66

I have a new Win7 workstation and I am trying to get ScrewTurn Wiki to run on the machine. My STW installation is using the file system option to store its data, and as such I need to give write permissions to the ASP.NET worker process in the folder the website is installed in.

HOWEVER, I cannot seem to be able to come up with name of the worker process in Win7 in order to add it to the permissions for the folder. In XP it was ASPNET_WP, if I remember correctly, but that is not its name in Win7.

Can someone please tell me?

Edited to add:

In response to @Dragan_Radivojevic, here's what the application pool in question looks like (named ScrewTurnWiki):

[Screenshot: IIS7 Application Pools]

The Identity is "ApplicationPoolIdentity"

Cyberherbalist
  • Possible duplicate of [IIS7 folder permissions for web application](https://stackoverflow.com/questions/2532079/iis7-folder-permissions-for-web-application) – KyleMit Oct 24 '17 at 18:44

4 Answers

142

Giving write permissions to all IIS_USRS group is a bad idea from the security point of view. You don't need to do that and you can go with giving permissions only to system user running the application pool.

If you are using IIS7 (and I guess you do) do the following.

  1. Open IIS7
  2. Select Website for which you need to modify permissions
  3. Go to Basic Settings and see which application pool you're using.
  4. Go to Application pools and find application pool from #3
  5. Find system account used for running this application pool (Identity column)
  6. Navigate to your storage folder in IIS, select it and click on Edit Permissions (under Actions sub menu on the right)
  7. Open security tab and add needed permissions only for user you identified in #3

Note #1: if you see ApplicationPoolIdentity in #3 you need to reference this system user like this: IIS AppPool\{application_pool_name}. For example IIS AppPool\DefaultAppPool

Note #2: when adding this user make sure to set correct locations in the Select Users or Groups dialog. This needs to be set to local machine because this is local account.

Dragan Radivojevic
  • 5
    Looks good, but the Identity in question does not get recognized by the system as a user, and a search (via the Advanced button) does not find it, either. I'm working with my workstation, however, and not a server. I am behind two firewalls, and I don't think that IIS_IUSRS is all that exposed. – Cyberherbalist Feb 01 '13 at 21:53
  • Try searching for user like I showed above "IIS AppPool\{application_pool_name}. For example IIS AppPool\DefaultAppPool" – Dragan Radivojevic Feb 02 '13 at 00:03
  • No luck; I could find no such user. Does it matter if this is a 64-bit Windows 7 workstation? – Cyberherbalist Feb 04 '13 at 16:51
  • It shouldn't matter. Can you tell me what exactly do you see in Identity column for that application pool? So, just to be 100% clear. Go to IIS Manager -> Application Pools -> identify App pool running your website and tell me what's under Identity column. – Dragan Radivojevic Feb 04 '13 at 18:35
  • 2
    I've added a screenshot to illustrate what the app pools look like. – Cyberherbalist Feb 04 '13 at 18:46
  • 2
    Got it. You should be able to find user like this "IIS AppPool\ScrewTurnWiki" (without quotes). Pls let me know if this works for you. – Dragan Radivojevic Feb 04 '13 at 18:53
  • I tried this locally using same app pool as you provided and it worked just fine for me (win 7 x64 and IIS 7) – Dragan Radivojevic Feb 04 '13 at 18:55
  • 3
    At last. When I first tried this, it still didn't work (I think I had already tried it previously), but your "I tried this *locally*..." made me wonder if maybe I was using the wrong domain. I've not done a lot of this so, anyway, I noticed that the "From this locations" value was a network name, not the local machine. Using the Locations button I set this to the machine's name, and then your suggestion worked! Please modify your answer to cover this little wrinkle and I will mark your answer as "Accepted" - and thanks for your assistance! – Cyberherbalist Feb 04 '13 at 21:44
  • Great! Glad it worked! I updated the answer to include additional info. – Dragan Radivojevic Feb 04 '13 at 21:57
  • 2
    #6 ) "Navigate to your storage folder in IIS" Do you mean content view? Or you mean Select the website? There is an explore option then you are not in IIS anymore. – Blue Clouds Apr 27 '16 at 07:45
  • @DraganRadivojevic how do I go about #5? – Smith Oct 03 '17 at 12:31
  • 1
    This works, but searching for the user doesn't work at least in environments I own. I typically go to "Advanced->Find Now" to get a list of all accounts on the machine, but for whatever reason, IIS AppPool\apppoolname accounts don't show there and query-by-name is greyed out. The only way to do this is to type IIS AppPool\apppoolname in the "Add User" dialog with "MACHINENAME" selected as the location. If you are using ApplicationIdentity and not impersonating, then this is the correct account to grant access to on-machine folders. – Daniel Jul 13 '18 at 15:25
  • @Daniel Thx, that was the hint: " IIS AppPool\apppoolname" – Bluefire May 05 '23 at 13:29
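The procedure in the accepted answer and the follow-up note about virtual accounts, scripted in PowerShell as an added example (this is not code from any of the answers). It assumes the pool is named ScrewTurnWiki as in the question and uses a placeholder folder path; it grants Modify (what the asker needed) to the pool identity only, rather than Full Control or a grant to the whole IIS_IUSRS group, and first checks that the "IIS AppPool\name" account actually resolves on the machine, which is the step the Select Users dialog could not do for the asker.

```powershell
# Added example, not from the original thread. Grants the wiki's storage folder
# to the application pool identity only (least privilege), after confirming the
# virtual account resolves locally.
param(
    [string]$AppPoolName = 'ScrewTurnWiki',                              # pool name from the question
    [string]$Folder      = 'C:\inetpub\wwwroot\ScrewTurnWiki\public'    # placeholder; use your storage folder
)

# App pool identities live in the local "IIS AppPool" pseudo-domain. Translating
# the name to a SID is the same lookup the permissions dialog performs; if this
# throws, the name is not known on this machine (wrong pool name, IIS not
# installed, or you are resolving against a domain instead of the local machine).
$account = New-Object System.Security.Principal.NTAccount('IIS AppPool', $AppPoolName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "Resolved '$($account.Value)' to $($sid.Value)"   # app pool identities are S-1-5-82-...

# One Allow ACE: Modify (read, write, delete; cannot change permissions or take
# ownership), inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify the result and surface any broad grant to IIS_IUSRS that the accepted
# answer advises against, so it can be removed.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -like 'IIS AppPool\*' -or
                   $_.IdentityReference -like '*\IIS_IUSRS' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run from an elevated PowerShell prompt on the web server itself; the SID lookup and Set-Acl both need local administrator rights.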
35

I know this is an old thread but to further expand the answer here, by default IIS 7.5 creates application pool identity accounts to run the worker process under. You can't search for these accounts like normal user accounts when adding file permissions. To add them into NTFS permission ACL you can type the entire name of the application pool identity and it will work.

It is just a slight difference in the way the application pool identity accounts are handled as they are seen to be virtual accounts.

Also the username of the application pool identity is "IIS AppPool\application pool name" so if it was the application pool DefaultAppPool the user account would be "IIS AppPool\DefaultAppPool".

These can be seen if you open computer management and look at the members of the local group IIS_IUSRS. The SID appended to the end of them is not needed when adding the account into an NTFS permission ACL.

Hope that helps

steve
15

My immediate solution (since I couldn't find the ASP.NET worker process) was to give write (that is, Modify) permission to IIS_IUSRS. This worked. I seem to recall that in WinXP I had to specifically give the ASP.NET worker process write permission to accomplish this. Maybe my memory is faulty, but anyway...

@DraganRadivojevic wrote that he thought this was dangerous from a security viewpoint. I do not disagree, but since this was my workstation and not a network server, it seemed relatively safe. In any case, his answer is better and is what I finally settled on after chasing down a fail-path due to not specifying the correct domain for the AppPool user.

Cyberherbalist
4

The full command would be something like the one below; notice the quotes.

icacls "c:\inetpub\wwwroot\tmp" /grant "IIS AppPool\DefaultAppPool:F"

namvan