次の方法で共有

Is it ok to Change the IIS6 Service User Account?

  • [アーティクル]

Sigh... security continues to befuddle users... because why would you change the Service User Account from LocalSystem to Local Administrator? Not only is the action unsupported, but the configuration does not work, and it does not help system security... so why even do it?

Question:

Hi all

I run IIS 6.0 and want change Windows service (World Wide Web Publishing) log on from "Local System" to a domain account. Unfortunately I get following error:
"Error 5: Access is denied."

The domain account is in the local admin group.

Do you have an idea why? Many thanks in advance.

Answer:

Unfortunately, what you are attempting to do is unsupported, and the configuration fails by-design. Can you describe what you are TRYING to accomplish, not HOW you want to accomplish it.

Also, you assume that Administrators never get Access Denied... so please read the following blog entry on why that assumption is untrue. 

You cannot change the service user account for any IIS service, such as the "World Wide Web Publishing" service or the "IIS Admin" service. Period. It does not matter if the replacement user account is a Local Administrator. Just because you can do something does not mean it works; we simply did not design IIS to function that way.

Besides being unsupported, changing the service user account from LocalSystem to Local Administrator does not improve security, so...

IIS6, Conceptually

Now, if you are trying to "secure" IIS6 by making it isolate your applications with a specific domain user, that can be easily accomplished in a supported way - just not by what you are doing.

Conceptually, IIS 6 consists of four major interacting pieces - W3SVC, IISADMIN, HTTP, and W3WP.

  • HTTP is the kernel mode driver which picks up data from the network, parses and validates that data as an HTTP request, and then sends that request into user mode for processing by IIS W3WP.
  • IISADMIN is the user mode NT service, running as LocalSystem, which handles all operations to read/write configuration (such as by adminstration scripts, W3SVC, W3WP worker processes, etc). It does NOT run any user code in IIS6 Worker Process Isolation Mode (default on clean OS install).
  • W3SVC is the user mode NT service, running as LocalSystem, which tells HTTP where to send the HTTP requests, performs health-monitoring tasks on the W3WP worker processes handling HTTP requests, and manages other "IIS" functionality like keeping performance counters. It does NOT run any user code.
  • W3WP is the user mode worker process, running with a configurable process identity (defaults to unprivileged Network Service account), which actually processes and executes the HTTP requests. It runs all user code.

From a security perspective, you just need to worry about the process account of W3WP that executes user code because that identity is the worst an exploit can access (I presume that you do the secure thing of configuring authenticated users, including anonymous users, to have lower privileges). And since IIS 6 uses the unprivileged Network Service by default, IIS 6 comes highly secured.

As for the user identity used to execute user code, that really depends on the application framework of the user code. This blog entry describes how user impersonation works on IIS 6.

So, really... one should never need to change the Service User Account for IIS 6 - not only is it unsupported and non-functional, it is also non-necessary because the feature already exists.

//David

Comments

  • Anonymous
    May 16, 2006
    Excellent response.

    "IIS6, Conceptually"
    I was trying to fond this info on MS but got to you first. Nice and clear - thansk
  • Anonymous
    July 18, 2006
    Quoting David"Can you describe what you are TRYING to accomplish, not HOW you want to accomplish it."

    How about service encrypted ASP files? Pre SP1 for Windows 2003 I was able to run the IIS Admin service under a specific user account. I used a certificate associated with this user account to encrypt the asp files being served by IIS.

    As an ASP Developer I need a method to ensure that the ASP Files I write are not accessible by local users.
  • Anonymous
    July 18, 2006
    Arnaldo - Do you actually NEED to use the IIS Admin service to do service encrypted ASP files? Or is it just a matter of convenience?

    What you are trying to accomplish (Service Encrypted ASP files) can be done in a variety of ways. Your usage of IIS Admin Service is not a valid way.

    It sounds like you should write your own little shim EXE, configure it to run as a NT Service with a custom user identity, and possibly set it up as dependent on IIS Admin. It's pretty easy to do all this... and it accomplishes the same thing.

    Please tell me a reason why you must use the IIS Admin service under a specific user account vs any other service under a specific user account.

    //David