0

So I know that variations on this question have been asked tons of times, but I'm still confused so I'm hoping to ask as simply as I can and hopefully you'll be able to answer as simply as you can.

In IIS 7.5, I have a website that runs under an application pool identity of "NetworkService". The anonymous user always runs as IUSR.

When an anonymous user opens my web page and tries to trigger an action that will write information to a file, is it NetworkService that needs write permission on the folder or is it IUSR?

It's tricky to understand as, logically, if the application is running as NetworkService and the application is trying to write the file, then the application account should be the one with the permissions. However, this would seem to make the user identity redundant. So does my application authenticate as the user or as the application?

Ambulare
  • 141

1 Answer

1

This depends on whether you're using ASP.NET with impersonation or not (either ASP.NET without impersonation or no ASP.NET at all).
Impersonation causes the .NET code to be executed with the visiting user's security context (if they're anonymous, IUSR; if not, their own account). It's a security issue and has little use, but a lot of less experienced developers/admins enable it because it seems to magically solve "access denied" issues.

If you don't have impersonation enabled (good for you!) the security context is the one of the application pool.

If you don't believe me, you can choose a file and change its permissions to allow writes/modifications by a single user (e.g. IUSR), and see if your site can modify it now.

Nitz
  • 1,078
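An added example, not part of the original question or answer: a PowerShell check that applies the rule from the answer above to one site and reports which account performs the write for an anonymous request, and whether that account has an explicit write entry on the folder. The site name and folder path are placeholder assumptions, and the ACL check matches direct entries only.

```powershell
# Added example. $siteName and $folder are placeholders (assumptions), not from the post.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$folder   = 'C:\inetpub\wwwroot\App_Data'
$sitePath = "IIS:\Sites\$siteName"

# Get-WebConfigurationProperty can return a raw value or an object with a .Value property.
function Get-ConfigValue($filter, $name) {
    $p = Get-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name $name
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

# 1. Process identity of the site's application pool.
$poolName = (Get-Item $sitePath).applicationPool
$pm = (Get-Item "IIS:\AppPools\$poolName").processModel
$poolAccount = switch ("$($pm.identityType)") {
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'ApplicationPoolIdentity' { "IIS APPPOOL\$poolName" }
    default                   { $pm.userName }   # SpecificUser
}

# 2. ASP.NET impersonation setting and the configured anonymous account.
$impersonate = "$(Get-ConfigValue 'system.web/identity' 'impersonate')" -eq 'True'
$anonUser    = Get-ConfigValue 'system.webServer/security/authentication/anonymousAuthentication' 'userName'

# 3. Account that performs the write for an anonymous request.
#    An empty anonymous userName means anonymous requests use the pool identity.
$writer = $poolAccount
if ($impersonate -and $anonUser) {
    $writer = if ($anonUser -eq 'IUSR') { 'NT AUTHORITY\IUSR' } else { $anonUser }
}

# 4. Explicit Allow entries that grant write on the folder to that account.
#    Direct match only: rights granted through group membership are not resolved.
$write = [System.Security.AccessControl.FileSystemRights]::Write
$aces = (Get-Acl $folder).Access | Where-Object {
    $_.IdentityReference.Value -eq $writer -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write) -eq $write
}

New-Object PSObject -Property @{
    AppPool = $poolName; Impersonation = $impersonate
    WritingAccount = $writer; HasExplicitWriteAce = [bool]$aces
}
```

Run it from an elevated prompt on the IIS server. It covers anonymous requests only; with impersonation enabled, authenticated visitors write as their own accounts.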