What are Default identities in IIS

In IIS (Internet Information Services), default identities are used to specify the security context under which application pools and websites run. The default identities determine the permissions and privileges that the worker processes (w3wp.exe) associated with application pools have when interacting with system resources. Here are the common default identities in IIS:
1. ApplicationPoolIdentity: This is the recommended and default identity for application pools in recent versions of IIS. When an application pool is configured to use the "ApplicationPoolIdentity" identity, it runs under a unique security context backed by a virtual account named after the pool (IIS AppPool\<pool name>). The ApplicationPoolIdentity is a low-privileged account with restricted permissions, providing better isolation between pools and better security.

2. LocalSystem: In older versions of IIS or if specifically configured, an application pool can use the "LocalSystem" identity. The LocalSystem account has extensive privileges on the local machine, making it a powerful but less secure option. Running an application pool under the LocalSystem account can have security implications, as any vulnerabilities in the application pool's code can potentially have wide-ranging effects.

3. LocalService: The "LocalService" identity is another default option for application pools. It is a built-in account with fewer privileges than LocalSystem but more than the NetworkService account. When LocalService accesses network resources it presents anonymous credentials.

4. NetworkService: The "NetworkService" identity is commonly used in IIS. It has limited permissions compared to LocalSystem and is considered more secure. NetworkService accesses network resources using the computer's domain account credentials.

5. Custom Account: Instead of using a default identity, it is also possible to specify a custom identity for an application pool. This allows you to use a specific Windows user account or a managed service account to run the application pool. Using a custom account can provide more flexibility but requires appropriate management and maintenance of the account's credentials.

It's important to choose the appropriate default identity or custom account based on the security and functionality requirements of your applications. The ApplicationPoolIdentity is generally recommended due to its increased isolation and security compared to using system-level accounts like LocalSystem.
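As an added example (not part of the original post), the following PowerShell script audits every application pool on a server, flags the identity it runs under using the categories above, and shows how a pool is moved to ApplicationPoolIdentity with its virtual account granted only read/execute on the content folder. It assumes the WebAdministration module is available and an elevated session; the pool name and content path in the commented call are hypothetical.

```powershell
# Audit IIS application pool identities and optionally harden them.
# Requires the WebAdministration module (IIS 7.5+) in an elevated PowerShell session.
Import-Module WebAdministration

# identityType values IIS exposes, mapped to the identities described in the post.
$riskNotes = @{
    'LocalSystem'             = 'HIGH: full local privileges; move to ApplicationPoolIdentity'
    'LocalService'            = 'REVIEW: shared built-in account, no per-pool isolation'
    'NetworkService'          = 'REVIEW: shared built-in account, no per-pool isolation'
    'ApplicationPoolIdentity' = 'OK: per-pool virtual account (IIS AppPool\<pool name>)'
    'SpecificUser'            = 'REVIEW: custom account; confirm least privilege and credential rotation'
}

function Get-AppPoolIdentityReport {
    # One row per application pool: name, identity type, user name for custom accounts, risk note.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $type = [string]$_.processModel.identityType
        $user = ''
        if ($type -eq 'SpecificUser') { $user = $_.processModel.userName }
        [pscustomobject]@{
            Pool     = $_.Name
            Identity = $type
            UserName = $user
            Note     = $riskNotes[$type]
        }
    }
}

function Set-AppPoolToVirtualAccount {
    # Switch one pool to ApplicationPoolIdentity and grant its virtual account
    # read/execute on the content folder, which is normally the only ACL it needs.
    param([string]$PoolName, [string]$ContentPath)
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{ identityType = 'ApplicationPoolIdentity' }
    # In ACLs the virtual account is addressed as "IIS AppPool\<pool name>".
    icacls $ContentPath /grant "IIS AppPool\${PoolName}:(OI)(CI)RX" | Out-Null
    Restart-WebAppPool -Name $PoolName
}

Get-AppPoolIdentityReport | Format-Table -AutoSize

# Hypothetical remediation call (pool name and path are assumptions, not from the post):
# Set-AppPoolToVirtualAccount -PoolName 'OrdersAppPool' -ContentPath 'C:\inetpub\wwwroot\orders'
```

Run the report first; any pool listed as LocalSystem is the one to fix before anything else.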
