I keep setting up my app pool to use the network service user, but I don't even know why. In IIS7 the default is set to the ApplicationPoolId. There must be a good reason as to why Microsoft changed to this default. So is there a good reason that Umbraco users need to use the network service user?
Yeah, I figured that it would be security related. So, is there any reason not to use the AppPoolIdentity for Umbraco? I don't see any, maybe I should just try it.
I think it's only a permission setting, I'm not sure if Umbraco has a hardcoded network service "connection" in code. So give the right permissions to the AppPoolIdentity and it could work.
Because I have multiple clients hosted on my server, I always make unique "Worker" accounts and assign that to the pool. Even though the risk isn't enormous, sharing the same account over multiple sites / pools still isn't best practice - just like it wasn't during the classic ASP days (good times... so easy to hack a shared hosting environment if they just re-used the IUSR account).
So if I have 2 clients with 3 sites each. I create the following accounts:
Client1.Worker (added to the "IIS_WPG" group, removed from all other groups) Client1.Guest (removed from all groups) Client2.Worker (etc) Client2.Guest (etc)
Then imagine the folder structure for one site is something like the following:
D:\Web\client1site1.com - Client1.Worker is given "Modify" access to this folder and all its children D:\Web\client1site1.com\OtherFolders - whatever other folders are required to support the site, such as logging D:\Web\client1site1.com\Public - the exposed web root for this site. Client1.Guest is given "Read & Execute" permission only to this folder and its children.
The other sites follow the same pattern etc. (Note: The "Web" folder has all permissions removed except Administrators and System, who have complete access).
Then within IIS, each client has their own App Pool. I apply the relevant Worker account to the app pool identity, and the appropriate Guest account to each site's annonymous access account.
Finally (and optionally), I apply SQL Server permissions by giving the Worker account db owner access to the relevent umbraco databases. I then update the connection strings in web.config to use Integrated Security instead of passing the credentials in plain text (I wish the umbraco installer supported this option!).
Why use the network service user?
I keep setting up my app pool to use the network service user, but I don't even know why. In IIS7 the default is set to the ApplicationPoolId. There must be a good reason as to why Microsoft changed to this default. So is there a good reason that Umbraco users need to use the network service user?
This is only since IIS7.5 that AppPoolIdentiy is default.
More info on why this change: http://blogs.msdn.com/b/vijaysk/archive/2009/02/13/goodbye-network-service.aspx
in short: it's for better security
Yeah, I figured that it would be security related. So, is there any reason not to use the AppPoolIdentity for Umbraco? I don't see any, maybe I should just try it.
I think it's only a permission setting, I'm not sure if Umbraco has a hardcoded network service "connection" in code. So give the right permissions to the AppPoolIdentity and it could work.
Hi guys,
Hope the CG headaches have worn off ;-) It's pretty hot in the UK so getting back in to work mode has been hard.
Does the AppPoolIdentity 'user' actually exist though? It would need to be given access to the file store.
I guess you create a new Windows user, run your app pool under that account and give it access to the file store.
This would be like using Network Service but you would have more flexibility about it's permissions
jay
<long post>
Because I have multiple clients hosted on my server, I always make unique "Worker" accounts and assign that to the pool. Even though the risk isn't enormous, sharing the same account over multiple sites / pools still isn't best practice - just like it wasn't during the classic ASP days (good times... so easy to hack a shared hosting environment if they just re-used the IUSR account).
So if I have 2 clients with 3 sites each. I create the following accounts:
Then imagine the folder structure for one site is something like the following:
The other sites follow the same pattern etc. (Note: The "Web" folder has all permissions removed except Administrators and System, who have complete access).
Then within IIS, each client has their own App Pool. I apply the relevant Worker account to the app pool identity, and the appropriate Guest account to each site's annonymous access account.
Finally (and optionally), I apply SQL Server permissions by giving the Worker account db owner access to the relevent umbraco databases. I then update the connection strings in web.config to use Integrated Security instead of passing the credentials in plain text (I wish the umbraco installer supported this option!).
</long post>
is working on a reply...