IIS and Built-in Accounts
Applies To: Windows Server 2003, Windows Server 2003 with SP1
IIS uses a number of built-in Windows accounts, as well as accounts that are specific to IIS. For security reasons, you should be aware of the different accounts and their default user privileges. It can be a security risk to change the identity of a worker process so that it runs as an account with a high level of access, such as the LocalSystem user account.
LocalSystem
The built-in LocalSystem user account has a high level of access privileges; it is part of the Administrators group. If a worker process identity runs as the LocalSystem user account, that worker process has full access to the entire system. When IIS 6.0 is running in IIS 5.0 isolation mode, this is the default user account for worker process identities. LocalSystem has one default user right, Full access.
Network Service
The built-in Network Service user account has fewer access privileges on the system than the LocalSystem user account, but the Network Service user account is still able to interact throughout the network with the credentials of the computer account. For IIS 6.0, it is recommended that the worker process identity that is defined for application pools run as the Network Service user account, which is the default setting. The following table shows the default user privileges for the Network Service account, along with how each privilege is derived.
Privilege | Source |
---|---|
Replace a process-level token (SeAssignPrimaryTokenPrivilege) | Explicit assignment |
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Explicit assignment |
Generate security audits (SeAuditPrivilege) | Explicit assignment |
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group |
 | Through membership in the Everyone group |
 | Through membership in the IIS_WPG group |
 | Explicit assignment |
 | Through membership in the IIS_WPG group |
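The tables above describe the default rights; on a production server it is worth confirming that nothing has added rights to these accounts since installation. The following PowerShell script is an added example (not part of the original page) that exports the local User Rights Assignment with secedit and lists the rights explicitly assigned to LocalSystem, Local Service and Network Service. It only reports explicit assignments: a right that the tables attribute to membership in Everyone or IIS_WPG appears in the secedit output under that group, not under the account, which is exactly the distinction the Source column makes. The scratch file path is an assumption.

```powershell
# Added example: list User Rights Assignment entries explicitly granted to the
# built-in service accounts. Run in an elevated PowerShell session.

$inf = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch path
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Well-known SIDs of the accounts discussed on the page (fixed values).
# secedit prefixes SIDs with '*'; local account names appear without it.
$accounts = @{
    '*S-1-5-18' = 'LocalSystem'
    '*S-1-5-19' = 'Local Service'
    '*S-1-5-20' = 'Network Service'
}

$inSection = $false
$rights = @{}   # account display name -> privilege constants
foreach ($line in Get-Content $inf) {
    # Track which INI section we are in; rights live under [Privilege Rights].
    if ($line -match '^\[(.+)\]') {
        $inSection = ($matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection) { continue }
    if ($line -match '^(\S+)\s*=\s*(.*)$') {
        $priv = $matches[1]
        foreach ($holder in ($matches[2] -split ',')) {
            $holder = $holder.Trim()
            if ($accounts.ContainsKey($holder)) {
                $name = $accounts[$holder]
                if (-not $rights.ContainsKey($name)) { $rights[$name] = @() }
                $rights[$name] += $priv
            }
        }
    }
}

foreach ($name in ($rights.Keys | Sort-Object)) {
    Write-Output "$name (explicit assignments):"
    $rights[$name] | Sort-Object | ForEach-Object { Write-Output "    $_" }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Compare the Network Service and Local Service output against the "Explicit assignment" rows of the tables; an extra entry such as a debug or backup privilege on either account is a change from the documented default and should be traced to whoever made it.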
Local Service
The built-in Local Service user account has fewer access privileges on the computer than the Network Service user account, and those user privileges are limited to the local computer. Use the Local Service user account if the worker process does not require access outside the server on which it is running. The following table shows the default user privileges for the Local Service account, along with how each privilege is derived.
Privilege | Source |
---|---|
Replace a process-level token (SeAssignPrimaryTokenPrivilege) | Explicit assignment |
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Explicit assignment |
Generate security audits (SeAuditPrivilege) | Explicit assignment |
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group |
 | Through membership in the Everyone group |
 | Explicit assignment |
IIS_WPG
The IIS_WPG group has the minimum permissions and user privileges that are necessary to start and run a worker process on a Web server. Application pool identities must be members of this group so that the application pool can register with Http.sys. The following table shows the default user privileges for the IIS_WPG group, along with how each privilege is derived.
Privilege | Source |
---|---|
Access this computer from the network (SeNetworkLogonRight) | Through membership in the Everyone group |
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group |
Impersonate a client after authentication (SeImpersonatePrivilege) | Explicit assignment |
 | Explicit assignment |
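Two of the points made so far can be checked in one pass: that no application pool runs its worker process as LocalSystem, and that any custom identity assigned to a pool is a member of IIS_WPG. The following PowerShell script is an added example (not part of the original page or of IIS itself) that reads the pool settings from the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2, class IIsApplicationPoolSetting, which requires packet-privacy authentication) and compares custom identities against the local IIS_WPG membership. The AppPoolIdentityType values 0 through 3 are the metabase schema values; the built-in identities (types 0 to 2) are not checked for IIS_WPG membership here, only custom accounts (type 3).

```powershell
# Added example: audit IIS 6.0 application pool identities.
# Run in an elevated PowerShell session on the Web server.

# AppPoolIdentityType values from the IIS 6.0 metabase schema.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

# Enumerate local IIS_WPG members; ADSI returns account names without a domain prefix.
$group   = [ADSI]'WinNT://./IIS_WPG,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

$pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' `
                       -Class IIsApplicationPoolSetting `
                       -Authentication PacketPrivacy

foreach ($pool in $pools) {
    $type    = [int]$pool.AppPoolIdentityType
    $label   = $identityNames[$type]
    $finding = 'OK'
    switch ($type) {
        0 {
            # The page's warning: a LocalSystem worker process has full access to the system.
            $finding = 'RISK: worker process runs as LocalSystem'
        }
        3 {
            $user  = ($pool.WAMUserName -split '\\')[-1]   # strip DOMAIN\ if present
            $label = "SpecificUser ($($pool.WAMUserName))"
            if ($members -notcontains $user) {
                # Without IIS_WPG membership the pool cannot register with Http.sys.
                $finding = 'RISK: identity is not a member of IIS_WPG'
            }
        }
    }
    Write-Output ('{0,-32} {1,-36} {2}' -f $pool.Name, $label, $finding)
}
```

Pool identity settings only apply in worker process isolation mode; a server running in IIS 5.0 isolation mode uses the LocalSystem default described earlier regardless of what this report shows, so check the isolation mode first.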
IUSR_ComputerName
The IIS IUSR_ComputerName user account is for anonymous access to IIS. By default, when a user accesses a Web site that uses Anonymous authentication, that user is mapped to the IUSR_ComputerName account. The following table shows the default user privileges for the IUSR_ComputerName account, along with how each privilege is derived.
Privilege | Source |
---|---|
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment |
 | Explicit assignment |
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group |
 | Explicit assignment |
IWAM_ComputerName
The IIS IWAM_ComputerName user account is for starting out-of-process applications in IIS 5.0 isolation mode. The following table shows the default user privileges for the IWAM_ComputerName account, along with how each privilege is derived.
Privilege | Source |
---|---|
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment |
 | Explicit assignment |
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group |
 | Explicit assignment |
 | Explicit assignment |
ASPNET
The built-in ASPNET user account is for running the ASP.NET worker process in IIS 5.0 isolation mode. The following table shows the default user privileges for the ASPNET account, along with how each privilege is derived.
Privilege | Source |
---|---|
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment |
 | Through membership in the Users group |
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Users group |
 | Explicit assignment |
 | Explicit assignment |
 | Explicit assignment |