Should I impersonate PHP via FastCGI?

I am installing the latest version of PHP onto IIS 7.5 via FastCGI, and all of the instructions say that FastCGI should impersonate the calling client by setting

 fastcgi.impersonate = 1

If my website will have this configuration

  • dedicated application pool
  • application pool identity of ApplicationPoolIdentity
  • anonymous authentication only (as IUSR)

why do I want to impersonate?

I come from an ASP.NET background, where the IUSR gets read-only permissions and the application pool identity gets any write permissions. Giving write access to the IUSR usually opens the door for WebDAV vulnerabilities. So I hesitate to let PHP run as the IUSR.

I can't find many people asking this question (1 | 2) so I think I must be missing something. Can someone clarify this for me?


Solution 1:

13 months later, I wanted to revisit my own question. In that time I have transferred a half dozen websites from IIS 6 to IIS 7.5 and configured them with my preferred method. All I can say is that the websites work, they haven't had any security issues (not that these are popular sites), and in my opinion the setup is more secure than what learn.iis.net recommends.

For posterity, here are the relevant settings. In the PHP INI:

cgi.force_redirect = 0
cgi.fix_pathinfo = 1
fastcgi.impersonate = 0

In IIS:

  • Application Pool > Identity > ApplicationPoolIdentity
  • Website > Authentication > Anonymous Authentication > Specific User: IUSR

The NTFS permissions and where to apply them:

  • IUSR - Grant Read, Deny Write
    • The root directory of the IIS website. For example, in a Zend Framework project this would be the /public directory.
    • If your application uploads files and saves them in a public directory, you need to apply this permission to the temporary upload directory. This is because move_uploaded_file will preserve the permissions of the upload directory. This is the biggest drawback of this permissions setup that I've found.
  • ApplicationPoolIdentity (IIS AppPool\<<YourApplicationPoolName>>) - Grant Read & List
    • The root of your PHP application. For example, in a Zend Framework project this would be the entire project.
    • Any external libraries (Zend, Doctrine, etc.) included by your application that are not in the application folder.
  • ApplicationPoolIdentity - Grant Modify
    • Any location where your application will write such as upload_tmp_dir, session.save_path, and error_log.
    • Sometimes I need to add this permission to the root of the PHP application in my development environment to support things like Doctrine's auto-generation of proxies.
  • ApplicationPoolIdentity - Grant List
    • If your application is in a virtual directory, you will need to add this permission to the root of the website. This allows your application to read its parent web.config. For example, if your application root is http://example.com/MyPHPApp, set this permission on the example.com web directory. Specifically you only need to apply to "This folder and files", "within this container only".

I hope this helps anyone else who decides that the learn.iis.net instructions are not ideal.
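The permission layout above, scripted so it can be applied and then checked, as an added example that is not part of the original answer. It uses icacls and Get-Acl, which ship with Windows; the application pool name, the directory paths, the writable data directories and the php.ini location are assumptions and must be adjusted to the site in question.

```powershell
# Added example (not from the answer): apply the NTFS layout from Solution 1 with
# icacls, then verify it with Get-Acl. All names and paths below are assumptions.
$ErrorActionPreference = 'Stop'

$PoolName = 'MyPhpSite'                          # assumed application pool name
$AppPool  = "IIS AppPool\$PoolName"              # virtual identity IIS creates for the pool
$AppRoot  = 'C:\inetpub\sites\example.com'       # assumed PHP project root (Zend: whole project)
$WebRoot  = Join-Path $AppRoot 'public'          # assumed IIS website root (Zend: /public)
$UploadTmp = Join-Path $AppRoot 'data\uploads_tmp'   # assumed upload_tmp_dir
$Writable = @($UploadTmp,
              (Join-Path $AppRoot 'data\sessions'),  # assumed session.save_path
              (Join-Path $AppRoot 'data\logs'))      # assumed error_log location
$PhpIni   = 'C:\Program Files\PHP\php.ini'       # assumed php.ini location

foreach ($dir in $Writable) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# 1. IUSR: read on the website root, explicit deny on write ("Grant Read, Deny Write").
#    The answer notes move_uploaded_file keeps the upload directory's permissions, so the
#    same IUSR entries go on upload_tmp_dir when uploads end up in a public directory.
#    (OI)(CI) = inherit to files and subfolders; RX = read & execute; W = write.
foreach ($dir in @($WebRoot, $UploadTmp)) {
    icacls $dir /grant "IUSR:(OI)(CI)(RX)" | Out-Null
    icacls $dir /deny  "IUSR:(OI)(CI)(W)"  | Out-Null
}

# 2. Application pool identity: Read & List over the whole application tree.
icacls $AppRoot /grant "${AppPool}:(OI)(CI)(RX)" | Out-Null

# 3. Application pool identity: Modify only where PHP actually has to write.
foreach ($dir in $Writable) {
    icacls $dir /grant "${AppPool}:(OI)(CI)(M)" | Out-Null
}

# 4. Verify: no Allow entry gives IUSR any write-class right on the website root.
function Test-NoWriteForIusr([string]$Path) {
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    $acl = Get-Acl -Path $Path
    $offending = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\IUSR' -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.FileSystemRights -band $writeMask)) -ne 0
    }
    return ($null -eq $offending)
}
if (Test-NoWriteForIusr $WebRoot) { "OK: IUSR holds no write right on $WebRoot" }
else { Write-Warning "IUSR still holds a write right on $WebRoot" }

# 5. Confirm php.ini matches the answer: impersonation off, so PHP runs as the pool identity.
$setting = Select-String -Path $PhpIni -Pattern '^\s*fastcgi\.impersonate\s*=\s*(\d)' |
           Select-Object -Last 1
if ($setting -and $setting.Matches[0].Groups[1].Value -eq '0') { 'OK: fastcgi.impersonate = 0' }
else { Write-Warning "fastcgi.impersonate is not 0 in $PhpIni" }
```

Run it from an elevated PowerShell prompt after the site and pool exist, because the IIS AppPool\<name> identity can only be resolved once the pool has been created. The explicit deny on write for IUSR is what makes the check in step 4 meaningful: with impersonation off, a request that reaches PHP runs as the pool identity, and the website root stays read-only for the anonymous account even if a broader Allow is inherited from a parent folder later on.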

Solution 2:

See: http://www.php.net/manual/en/install.windows.iis6.php

Impersonation and file system access

It is recommended to enable FastCGI impersonation in PHP when using IIS. This is controlled by the fastcgi.impersonate directive in php.ini file. When impersonation is enabled, PHP will perform all the file system operations on behalf of the user account that has been determined by IIS authentication.

Per documentation, it simply permits fastcgi to act on behalf of the client using all same permissions (in your case to be what looks like the IUSR account). In other words, to perform all actions normally allowed to the client's (or anon's) own credentials. No more, no less. Without this set, I imagine poor fastcgi would be left crippled.