microsoft press internet information services iis 70 resource kit part 5 ppsx
302 Part III: Administration, Chapter 10: Managing Applications and Application Pools

■ Customization You can create a new application pool when an application requires different application pool settings. Such a situation arises if you have an old application that must run in the Classic process model, and others must run in Integrated mode. (Integrated mode is discussed in Chapter 11.) In IIS 7.0, the ASP.NET Integration mode and .NET Framework version are configurable at the application pool level. In addition, creating a new application pool allows you to configure a unique set of worker process settings (such as the application pool recycling interval or queue size) that are different from the common application pool. You might also want to isolate an application based on application types. For example, you might want different application pools for ASP and ASP.NET.

Note Although IIS 7.0 supports side-by-side execution of applications using different versions of the .NET Framework, you should understand that different .NET Framework applications require different application pools, because each application pool is assigned to only one .NET Framework run-time version.

Adding a New Application Pool

To use IIS Manager to create a new application pool, expand the IIS computer node in the Connections pane and navigate to the Application Pools node. Right-click the Application Pools node and select Add Application Pool. Alternatively, click Add Application Pool in the Actions pane. The result is shown in Figure 10-4.

Figure 10-4 Adding a new application pool by using IIS Manager.

Note When using IIS Manager to add an application pool, select the Start Application Pool Immediately check box if you want to start the application pool right after creating it. When a request arrives for an application whose application pool is not running, IIS 7.0 returns a 503 HTTP “The service is unavailable” error to the client browser.

After you have created an application pool, you can either create a new application to run in the new application pool or assign the new application pool to an existing application. To assign an application pool to an existing application by using IIS Manager, expand the IIS computer node in the Connections pane and then expand the Site node in the tree listing. Navigate to the desired application and then click Basic Settings in the Actions pane. Click the Select button to choose the new application pool from the list of available application pools, as shown in Figure 10-5.

Figure 10-5 Assigning an application pool to an existing application by using IIS Manager.

Caution Assigning a new application pool to, or changing the application pool for, an application that is running may load the application in the new worker processes for the newly assigned application pool, but application state or variables held in the old worker process are not visible to the new worker process. The application will continue processing existing requests in the old worker process but will not receive any additional requests after the changes are applied and are detected by the original worker process.

Use the following Appcmd syntax to create a new application pool.

appcmd add apppool /name:string /managedPipelineMode:enum /managedRuntimeVersion:string

To set the properties on an existing application pool, use this syntax.

appcmd set apppool ApppoolName /managedPipelineMode:enum /managedRuntimeVersion:string

Table 10-5 describes the parameters for the ADD APPPOOL and SET APPPOOL syntaxes.

Table 10-5 Syntax for Appcmd to Configure Application Pool Properties

Parameter | Description
name | The name of the new application pool. Required to add an application pool.
AppPoolName | The application pool name. Required when editing an existing application pool.
managedRuntimeVersion | Specifies the .NET run-time version for the application pool. Can be “v1.1”, “v2.0”, or “” for no Common Language Runtime (CLR). Future versions of the .NET Framework will support new version strings. The default is “v2.0”.
managedPipelineMode | The ASP.NET integration mode for the application pool. Values are “Classic” or “Integrated”. Default is “Integrated”.


The following command creates a new application pool with the name “Fabrikam Stock”.

appcmd add apppool /name:"Fabrikam Stock"

The output, shown in the following syntax, indicates that a new application pool object has been added to the configuration store.

APPPOOL object "Fabrikam Stock" added

To change the new application pool’s basic settings, such as the process model and the .NET run-time version, use the SET command. The following command reconfigures the newly created “Fabrikam Stock” application pool to run on .NET run-time version 1.1 and changes the process model to Classic ISAPI mode. (The pool name passed to /apppool.name must match the name used when the pool was created, including the space.)

appcmd set apppool /apppool.name:"Fabrikam Stock" /managedRuntimeVersion:"v1.1" /managedPipelineMode:"Classic"

Note To enable support for .NET Framework version 1.1, you need to install the .NET Framework 1.1. By design, when it is installed, a new application pool named ASP.NET 1.1 is created. This new application pool is configured to run in the Classic worker process model with the .NET Framework 1.1 run time. You can learn more about ASP.NET versioning in Chapter 11.

Finally, when the new application pool is ready, you can either create a new application to run on the application pool or assign the application pool to any existing application. For example, the following syntax configures the existing “Stock” application to run in the “Fabrikam Stock” application pool.

appcmd set app "Fabrikam HR/Stock" /applicationPool:"Fabrikam Stock"

Caution When using Appcmd to set the application pool for an application, the command line tool does not verify that the specified application pool exists in the configuration system. If the application pool does not exist, the application will fail to load at run time.

When adding a new application pool, the configuration system creates a new application pool element under the <applicationPools> section in the applicationHost.config file. The element includes the name of the application pool, the worker process model, and the process identity if it is different from the default settings. The following shows the <applicationPools> configuration of the newly created Fabrikam Stock application pool in .NET Framework version 1.1 run time.

<applicationPools>
  <add name="DefaultAppPool" />
  <add name="Classic .NET AppPool" managedPipelineMode="Classic" />
  <add name="ASP.NET 1.1" managedRuntimeVersion="V1.1" managedPipelineMode="Classic" />
  <add name="Fabrikam Stock" managedRuntimeVersion="V1.1" managedPipelineMode="Classic" />
  <applicationPoolDefaults>
    <processModel identityType="NetworkService" />
  </applicationPoolDefaults>
</applicationPools>

When you assign a new application pool to an existing application, the <application> element inside the <site> element is updated by the IIS Web core. For more information, see the section titled “Managing Web Applications” earlier in this chapter.

Managing Application Pool Identities

You can configure the identity under which worker processes in the application pool will run by assigning an account to the application pool. Application pool identity configuration is an important aspect of security in IIS 7.0, because it determines the identity of the worker process when the process is accessing resources. In IIS 5.0, the process runs under the LocalSystem account. That has significant security implications, because the user account has high access privileges. This changed in IIS 6.0 with the introduction of an application pool for which NetworkService is the default application pool identity. In IIS 7.0, the predefined worker process identities are the same as for IIS 6.0. Table 10-6 lists the built-in application pool identities in IIS 7.0.

On top of built-in accounts, you can create a custom user account to run the worker process in the context of the custom user account. Chapter 14 covers this in detail. You will learn more about configuring a custom account as the application pool identity in the section titled “Configuring Application Pool Identity” later in this chapter.

Table 10-6 Built-In Application Pool Identities

Identity | Description
LocalSystem | LocalSystem is a built-in account that has administrative privileges on the server. It can access both local and remote resources. The account technically has access privileges similar to the system administrator account with unrestricted access to local resources. Application pools should never be assigned this identity. (If an application requires this identity, it indicates that the application is poorly designed, and you should strongly consider changing the application so that it does not require administrative privileges.)
LocalService | The LocalService account is a special built-in account that has reduced privileges similar to an authenticated local user account. It does not have network access privileges.
NetworkService | NetworkService is a built-in account that has reduced privileges similar to an authenticated local user account. It can access remote resources as the machine account. This is the default account that IIS application pools use, and it has limited access to resources on local and remote computers.


Security Account Changes in IIS 7.0

In IIS 7.0, the anonymous user account (IUSR_computername) and the IIS_WPG user group have been removed and replaced by system built-in accounts rather than normal user and group accounts. Using a built-in predefined user Security Identifier (SID) ensures that the same common accounts exist on every remote IIS 7.0 computer. The built-in account initiative also eliminates the need to manage issues with user credentials, such as password expiration. The following built-in accounts are created during IIS 7.0 installation:

■ IUSR The default user account for anonymous identity; replaces the IUSR_computername account

■ IIS_IUSRS New built-in user group; replaces the IIS_WPG user group

Note IUSR_computername is created if the FTP Publishing Service (the legacy IIS 6.0 FTP) role service is installed in Windows Server 2008.

On top of the security user and user group account changes, IIS 7.0 introduces two additional enhancements related to application pool identity:

■ Application Pool Identity as Anonymous Account Designate the application pool identity as the anonymous user account. (Simply set the userName in the anonymousAuthentication configuration section to be blank. To learn about this new feature, see Chapter 14.) The main advantage of configuring the application pool identity as the anonymous user is that you do not have to manage security for a separate account.

■ Automatic IIS_IUSRS Membership In IIS 6.0, when you configure a custom application pool identity, the custom account must be a member of IIS_WPG, because this user group has preconfigured access permissions and rights to start the worker process. Similar access permissions and rights have been granted to the IIS_IUSRS user group in IIS 7.0. However, the custom account does not need to be explicitly added to the IIS_IUSRS group, because this is done implicitly by IIS 7.0. (The application pool identity is not actually added to the IIS_IUSRS group. The group SID is injected into the worker process token at run time, so it acts as a member of IIS_IUSRS. No changes to the local user database or Microsoft Active Directory directory service domain group membership are made.)

To revert to IIS 6.0 behavior, you can configure manual IIS_IUSRS group membership. This setting is per application pool, meaning that for an application pool with manual group membership, you will need to explicitly add the custom account to the IIS_IUSRS group. The following Appcmd syntax configures DefaultAppPool for manual IIS_IUSRS group membership.

appcmd set apppool "DefaultAppPool" /processModel.manualGroupMembership:True


Direct from the Source: Using Application Pools to Sandbox Applications

The application pool is the fundamental unit of isolation for IIS applications, because it sandboxes the application code in a separate IIS worker process and allows sandboxing external access from resources within the process by applying access control lists (ACLs) to the application pool identity as well as granting or denying access to the application pool identity. Using application pools makes it possible to achieve a more thorough level of isolation between applications on the same server than is possible with any other technique, including impersonation or ASP.NET partial trust sandboxing.

IIS 7.0 goes further, enabling the application pool to be effectively used for isolation scenarios. It does this by automatically providing a unique account security identifier (SID) for each application pool so that the SID can be used in securing the resources with ACLs for that application pool. Windows Process Activation Service (also known as WAS) automatically creates this SID and therefore does not require you to create and use custom application pool identities. Moreover, IIS 7.0 also automatically isolates the global server configuration by generating a filtered copy of the applicationHost.config configuration file for each application pool that contains only the configuration applicable to the application pool and does not retain configuration for other application pools such as their application pool definitions and identity information. Combined with the increased worker process density, these improvements make it easier than before to create truly sandboxed application environments through the use of application pools.

Mike Volodarsky

IIS Core Program Manager

Configuring Application Pool Identity

Although NetworkService is an account with reduced access privileges, you might change the worker process identity due to your business needs. For example, a security application might require access to system resources for which NetworkService does not have the necessary permissions. In this case, you can run the worker process from a custom account with the necessary access rights. Chapter 14 discusses managing application pool identity with respect to security.

To use IIS Manager to configure application pool identity, expand the IIS computer node in the Connections pane and navigate to the Application Pools node. In the Application Pools display pane, select the application pool for which you want to change the identity account. Then click Advanced Settings in the Actions pane. In the Process Model section of the Advanced Settings dialog box, select the Identity property and then click the browse button (…) to display the Application Pool Identity dialog box, shown in Figure 10-6.


Figure 10-6 Configuring application pool identity by using IIS Manager.

Caution When changing the application pool identity, IIS 7.0 shuts down the current worker process if it is running and initiates a new worker process with the selected user identity. This impacts the availability of the application, and session details are lost during the application pool changes.

Use the following Appcmd syntax and the parameters shown in Table 10-7 to configure application pool identity.

appcmd set apppool ApppoolName /processModel.identityType:enum /processModel.userName:string /processModel.password:string

The following example changes the default worker process identity from NetworkService to LocalService for the “Fabrikam Stock” application pool.

appcmd set apppool "Fabrikam Stock" /processModel.identityType:LocalService

The identityType enumeration is case sensitive inside the configuration store. If you enter the correct value, Appcmd executes the command successfully and returns output like this.

APPPOOL object "Fabrikam Stock" changed

If you enter an incorrect value, you will see the following error message.

ERROR ( message:Unknown attribute "identityType".. Reason: Enum must be one of LocalSystem, LocalService, NetworkService, SpecificUser. )

Table 10-7 Syntax for Appcmd to Configure Application Pool Identity

Parameter | Description
ApppoolName | This string represents the application pool name.
processModel.identityType | The identity type represents either a built-in account (LocalService, LocalSystem, or NetworkService) or a custom account (SpecificUser) for the application pool.
processModel.userName | The user account name for the custom application pool identity.
processModel.password | The user account password for the custom application pool identity.


To configure a custom application worker process identity, enter SpecificUser as the identityType attribute value. Then specify the user credentials by using the userName and password properties.

appcmd set apppool /apppool.name:"Fabrikam Stock" /processModel.identityType:SpecificUser /processModel.userName:"MyAppUsr" /processModel.password:"passw@rd1"

The preceding example configures the MyAppUsr user account as the Fabrikam Stock application pool identity and specifies the account password as passw@rd1.

IIS updates changes in application pool identity in the <applicationPools> section in the applicationHost.config file. The element value includes the name of the application pool, the worker process model, and the process identity, if it is different from the default settings. The following shows the <applicationPools> configuration of the custom worker process identity configured for the Fabrikam Stock application pool.

<applicationPools>
  ...
  <add name="Fabrikam Stock" managedRuntimeVersion="V1.1" managedPipelineMode="Classic">
    <processModel identityType="SpecificUser" userName="MyAppUsr" password="[enc:AesProvider:oGSyoej3RKswi3gsrYarpbMQrx0rVIY6nFHkPmjQAhE=:enc]" />
  </add>
  ...
</applicationPools>
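As an added illustration, not code from the Resource Kit or from IIS itself, the following Python script audits an applicationHost.config fragment against two points this chapter makes: Appcmd does not verify that an assigned application pool exists, and each pool's identity (and, for SpecificUser, its stored password in the [enc:...:enc] form) lives under <applicationPools>, inheriting from <applicationPoolDefaults> when the pool has no <processModel> of its own. The configuration it parses is constructed here; the LegacyAdminPool, ReportsPool and "Fabrikam Reports" entries are hypothetical and exist only to trigger the findings.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment in the shape the chapter shows; the
# LegacyAdminPool, ReportsPool and "Fabrikam Reports" entries are hypothetical.
SAMPLE_CONFIG = """<configuration><system.applicationHost>
  <applicationPools>
    <add name="DefaultAppPool" />
    <add name="Fabrikam Stock" managedRuntimeVersion="V1.1" managedPipelineMode="Classic">
      <processModel identityType="SpecificUser" userName="MyAppUsr" password="[enc:AesProvider:AAAA:enc]" />
    </add>
    <add name="LegacyAdminPool">
      <processModel identityType="LocalSystem" />
    </add>
    <add name="ReportsPool">
      <processModel identityType="SpecificUser" userName="RptUsr" password="plain" />
    </add>
    <applicationPoolDefaults>
      <processModel identityType="NetworkService" />
    </applicationPoolDefaults>
  </applicationPools>
  <sites>
    <site name="Fabrikam HR">
      <application path="/" applicationPool="DefaultAppPool" />
      <application path="/Stock" applicationPool="Fabrikam Stock" />
      <application path="/Reports" applicationPool="Fabrikam Reports" />
    </site>
  </sites>
</system.applicationHost></configuration>"""


def audit_app_pools(config_xml):
    """Return (effective identity per pool, list of (object, finding) pairs)."""
    root = ET.fromstring(config_xml)
    pools = root.find(".//applicationPools")
    # A pool with no <processModel> inherits <applicationPoolDefaults>; NetworkService is the shipped default.
    default_identity = "NetworkService"
    defaults = pools.find("applicationPoolDefaults/processModel")
    if defaults is not None:
        default_identity = defaults.get("identityType", default_identity)
    identities, findings = {}, []
    for pool in pools.findall("add"):
        name = pool.get("name")
        pm = pool.find("processModel")
        identity = default_identity if pm is None else pm.get("identityType", default_identity)
        identities[name] = identity
        if identity == "LocalSystem":
            findings.append((name, "runs as LocalSystem; never assign this identity to a pool"))
        elif identity == "SpecificUser":
            # IIS stores the password as [enc:<provider>:<ciphertext>:enc]; any other
            # form is a clear-text credential sitting in applicationHost.config.
            pw = "" if pm is None else pm.get("password", "")
            if not (pw.startswith("[enc:") and pw.endswith(":enc]")):
                findings.append((name, "SpecificUser password is not stored encrypted"))
    # appcmd set app /applicationPool does not check that the pool exists; catch dangling references here.
    for site in root.iter("site"):
        for app in site.findall("application"):
            target = app.get("applicationPool")
            if target is not None and target not in identities:
                findings.append((site.get("name") + app.get("path"),
                                 f"references undefined application pool '{target}'"))
    return identities, findings
```

Run it against a copy of a real applicationHost.config by passing the file contents to audit_app_pools; every pool that resolves to LocalSystem, every clear-text SpecificUser password, and every application bound to a pool that is not defined is returned as a finding.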

Advanced Application Pool Configuration

Though IIS 7.0 application pool configuration is similar to IIS 6.0, the configuration UI has been reorganized together with the new IIS Manager. All settings are now visible and configurable in the UI. Most configuration settings are the same as in IIS 6.0, such as application pool recycling options and rapid-fail protection. This section discusses some key configurations that are new to IIS 7.0.

Enabling User Profile Loading

A typical Web application includes both reading and writing data in the application logic, and typically Web applications require read and write access to the Windows temporary directory, %Temp%. Consider, for example, an ASP application that uses a Microsoft Access database. In IIS 6.0, by design, the operating system grants read and write access to the temporary directory to all users, including the worker process account, regardless of the process identity. Although this default behavior in IIS 6.0 enables Web applications to run without any issues, it has security implications, because all worker processes share the same temporary directory.

To better address the security risk, IIS 7.0 gives you the ability to load the user account profile during worker process startup. This provides a separate environment with different temporary folders for each process identity. However, by default, the temporary directory of
