Should I use IUSRS or Physical Path Credentials?

Question

Recently, I was handed a project that requires I follow a few steps that I'm not quite used to. Generally, when setting sites up on a Windows Server with IIS, I would just install IIS, let it do its thing, and go from there... this set up is a bit different, however.

Environment Info:

  • Windows Server 2012
  • IIS 8.0
  • .NET 4.5 WebAPI 2 Application

Requirements:

  • Application must be installed into a "Private Applications" folder. This folder has very limited permissions and just about any permission necessary has to be added exclusively.
  • Application must run on IIS as an application underneath the Default Web Site, using an AppPool as an application-specific domain user: "DOMAIN\AppUser"

Problems:

  • After the initial installation of the application, IIS begins to throw 401.3 Errors. A trace has revealed that this is caused specifically by "NT AUTHORITY\IUSRS" not having access to the application folders (even though the apppool is being told to run under "DOMAIN\AppUser").

Discovery:

Of course, the first thing I tried was adding "NT AUTHORITY\IUSRS" to the folder with permissions to Read/Execute/List. This got everything to work! Unfortunately, this concerned me. If the architects are so concerned about security that they would make it a requirement that we install in-house applications into this "Private Applications" folder, wouldn't granting access to something so broad be a security concern, too? So, I decided to look into more options. I eventually found out about Physical Path Credentials within IIS. I set those credentials to match the credentials of the AppPool user (who already has access inherited down to that folder) and that worked, too!

Possible Solutions:

  1. Grant IUSRS permissions on the directory. Call it a day.

- or -

  1. Set the Physical Path Credentials to match the AppPool Credentials.

Question(s):

  • Can anyone tell me why one of the possible solutions (listed above) would be better than the other if the effort is to keep the server and its directories as secure as possible?
  • Am I just being paranoid in my concern about IUSRS being a broad, blind granting of permissions?
  • Does any of these options come with repercussions I'm not aware of (assuming I'm an idiot)?

Show source
| security   | .net   | iis   | asp.net-web-api2   | iis-8   2017-01-06 17:01 1 Answers

Answers ( 1 )

  1. 2017-01-06 22:01

    You can grant access to the folder using the IIS app pool you setup. When you set the security on the folder change the search location from the entire network to local computer and search for 'iis apppool\defaultapppool' and change defaultapppool to whatever your app pool name is in IIS. You app pool should only need read, folder list, and execute. Also, you may need to go to the anonymous authentication in IIS and click edit and change that to pass through using app pool credentials and not anonymous. If you don't change that, it will still use IUSRS for anonymous requests.

◀ Go back