IIS 7 and Above
IIS 7.5 Application Pool idenity account and windows folders
Last post Nov 01, 2010 02:29 PM by Rovastar
Oct 29, 2010 07:36 PM|Milind Panditrao|LINK
I have a problem. My application (ASP.NET) writes certain files in folders on my servers. In IIS 6.0 I used to give write access to IUSR account so that IIS can write to the folder. Now what I see is my application pool runs under App Pool Identity account.
That is good but users are able to create files in the folders without App Pool Identity user being given specific permission to do so.
Has anybody come across the issue?
Oct 30, 2010 12:22 PM|steve schofield|LINK
Have you adjusted the permissions to allow the USERS group to have write perms. By default the USERS group has read / execute, but not modify.
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
Oct 30, 2010 11:53 PM|Tad Marshall|LINK
On my Windows 7 (Ultimate, x64) machine, "Authenticated Users" have rights to modify C:\ and other drive root folders (I didn't set this, it must be the default) so if "IIS APPPOOL\DefaultAppPool" or similar (i.e. ApplicationPoolIdentity) is considered part
of "Authenticated Users" then IIS apps are free to create folders (almost) anywhere they want. This seems bad to me ...
Oct 31, 2010 02:49 AM|steve schofield|LINK
Yup your right, my win 7 x64 box has the same perms. Is your machine part of a domain?
Oct 31, 2010 11:24 AM|Tad Marshall|LINK
No, not part of a domain. Clean install of Windows 7 on new hardware, home machine, up-to-date with Windows Update. I don't understand why "Authenticated Users" seems to have more privileges than "Users".
6:36:54.14 C:\Users\Tad> icacls c:\
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
Successfully processed 1 files; Failed processing 0 files
So, Authenticated Users have (M) and (AD) permissions that Users don't. Seems odd to me.
But, it seems that DefaultAppPool is NOT getting the Authenticated Users privileges, because looking at Effective Permissions in Explorer for IIS APPPOOL\DefaultAppPool shows no checkmarks for C:\. So, this wouldn't explain the original poster's problem.
Nov 01, 2010 02:29 PM|Rovastar|LINK
This looks to me like an asp.net trust level permissions issue.
With full trust your asp.net you can write data anywhere your code says.
Ask on the sister site to here: http://forums.asp.net