IIS 6.0 Documentation > IIS 6.0 Operations Guide > Server Administration Guide > Configuring Servers for Applications > Worker Process Isolation Mode in IIS 6.0

Configuring Application Pool Identity with IIS 6.0 (IIS 6.0)

Important

This feature of IIS 6.0 is available only when IIS is running in worker process isolation mode.

The identity of an application pool is the name of the account under which the application pool's worker process runs. By default, application pools operate under the Network Service account, which has low-level user access rights. That is, this account provides better security against attackers or malicious users who might attempt to take over the computer on which the World Wide Web Publishing Service (WWW service) is running. The LocalService account has low access rights as well, and is useful for situations that do not require access to resources on remote computers. You can configure application pools to run as LocalSystem, which is an account with more user rights than the Network Service or LocalService account. However, be mindful that running an application pool under an account with increased user rights presents a high security risk.

For example, suppose that an Internet Service Provider (ISP) wants to allow customers to upload Common Gateway Interface (CGI) applications and then add them to an application pool. Running CGI-enabled applications in a separate application pool under the Network Service account, with its lower user rights, reduces the risk that these applications will be used to attack the server.

For more information about application pool identities, see Configuring Application Pool Identity in IIS 6.0.

Procedures

Important You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To change the account under which an application pool runs using IIS Manager

In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool, and then click Properties.

Click the Identity tab, and click either Predefined or Configurable. Predefined refers to standard service names, such as Network Service (the default), LocalSystem, or Local Service. Configurable refers to registered user names.

•	If you click Predefined, click a predefined account in the list box.
•	If you click Configurable, in the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate. Then, add the account to the IIS_WPG group.

Click OK.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exeScriptName (include the script's full path and any known parameters).

To change the account under which an application pool runs using the Adsutil.vbs administration script

1.	From the Start menu, click Run.
2.	In the Open box, type cmd, and click OK.
3.	Switch to the %systemroot%\system32\inetsrv directory.
4.	At the command prompt type cscript adsutil.vbs SET W3SVC/AppPools/AppPoolName/WAMUserName Username
5.	At the command prompt type cscript adsutil.vbs SET W3SVC/AppPools/AppPoolName/WAMUserPass Password

To programmatically change the account under which an application pool runs

In order to change the identity of a worker process in IIS 6.0, set three properties in the metabase under the application pool key that you want to change. Using "TestPool" as an example, and assuming the application pool named "TestPool" already exists, the following JScript snippet would change the application pool identity.

var appPool = GetObject("IIS://localhost/w3svc/AppPools/TestPool" );
// Tell IIS to use configurable identity for worker process
appPool.AppPoolIdentityType = 3;
// Set username
appPool.WAMUserName = "myuser";
// Set password
appPool.WAMUserPass = "myuserpass";
// Save changes to the IIS metabase
appPool.SetInfo();

Top of page