications to IIS 6.0 while the server is in worker process isolation mode, and if your applications previously ran in-process (in Inetinfo.exe) as LocalSystem, the applications may fail to access resources because of the restrictions set forth by the Network Service identity. The LocalSystem account has access to almost all resources on the operating system, and therefore creates serious security implications. You should avoid using the LocalSystem account when possible. If it is absolutely necessary to use the LocalSystem account on an application, run that application in a new application pool in its own virtual directory so you can reduce the attack surface by isolating the application. As an alternative, and if your application needs permission to use the Trusted Computing Base (TCB), run the application as a configurable identity and assign the TCB permission to the configurable identity. This alternative, however, still presents a security risk because the TCB permission is very powerful.

For more information, see Configuring Worker Process Identities and IIS and Built-in Accounts in the Help that comes with IIS Manager.

answered Sep 13, 2013 by rajesh
edited Sep 12, 2013 by rajesh
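
Added example, not part of the original answer: a Python audit of an IIS 6.0 metabase export that reports each application pool's identity and flags LocalSystem pools hosting more than one application, following the isolation advice above. The sample XML and its pool and account names are constructed and simplified; as assumptions, the function counts only applications with an explicit `AppPoolId` attribute and treats a pool without `AppPoolIdentityType` as inheriting the AppPools default.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# AppPoolIdentityType values in the IIS 6.0 metabase
IDENTITY = {0: "LocalSystem", 1: "LocalService", 2: "NetworkService", 3: "Configurable"}

# Constructed, simplified metabase export (not taken from a real server).
SAMPLE = """<configuration><MBProperty>
<IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/BillingPool" AppPoolIdentityType="0"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/ReportPool" AppPoolIdentityType="3" WAMUserName="svc_report"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/legacy" AppPoolId="LegacyPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/billing" AppPoolId="BillingPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/invoices" AppPoolId="BillingPool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/reports" AppPoolId="ReportPool"/>
</MBProperty></configuration>"""

def audit_pools(metabase_xml):
    """Return {pool: {"identity", "apps", "finding"}} for every application pool."""
    default_type, pool_type, apps = 2, {}, defaultdict(list)
    for el in ET.fromstring(metabase_xml).iter():
        tag = el.tag.split("}")[-1]          # ignore an XML namespace if present
        loc = el.get("Location", "")
        if tag == "IIsApplicationPools" and el.get("AppPoolIdentityType"):
            default_type = int(el.get("AppPoolIdentityType"))   # inherited default
        elif tag == "IIsApplicationPool":
            pool_type[loc.rsplit("/", 1)[-1]] = el.get("AppPoolIdentityType")
        elif el.get("AppPoolId"):
            apps[el.get("AppPoolId")].append(loc)
    report = {}
    for pool, raw in pool_type.items():
        identity = IDENTITY.get(int(raw) if raw is not None else default_type, "Unknown")
        hosted = sorted(apps.get(pool, []))
        if identity != "LocalSystem":
            finding = "ok"
        elif len(hosted) > 1:
            finding = "LocalSystem pool shared by several applications"
        else:
            finding = "LocalSystem pool, isolated"
        report[pool] = {"identity": identity, "apps": hosted, "finding": finding}
    return report

if __name__ == "__main__":
    for pool, row in sorted(audit_pools(SAMPLE).items()):
        print(f"{pool:15} {row['identity']:15} {row['finding']}")
```

A pool reported as Configurable still needs a manual check of the user rights assigned to its account, since the TCB permission is not recorded in the metabase.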

...