Security Considerations When Choosing an Application Isolation Mode
Applies To: Windows Server 2003, Windows Server 2003 with SP1
When you choose an application isolation mode, keep these security considerations in mind:
Worker process isolation mode. Worker process isolation mode provides better default security for running Web applications than does IIS 5.0 isolation mode. In worker process isolation mode, worker processes run by default as Network Service, which is the account that provides a better balance between security and functionality.
IIS 5.0 isolation mode. Web applications that are set to Low isolation, such as low-isolation ISAPI extensions, run in a process that runs as LocalSystem. The LocalSystem account can read, execute, and change all of the resources on the computer. Thus, if an attack by a malicious user takes over a Web application that runs in Low isolation, many assets of the local computer are open to the attacker. Also, if you set Web applications to Medium or High isolation, they run with IWAM_ComputerName as the default identity, which has fewer rights than LocalSystem.
Windows Server 2003 provides the following built-in system accounts, which you can use to provide the security context for worker processes:
Local Service. Has limited rights on the local computer and limited access (Anonymous) to network resources. Use the Local Service account if the worker process does not require authenticated access to network resources.
Network Service. Has limited rights on the local computer and authenticated access (as the computer account) to network resources.
LocalSystem. Has full access to the system because it belongs to the Administrators group.
Table 3.3 provides additional details about the built-in system accounts that are available in IIS 6.0, and Table 3.4 shows the default security account for both application isolation modes.
Table 3.3 Built-in System Accounts in IIS 6.0

Built-in Account | Privilege Level | Group or Account Used on the Local Machine | Group or Account Used on the Network |
---|---|---|---|
Local Service | Least privileged | Users group | Anonymous access account |
Network Service | More privileged | Users group | Computer account |
LocalSystem | Most privileged | Administrator with full access account | Computer account |
Table 3.4 Default Security Accounts for Each Application Isolation Mode

Mode or Options Within a Mode | Default Account |
---|---|
Worker process isolation mode | Network Service |
IIS 5.0 isolation mode | |
ISAPI extensions set to Low isolation that run in Inetinfo.exe | LocalSystem |
ISAPI extensions set to Medium isolation that run in pooled out-of-process application hosts | IWAM_ComputerName |
ISAPI extensions set to High isolation that run in out-of-process application hosts | IWAM_ComputerName |
ASP.NET worker processes | ASPNET |
For more information about built-in security accounts in IIS 6.0 and Windows Server 2003, including IWAM_ComputerName, see Managing a Secure IIS 6.0 Solution and IIS and Built-in Accounts.
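The following audit script is an added example and is not part of this documentation. It reads the server's current isolation mode and per-application settings through the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2, metabase properties IIs5IsolationModeEnabled, AppIsolated, AppPoolIdentityType and WAMUserName) and flags any application or application pool whose effective identity is LocalSystem; it assumes the IIS WMI provider is installed and that it is run by a local administrator.

```powershell
# Added example (not from the IIS documentation): report the identity each Web application
# runs under and flag LocalSystem, following Table 3.4 above.
# Assumes the IIS 6.0 WMI provider (root\MicrosoftIISv2) and local administrator rights.
$ns = 'root\MicrosoftIISv2'
# AppPoolIdentityType values: 0 = LocalSystem, 1 = Local Service, 2 = Network Service, 3 = specific user
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'Local Service'; 2 = 'Network Service' }

$svc = Get-WmiObject -Namespace $ns -Class IIsWebServiceSetting -Filter "Name='W3SVC'"
if ($svc.IIs5IsolationModeEnabled) {
    Write-Output 'Mode: IIS 5.0 isolation mode'
    # In IIS 5.0 isolation mode the identity follows each application's AppIsolated value:
    # 0 = Low (in Inetinfo.exe, LocalSystem), 1 = High, 2 = Medium (both IWAM_ComputerName).
    Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting |
        Where-Object { $_.AppRoot } |   # only directories that are application roots
        ForEach-Object {
            $identity = switch ([int]$_.AppIsolated) {
                0       { 'LocalSystem (Low)' }
                1       { 'IWAM_ComputerName (High)' }
                2       { 'IWAM_ComputerName (Medium)' }
                default { "unknown ($($_.AppIsolated))" }
            }
            $flag = if ([int]$_.AppIsolated -eq 0) { 'REVIEW' } else { 'ok' }
            '{0,-7} {1,-45} {2}' -f $flag, $_.Name, $identity
        }
} else {
    Write-Output 'Mode: worker process isolation mode'
    # Each application pool carries its own identity; flag any pool raised to LocalSystem.
    Get-WmiObject -Namespace $ns -Class IIsApplicationPoolSetting | ForEach-Object {
        $type = [int]$_.AppPoolIdentityType
        $identity = if ($type -eq 3) { $_.WAMUserName } else { $identityNames[$type] }
        $flag = if ($type -eq 0) { 'REVIEW' } else { 'ok' }
        '{0,-7} {1,-45} {2}' -f $flag, $_.Name, $identity
    }
}
```

Lines marked REVIEW are the applications or pools that run with the full LocalSystem rights described above and are candidates for moving to Network Service or Local Service.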