Recently, I was handed a project that requires I follow a few steps that I'm not quite used to. Generally, when setting sites up on a Windows Server with IIS, I would just install IIS, let it do its thing, and go from there... this set up is a bit different, however.
- Windows Server 2012
- IIS 8.0
- .NET 4.5 WebAPI 2 Application
- Application must be installed into a "Private Applications" folder. This folder has very limited permissions and just about any permission necessary has to be added exclusively.
- Application must run on IIS as an application underneath the Default Web Site, using an AppPool as an application-specific domain user: "DOMAIN\AppUser"
- After the initial installation of the application, IIS begins to throw 401.3 Errors. A trace has revealed that this is caused specifically by "NT AUTHORITY\IUSRS" not having access to the application folders (even though the apppool is being told to run under "DOMAIN\AppUser").
Of course, the first thing I tried was adding "NT AUTHORITY\IUSRS" to the folder with permissions to Read/Execute/List. This got everything to work! Unfortunately, this concerned me. If the architects are so concerned about security that they would make it a requirement that we install in-house applications into this "Private Applications" folder, wouldn't granting access to something so broad be a security concern, too? So, I decided to look into more options. I eventually found out about Physical Path Credentials within IIS. I set those credentials to match the credentials of the AppPool user (who already has access inherited down to that folder) and that worked, too!
- Grant IUSRS permissions on the directory. Call it a day.
- or -
- Set the Physical Path Credentials to match the AppPool Credentials.
- Can anyone tell me why one of the possible solutions (listed above) would be better than the other if the effort is to keep the server and its directories as secure as possible?
- Am I just being paranoid in my concern about IUSRS being a broad, blind granting of permissions?
- Does any of these options come with repercussions I'm not aware of (assuming I'm an idiot)?