Under what context does my code run on IIS?

Posted: Aug 28, 2009  1 comments  

Average Rating

Tags
process model
Security

Share this Post

Following up on my last two blogs, we continue to notice that folks have difficulty properly configuring IIS in a secure manner, because they tend to over-open the security of their system, giving privileges to both the "request identity" and the "process identity" that are above what are required for secure and reliable applications. 

Our security guru Nazim wrote a great article on securing IIS here:  http://learn.iis.net/page.aspx/583/securing-content-in-iis-through-file-system-acls 

I thought I would briefly slice some of his content in a different view.  Basically, for each kind of module or content, what privileges should I be giving?  So let's take a brief stab (with great credit to Nazim and the work he did).  The 3 permissions you may need to give to identities for your content are:  Read/List Folder Contents/Execute

If you're running into trouble with this, be sure to use AuthDiag (part of the IIS Diagnostics Toolkit) to understand this further ... http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa-73c9156706e7&displaylang=en 

Here is the breakdown: 

Static files and Scripts (.html, jpg, .php, .asp, .stm)

  • Request identity needs READ & List Folder Contents so that your users can get the content
  • Process identity MAY need READ (but depends on the way the handler works) so that the Script Handler code can open/parse the files

Script Handlers (asp.dll, php.dll) - this is the HTTP module or ISAPI module, not the scripts themselves

  • Process identity needs READ to load the module so that the worker process can load the module

CGI's (.exe or .com files)

  • Request identity needs READ & Execute  (never allow Write and Execute access to the same folder!) so the CGI handler can run the executable
  • Process identity needs READ & List Folder Contents

ISAPI Filters

  • Process identity needs READ so the filter can be loaded by the worker process

ISAPI Extensions

  • Process identity needs READ so the extension can be loaded by the worker process

Native IIS Modules (IIS 7 and above)

  • Process identity needs READ  so the module can be loaded by the worker process

Again, as a reminder, depending on your operating system and process model, the "process identity" is different:  http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx

Dave