Understanding IUSR_<machine> account

Namely how is setting read/write permission for this account different from giving read/write access in the IIS (Windows 2003, so it should be IIS6 if I am not mistaken).

Here is the issue: It looks like we had a security sweep and as a part of that IUSR account lost write access everywhere. A whole bunch of legacy ASP sites didn't like that at all...

My very surface-level understanding is that it is enough to deny write access in the IIS console to protect a website from someone just dropping random files into it, and IUSR access only has effect on the application scripts running server side, and thus can be safely given write access back.

edit:

The applications in question obviously require write access to their own web folders, otherwise this wouldn't be an issue at all. Question is how to configure IIS/application to both satisfy security and make them work. My first instinct was to change the account which is used to run the app pool. However, that is already set to NETWORK_SERVICE, and that guy already has full access to the folders in question.


Solution 1:

Most people have a hard time understanding the difference between IIS' anonymous user (IUSR_...) and the account used to execute binaries (the application pool account).

The IUSR account is used when the user isn't authenticated on the server, which is - for "normal" websites - the default use case. For intranet sites you could disable anonymous access to the IIS server and let users (automatically) submit their network/domain credentials.

The anonymous account's permissions on files and folders determine which resources (files) the normal web user can access on that server. Normally all (static) files are read-only and you don't allow listing of the folder content.

The application pool identity (e.g. the Network Service account) is something different. It's the account that executes your scripts or assemblies, the process identity. For example, if your application wants to write to a certain folder (e.g. C:\temp) that account must have the filesystem permission to modify files in that folder.

Here are some links for additional information:

  • Understanding Built-In User and Group Accounts in IIS 7 (learn.iis.net)
  • What are the IUSR and IWAM accounts for in IIS? (Serverfault)
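An added example (not part of the answer above) that applies this split in PowerShell: it audits a site tree for Allow ACEs that give the anonymous IUSR_<machine> account any write right, then grants the application pool identity Modify on only the one subfolder the ASP pages actually write to. The paths and the NETWORK SERVICE identity are assumptions; adjust them to the site.

```powershell
# Added example, not from the original answer. Uses .NET 2.0 ACL classes, so it
# runs on Windows 2003 with PowerShell installed. Paths below are placeholders.
$SiteRoot         = 'D:\Sites\LegacyAsp'            # assumed site root
$WritableFolder   = 'D:\Sites\LegacyAsp\uploads'    # assumed folder the ASP app writes to
$AnonymousAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
$AppPoolIdentity  = 'NT AUTHORITY\NETWORK SERVICE'  # app pool identity from the question

# Report every folder under $Root where $Account holds an explicit or inherited
# Allow ACE containing write bits (Write is a subset of Modify and FullControl,
# so those are caught too). The anonymous account should only hold read rights.
function Find-AnonymousWriteAces {
    param([string]$Root, [string]$Account)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    $dirs = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse -Force | Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -ieq $Account -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                "{0}: {1} (inherited={2})" -f $dir.FullName, $ace.FileSystemRights, $ace.IsInherited
            }
        }
    }
}

# Give the process identity Modify on one folder (and everything created
# beneath it) instead of handing write access to the anonymous web user.
function Grant-AppPoolModify {
    param([string]$Folder, [string]$Identity)
    $acl  = Get-Acl -Path $Folder
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

"Folders where $AnonymousAccount can write:"
Find-AnonymousWriteAces -Root $SiteRoot -Account $AnonymousAccount
Grant-AppPoolModify -Folder $WritableFolder -Identity $AppPoolIdentity
```

Run it from an elevated prompt on the web server; any folder listed by the audit is one where the IIS console "Write" setting and the NTFS ACL disagree and the ACL should be tightened to read-only for the anonymous account.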