24

I'm a bit confused about how ASP.NET, what user it runs under? On iis 7.5 and on 6.0

A few of the user accounts that I'm not clear on are

  • Network Service
  • IUSR
  • AppPool

Any clarification on the different users would be appreciated and security considerations/etc.

Rob
  • 45,296
  • 24
  • 122
  • 150
Curtis White
  • 6,213
  • 12
  • 59
  • 83

2 Answers2

35

In summary:

  • IIS 5.1 (Windows XP) - it's a local ASPNET account
  • IIS 6 - by default, application pools run under the Network Service account which is a member of IIS_WPG group
  • IIS 7.0 - still Network Service
  • IIS 7 SP2 / 7.5 - runs under an ephemeral thing called ApplicationPoolIdentity which maps to an account IIS APPPOOL\ApplicationPool (e.g. IIS APPPOOL\DefaultAppPool). This account is a member of IIS_IUSRS user group
  • ASP.NET Web Development Server (Cassini) - it's obviously your own account

And it's a good practice to create a custom low-privileged account to run your application especially on PROD environment or when you need to access the network from the application.

Denis Ivin
  • 5,594
  • 1
  • 26
  • 25
6

ASP.net by default runs underneath the IIS_IUSRS user group. So if you need to grant permission to allow your application to run, use that group.

spaetzel
  • 1,252
  • 3
  • 16
  • 23
  • Thanks. Do you if this is the same account for IIS 6 legacy components? I'm trying to setup the pickup directory and not sure what rights it needs. In iis 7.5 they didnt' port this the SMTP service. – Curtis White Feb 18 '11 at 19:39
  • I'm rough on IIS6, but [this page](http://support.microsoft.com/kb/812614) makes it sound like IIS7 runs under "ASPNET" – spaetzel Feb 18 '11 at 19:43