Specify an Identity for an Application Pool (IIS 7)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
The identity of an application pool is the name of the service account under which the application pool's worker process runs. By default, application pools operate under the Network Service user account, which has low-level user rights. You can configure application pools to run under one of the built-in user accounts in the Windows Server® 2008 operating system. For example, you can specify the Local System user account, which has higher-level user rights than either the Network Service or Local Service built-in user accounts. However, remember that running an application pool under an account that has high-level user rights is a serious security risk.
You can also configure a custom account to serve as an application pool's identity. Any custom account you choose should have only the minimum rights that your application requires. A custom account is useful in the following situations:
When you want to improve security and make it easier to trace security events to the corresponding application.
When you are hosting Web sites for multiple customers on a single Web server. If you use the same process account for multiple customers, source code from one customer's application may be able to access source code from another customer's application. In this case, you should also configure a custom account for the anonymous user account.
When an application requires rights or permissions in addition to the default permissions for an application pool. In this case, you can create an application pool and assign a custom identity to the new application pool.
Prerequisites
For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform or this procedure, see Application Pools Feature Requirements (IIS 7).
Exceptions to Feature Requirements
- None
To specify an identity for an application pool
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.
User Interface
To use the UI
Open IIS Manager. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
In the Connections pane, expand the server node and click Application Pools.
On the Application Pools page, select the application pool for which you want to specify an identity, and then click Advanced Settings in the Actions pane.
For the Identity property, click the ... button to open the Application Pool Identity dialog box.
If you want to use a built-in account, select the Built-in account option and select an account from the list.
If you want to use a custom identity, select the Custom account option and click Set to open the Set Credentials dialog box. Then type the custom account name in the User name text box, type a password in the Password text box, retype the password in the Confirm password text box, and then click OK.
Click OK to dismiss the Application Pool Identity dialog box.
Command Line
To specify the account identity for an application pool to use, use the following syntax:
appcmd set config /section:applicationPools /[name='string'].processModel.identityType:SpecificUser|NetworkService|LocalService|LocalSystem
The variable string is the name of the application pool that you want to configure. For example, to change the identity type from Network Service to Local Service for an application pool named Marketing, type the following at the command prompt, and then press ENTER:
appcmd set config /section:applicationPools /[name='Marketing'].processModel.identityType:LocalService
To configure an application pool to use a custom identity, use the following syntax:
**appcmd set config /section:applicationPools /[name='string'].processModel.identityType:SpecificUser|NetworkService|LocalService|LocalSystem /[name='string'].processModel.userName:**string **/[name='string'].processModel.password:**string
The variable name string is the name of the application pool that you want to configure, userName string is the user name of the account that you want the application pool to use, and password string is the password for the account. For example, to configure an application pool named Marketing to use a custom identity with a user name of Marketer and a password of M@dr1d$P, type the following at the command prompt, and then press ENTER:
appcmd set config /section:applicationPools /[name='Marketing'].processModel.identityType:SpecificUser /[name='Marketing'].processModel.userName:Marketer /[name='Marketing'].processModel.password: M@dr1d$P
For more information about Appcmd.exe, see Appcmd.exe (IIS 7).
Configuration
The procedure in this topic affects the following configuration elements:
identityType attribute of the <processModel> element under <add> under <applicationPools>
For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
WMI
Use the following WMI classes, methods, or properties to perform this procedure:
- ApplicationPool.ProcessModel.IdentityType property
For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.