CYA: Securing IIS 6.0: Cover Your A** By Getting It Right the First Time

Configuring IIS User Accounts

IIS 6.0 uses a number of built-in Windows accounts, as well as a number of IIS-specific user accounts. Which of these accounts are actually in use depends on whether IIS 6.0 is running in IIS 5.0 isolation mode or in worker process isolation mode (see Chapter 1 for more information on these modes).

By the Book

IIS 6.0 provides two major application processing modes: IIS 6.0 worker process isolation mode and IIS 5.0 isolation mode (for backward compatibility with IIS 5.0 applications).

In IIS 6.0 worker process isolation mode, web applications are assigned to application pools, each of which can be configured with its own process identity. The core IIS 6.0 services themselves (inetinfo.exe and the WWW service) run as LocalSystem.

In IIS 5.0 isolation mode, web applications run either in-process inside the core IIS process (inetinfo.exe, running as LocalSystem) or out of process in a separate dllhost.exe process. Each out-of-process dllhost.exe can be given its own identity; by default it runs as the IWAM_computername account.

In worker process isolation mode, the default identity for any process that executes user-supplied code is a low-privilege account (Network Service for application pools). This limits the damage an attacker can do if an application is compromised: code running in the worker process gets the rights of the pool identity, not those of the server.
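The practical check that follows from this is to find out which identity each application pool actually runs under, because a pool that has been switched to LocalSystem (or to a privileged domain account) undoes the isolation described above. The script below is an added example, not code from the book or from Microsoft: it parses an excerpt of the IIS 6.0 metabase (MetaBase.xml) and reports every application whose pool runs as LocalSystem or as a named account you consider privileged. The metabase excerpt is constructed for this example; the element and attribute names (IIsApplicationPool, AppPoolIdentityType, WAMUserName, AppPoolId) follow the IIS 6.0 metabase schema, and the site paths and account names are illustrative. The mapping of AppPoolIdentityType values (0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = a specific user named in WAMUserName) is the metabase's own encoding; treating a pool with no explicit AppPoolIdentityType as NetworkService is an assumption that mirrors the inherited default.

```python
"""Audit IIS 6.0 application-pool identities from a MetaBase.xml excerpt.

In worker process isolation mode every application pool is a w3wp.exe
process whose identity is recorded in the metabase property
AppPoolIdentityType:
    0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = SpecificUser
(a SpecificUser pool names its account in WAMUserName).
"""
import xml.etree.ElementTree as ET

IDENTITY_NAMES = {
    "0": "LocalSystem",
    "1": "LocalService",
    "2": "NetworkService",
    "3": "SpecificUser",
}

# Constructed metabase excerpt for this example; the paths, pool names and
# account names are illustrative, not taken from any real server.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsApplicationPools Location="/LM/W3SVC/AppPools" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/IntranetPool" AppPoolIdentityType="3" WAMUserName="CORP\\svc_intranet" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/legacy" AppPoolId="LegacyPool" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/intranet" AppPoolId="IntranetPool" />
</MBProperty>
</configuration>
"""


def _local_name(tag):
    """Drop the XML namespace so elements can be matched by their plain name."""
    return tag.split("}")[-1]


def parse_pools(xml_text):
    """Return {pool name: {"identity": ..., "user": ...}} for every pool."""
    root = ET.fromstring(xml_text)
    pools = {}
    for el in root.iter():
        if _local_name(el.tag) != "IIsApplicationPool":
            continue
        name = el.get("Location", "").rsplit("/", 1)[-1]
        # Assumption: a pool with no explicit type inherits the default (2).
        ident = IDENTITY_NAMES.get(el.get("AppPoolIdentityType", "2"), "Unknown")
        pools[name] = {"identity": ident, "user": el.get("WAMUserName")}
    return pools


def parse_apps(xml_text):
    """Return {metabase path: pool name} for every virtual directory that is an application."""
    root = ET.fromstring(xml_text)
    apps = {}
    for el in root.iter():
        if _local_name(el.tag) == "IIsWebVirtualDir" and el.get("AppPoolId"):
            apps[el.get("Location")] = el.get("AppPoolId")
    return apps


def audit(xml_text, privileged_users=()):
    """List (path, pool, reason) for applications whose pool identity is too powerful."""
    pools = parse_pools(xml_text)
    apps = parse_apps(xml_text)
    findings = []
    for path, pool_id in sorted(apps.items()):
        pool = pools.get(pool_id)
        if pool is None:
            findings.append((path, pool_id, "pool is not defined in the metabase"))
        elif pool["identity"] == "LocalSystem":
            findings.append((path, pool_id,
                             "runs as LocalSystem: user-supplied code gets full system rights"))
        elif pool["identity"] == "SpecificUser" and pool["user"] in privileged_users:
            findings.append((path, pool_id, "runs as privileged account %s" % pool["user"]))
    return findings


if __name__ == "__main__":
    for path, pool_id, reason in audit(SAMPLE_METABASE, {"CORP\\svc_intranet"}):
        print("%s (pool %s): %s" % (path, pool_id, reason))
```

On a live IIS 6.0 server the same property can be read for one pool with the Administration Scripts shipped with IIS, for example `cscript adsutil.vbs GET W3SVC/AppPools/DefaultAppPool/AppPoolIdentityType`; the script above is useful when you have a copy of MetaBase.xml (for instance from a backup) and want every application checked at once.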

IIS 6.0 Running in Worker Process Mode

When IIS 6.0 is running in worker process mode, websites and web applications (by default, a website is always configured as a web application) run inside web application pools. Each web application pool is represented by a w3wp.exe process, which is visible in Task Manager. Each w3wp.exe process...
