IIS and Built-in Accounts (IIS 6.0)

IIS uses a number of built-in Windows accounts, as well as accounts that are specific to IIS. For security reasons, you should be aware of the different accounts and their default user privileges. It can be a security risk to change the identity of a worker process so that it runs as an account with a high level of access, such as the LocalSystem user account.

LocalSystem

The built-in LocalSystem user account has a high level of access privileges; it is part of the Administrators group. If a worker process identity runs as the LocalSystem user account, that worker process has full access to the entire system. When IIS 6.0 is running in IIS 5.0 isolation mode, this is the default user account for worker process identities. LocalSystem has one default user right, Full access.

Network Service

The built-in Network Service user account has fewer access privileges on the system than the LocalSystem user account, but the Network Service user account is still able to interact throughout the network with the credentials of the computer account. For IIS 6.0, it is recommended that the worker process identity that is defined for application pools run as the Network Service user account, which is the default setting. The following table shows the default user privileges for the Network Service account, along with how each privilege is derived.

Privilege | Source
Replace a process-level token (SeAssignPrimaryTokenPrivilege) | Explicit assignment
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Explicit assignment
Generate security audits (SeAuditPrivilege) | Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Access this computer from the network (SeNetworkLogonRight) | Through membership in the Everyone group
Log on as a batch job (SeBatchLogonRight) | Through membership in the IIS_WPG group
Log on as a service (SeInteractiveLogonRight) | Explicit assignment
Impersonate a client after authentication (SeImpersonatePrivilege) | Through membership in the IIS_WPG group

Local Service

The built-in Local Service user account has fewer access privileges on the computer than the Network Service user account, and those user privileges are limited to the local computer. Use the Local Service user account if the worker process does not require access outside the server on which it is running. The following table shows the default user privileges for the Local Service account, along with how each privilege is derived.

Privilege | Source
Replace a process-level token (SeAssignPrimaryTokenPrivilege) | Explicit assignment
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Explicit assignment
Generate security audits (SeAuditPrivilege) | Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Access this computer from the network (SeNetworkLogonRight) | Through membership in the Everyone group
Log on as a batch job (SeBatchLogonRight) | Explicit assignment
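Added example (not from the page or from Microsoft): a PowerShell check that parses a secedit user-rights export and compares the privileges explicitly granted to Local Service (SID S-1-5-19) with the explicit assignments in the table above, warning on anything surplus or missing. The export path is an assumption, and the embedded fallback text is constructed for illustration; it deliberately grants one extra privilege so the warning path is exercised.

```powershell
# Added example (not from the page): compare the privileges explicitly granted to
# Local Service (S-1-5-19) against the explicit assignments documented above.
# Assumes the local policy was exported beforehand with:
#   secedit /export /cfg C:\rights.inf /areas USER_RIGHTS
# $infPath is an assumption; $sampleInf is constructed text used only when no export exists.

$infPath = 'C:\rights.inf'
$sampleInf = @'
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeBatchLogonRight = *S-1-5-19,*S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-19,*S-1-5-32-544
'@
$lines = if (Test-Path $infPath) { Get-Content $infPath } else { $sampleInf -split "`r?`n" }

# Explicit assignments for Local Service, taken from the table above.
$baseline = @('SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege',
              'SeAuditPrivilege', 'SeBatchLogonRight')

# Returns the names of privileges whose [Privilege Rights] entry lists the given SID directly.
function Get-ExplicitPrivileges([string[]]$Inf, [string]$Sid) {
    $inSection = $false
    foreach ($line in $Inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $matches[1]
            # Entries look like "*S-1-5-19,*S-1-5-20"; strip the leading asterisks.
            $holders = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            if ($holders -contains $Sid) { $name }
        }
    }
}

$granted = @(Get-ExplicitPrivileges $lines 'S-1-5-19')
$extra   = @($granted  | Where-Object { $baseline -notcontains $_ })
$missing = @($baseline | Where-Object { $granted  -notcontains $_ })
foreach ($p in $extra)   { Write-Warning "Local Service holds $p beyond the documented defaults" }
foreach ($p in $missing) { Write-Warning "Local Service is missing documented default $p" }
if ($extra.Count -eq 0 -and $missing.Count -eq 0) { 'Local Service privileges match the documented defaults.' }
```

Privileges held through Everyone (S-1-1-0) are not reported as explicit, which matches how the table attributes them.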

IIS_WPG

The IIS IIS_WPG group account has the minimum permissions and user privileges that are necessary to start and run a worker process on a Web server. Application pool identities must be members of this group so the application pool can register with Http.sys. The following table shows the default user privileges for the IIS_WPG account, along with how each privilege is derived.

Privilege | Source
Access this computer from the network (SeNetworkLogonRight) | Through membership in the Everyone group
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Impersonate a client after authentication (SeImpersonatePrivilege) | Explicit assignment
Log on as a batch job (SeBatchLogonRight) | Explicit assignment
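An added audit script (not from the page or from Microsoft) that applies the worker-process guidance from the LocalSystem and Network Service sections together with the IIS_WPG membership requirement stated above: it reads each application pool's identity from the IIS 6.0 metabase through the ADSI provider and flags LocalSystem, IIS 5.0 isolation mode, and custom accounts that are not members of IIS_WPG. It assumes it runs locally on an IIS 6.0 server with administrative rights; the metabase property names and AppPoolIdentityType values are those of the IIS 6.0 metabase, while the finding labels are the script's own.

```powershell
# Added example (not from the page): enumerate IIS 6.0 application pools through the
# metabase ADSI provider and flag identities that depart from the recommended default.
# Assumes a local IIS 6.0 server and administrative rights.

# AppPoolIdentityType values in the IIS 6.0 metabase:
# 0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = specific user (WAMUserName).
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

$w3svc = [ADSI]'IIS://localhost/W3SVC'
if ([bool]$w3svc.IIs5IsolationModeEnabled.Value) {
    Write-Warning 'IIS 5.0 isolation mode is enabled: worker processes run as LocalSystem by default.'
}

# Members of the local IIS_WPG group, used to check custom pool identities.
$wpgMembers = @(([ADSI]'WinNT://./IIS_WPG,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })

$pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
foreach ($pool in $pools.psbase.Children) {
    $type = [int]$pool.AppPoolIdentityType.Value
    $identity = $identityNames[$type]
    $finding = switch ($type) {
        0 { 'HIGH: runs as LocalSystem (full access to the system)' }
        1 { 'INFO: LocalService (no network access; acceptable if the pool needs none)' }
        2 { 'OK: NetworkService, the recommended default' }
        3 {
            $user = [string]$pool.WAMUserName.Value
            $identity = "SpecificUser ($user)"
            # Strip any DOMAIN\ prefix; WinNT member names carry only the account name.
            if ($wpgMembers -contains ($user -replace '^.*\\', '')) {
                'REVIEW: custom account is in IIS_WPG; confirm it holds nothing beyond that'
            } else {
                'HIGH: custom account is not in IIS_WPG, so the pool cannot register with Http.sys'
            }
        }
    }
    New-Object PSObject -Property @{ AppPool = $pool.psbase.Name; Identity = $identity; Finding = $finding }
}
```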

IUSR_ComputerName

The IIS IUSR_ComputerName user account is for anonymous access to IIS. By default, when a user accesses a Web site that uses Anonymous authentication, that user is mapped to the IUSR_ComputerName account. The following table shows the default user privileges for the IUSR_ComputerName account, along with how each privilege is derived.

Privilege | Source
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment
Allow log on locally (SeInteractiveLogonRight) | Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Log on as a batch job (SeBatchLogonRight) | Explicit assignment

IWAM_ComputerName

The IIS IWAM_ComputerName user account is for starting out-of-process applications in IIS 5.0 isolation mode. The following table shows the default user privileges for the IWAM_ComputerName account, along with how each privilege is derived.

Privilege | Source
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group
Log on as a batch job (SeBatchLogonRight) | Explicit assignment
Replace a process-level token (SeAssignPrimaryTokenPrivilege) | Explicit assignment

ASPNET

The built-in ASPNET user account is for running the ASP.NET worker process in IIS 5.0 isolation mode. The following table shows the default user privileges for the ASPNET account, along with how each privilege is derived.

Privilege | Source
Access this computer from the network (SeNetworkLogonRight) | Explicit assignment
Allow logon locally (SeInteractiveLogonRight) | Through membership in the Users group
Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Users group
Deny logon locally (SeDenyInteractiveLogonRight) | Explicit assignment
Log on as a batch job (SeBatchLogonRight) | Explicit assignment
Log on as a service (SeInteractiveLogonRight) | Explicit assignment

© 2015 Microsoft Corporation. All rights reserved.