Low privileges IIS Application Pools
When you create a new application pool, you will usually want to run it under an identity that has only the least privileges the application inside it needs.
This article describes how to create a user account for use as an IIS application pool identity. It is also useful when you get one of the following event messages:
- The identity of application pool is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.
- The identity of application pool, is invalid. If it remains invalid when the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
There are two account types:
- Domain accounts
  - Useful when you run a web application on server A but it needs to access resources on another server within the domain. This account type is created with the Active Directory Users and Computers management console on one of the domain controllers in your domain.
- Local accounts
  - Useful when the application only needs access to local files and/or accesses resources outside the domain with its own credentials.
Create the account
- Create a user account and store its (complex) password at a 'well known' but secure location.
- Remove it from the Users group.
- Add the user account to the IIS_WPG (IIS Worker Process Group) group on the web server where you are going to run the web application.
- Launch the IIS Manager.
- Add an application pool.
- Edit the application pool and set its identity to the newly created account.
The application pool probably needs read and/or write access to the file system at the location where the web application is deployed. Give the account read access to the root of the web application folder and 'Modify' rights only on the folders where it is actually needed (for example upload or log folders). There is no need to grant 'Full control' at all.
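The steps above (account creation, group membership, application pool identity) and the file-system rights from this paragraph, carried out as one PowerShell script. This is an added example, not code from the original article. It assumes Windows Server with IIS and the WebAdministration module, PowerShell 5.1 or later for the *-LocalUser / *-LocalGroupMember cmdlets, and an elevated prompt; AppPoolSvc, MyWebApp and C:\inetpub\MyWebApp are placeholder names. The article names IIS_WPG, which is the IIS 6 group; on IIS 7 and later the worker process group is IIS_IUSRS, so the script picks whichever exists.

```powershell
# Added example (not from the original article). Placeholders: AppPoolSvc, MyWebApp, C:\inetpub\MyWebApp.
$UserName  = 'AppPoolSvc'
$PoolName  = 'MyWebApp'
$SiteRoot  = 'C:\inetpub\MyWebApp'
$WriteDirs = @("$SiteRoot\App_Data", "$SiteRoot\Logs")   # only the folders that really need writes
$Account   = "$env:COMPUTERNAME\$UserName"

# Prompt for the (complex) password instead of embedding it in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

# 1. Create the local account as a service identity: password does not expire,
#    and the account itself may not change it.
New-LocalUser -Name $UserName -Password $Password `
    -PasswordNeverExpires -UserMayNotChangePassword `
    -Description 'IIS application pool identity' | Out-Null

# 2. New-LocalUser puts the account in the built-in Users group; take it out again,
#    then add it to the worker process group (IIS_IUSRS on IIS 7+, IIS_WPG on IIS 6).
Remove-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue
$WpgGroup = if (Get-LocalGroup -Name 'IIS_IUSRS' -ErrorAction SilentlyContinue) { 'IIS_IUSRS' } else { 'IIS_WPG' }
Add-LocalGroupMember -Group $WpgGroup -Member $UserName

# 3. Create the application pool and set its identity to the new account.
#    identityType 3 = SpecificUser in the IIS processModel configuration.
Import-Module WebAdministration
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
try   { $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $Account
    password     = $Plain
}
$Plain = $null

# 4. File system: read & execute on the web root (inherited by subfolders/files),
#    Modify only on the folders listed in $WriteDirs. No Full control anywhere.
icacls $SiteRoot /grant "${Account}:(OI)(CI)RX" | Out-Null
foreach ($dir in $WriteDirs) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    icacls $dir /grant "${Account}:(OI)(CI)M" | Out-Null
}

# 5. Checks: the pool must start with the new identity (otherwise you get the
#    'identity of application pool is invalid' event), and no folder under the
#    web root may give the account Full control.
Start-WebAppPool -Name $PoolName
"Pool state: $((Get-WebAppPoolState -Name $PoolName).Value)"
$Folders = @(Get-Item $SiteRoot) + @(Get-ChildItem $SiteRoot -Recurse -Directory)
foreach ($folder in $Folders) {
    $Full = (Get-Acl $folder.FullName).Access |
        Where-Object { $_.IdentityReference -eq $Account -and $_.FileSystemRights -match 'FullControl' }
    if ($Full) { Write-Warning "Full control granted to $Account at $($folder.FullName)" }
}
```

Run it once per web server; for a domain account, skip step 1, keep step 2, and use DOMAIN\user as $Account. Keep the password entered at the prompt in the secure location the article mentions, since IIS stores it encrypted in applicationHost.config and you will need it again when the pool is recreated.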
Incorrect 'Google' hits
Some sites state that the user account needs the 'Act as part of the operating system' user right (policy), but this is NOT necessary.
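A quick way to confirm that the pool identity has not picked up that user right (SeTcbPrivilege) from some other guide or policy: export the local security policy with secedit and look for the account's SID on the SeTcbPrivilege line. This is an added example, not from the original article; it assumes an elevated prompt on the web server, and AppPoolSvc is a placeholder account name.

```powershell
# Added example (not from the original article): verify the pool identity does NOT hold
# 'Act as part of the operating system' (SeTcbPrivilege). AppPoolSvc is a placeholder.
$UserName = 'AppPoolSvc'
$Account  = "$env:COMPUTERNAME\$UserName"

# secedit lists privilege holders as *SID, so resolve the account to its SID first.
$NtAccount = New-Object System.Security.Principal.NTAccount($Account)
$Sid = $NtAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local policy (includes the [Privilege Rights] section).
$Cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $Cfg /quiet | Out-Null
# The line is absent entirely when nobody has been granted the right (the default).
$Line = Get-Content $Cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
Remove-Item $Cfg -Force

if ($Line -and ($Line -match [regex]::Escape("*$Sid"))) {
    Write-Warning "$Account holds SeTcbPrivilege; remove it, the application pool does not need it."
} else {
    "$Account does not hold SeTcbPrivilege (as expected)."
}
```

If the warning fires, remove the account from the 'Act as part of the operating system' assignment in the Local Security Policy console (or the applying GPO) and restart the pool; it will keep working, which is the point the article makes.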
You can now test this new application pool with a (new) web application.