DOCUMENT:Q319067 25-JUL-2002 [iis] TITLE :HOW TO: Run Applications Not in the Context of the System Accoun PRODUCT :Internet Information Server PROD/VER::4.0,5.0 OPER/SYS: KEYWORDS:kbHOWTOmaster ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server version 4.0 - Microsoft Internet Information Services version 5.0 - Microsoft Internet Information Services version 5.1 ------------------------------------------------------------------------------- IN THIS TASK ------------ - SUMMARY - Default Installation - Security Context - Configure and Run Out-of-Process - REFERENCES SUMMARY ======= This step-by-step article explains how to run a process under another identity other than the SYSTEM account. Default Installation -------------------- By default, on a computer that is running Windows NT 4.0 Server, or on a Windows NT 4.0 computer that has Internet Information Server 4.0 installed, Web sites are set to run in-process or under the SYSTEM account. You can set a Web site or virtual directory and its associated applications to run in separate memory space and, therefore, run under the IWAM_machine account. By default, on computers that run the following, Web sites are set to run in medium pooled or under the IWAM_machine account: - Windows 2000 Server - Windows 2000 Professional with Internet Information Services 5.0 - Windows XP Professional with Internet Information Services 5.1 You can set a Web site or virtual directory and its associated applications to run in either of the following ways: - Medium pooled or high isolation and, therefore, run under the IWAM_machine account. - Low (IIS Process) and, therefore, run under the SYSTEM account. Security Context ---------------- Processes are always executed in the context of an account. For example, Inetinfo.exe runs as a process that is launched by the SYSTEM account, therefore, Inetinfo.exe runs in the context of the SYSTEM account. The SYSTEM account is not a typical user account: it does not have network access, therefore, applications that are running as SYSTEM cannot access network resources. For additional information about security context, click the article number below to view the article in the Microsoft Knowledge Base: Q248187 HOWTO: Impersonate a User from Active Server Pages NOTE: It is possible to run the IIS services (Inetinfo.exe) to run as a specified user account, however, that is an unsupported configuration. For the application to access resources from a remote server, you can configure your Web site or application to run out-of-process and configure that process to run under a domain user account (by default, it is run under the IWAM_machine account context). Therefore, you can assign the appropriate NTFS file system permissions for that domain account to the remote server. Configure and Run Out-of-Process -------------------------------- To configure an application to run out-of-process and then set that process to run under the identify of another account, follow the appropriate steps for your system: Internet Information Services 5.0 and 5.1: 1. Click Start, point to Programs, select Administrative Tools, and then click Internet Services Manager. 2. Expand the . 3. Select and right-click the Web site that you want, and then click Properties. 4. On the Home Directory tab, see the Application Protection drop-down list. By default, this is Medium (Pooled). Select Medium (Pooled), or select High if you want. NOTE: You can select Low(IIS Process) if you want to run it under the SYSTEM account. 5. Click Apply. 6. Close all the Properties dialog boxes, and then close Internet Services Manager. 7. Open the Component Services console: Click Start, point to Programs , point to Administrative Tools, and then click Component Services. 8. Expand the Component Service, expand Computers, expand My Computer, and then expand COM+ Applications folders. 9. Locate the corresponding COM+ application that you have set to run in Medium or High Application Protection earlier for the Web application (for example, IIS-default Web site//Root/AppName), right-click that COM+ application, and then click Properties. 10. On the Identity tab, click This user. 11. Locate or type the domain\user ID and password that has the appropriate domain access to your network resource, and then click OK. Internet Information Services 4.0: 1. Click Start, point to Programs, select Windows NT 4.0 Option Pack, point to Microsoft Internet Information Services, and then click Internet Services Manager. NOTE: Do not click HTML. 2. Expand the . 3. Select and right-click the Web site that you want, and then click Properties. 4. On the Home Directory tab, see a check box for you to set Run in separate memory space (isolated process). By default, this is cleared (not checked). 5. Click Apply. 6. Close all the Properties dialog boxes, and then close Internet Services Manager. 7. Click Start, point to Programs, click Windows NT 4.0 Option Pack, point to Microsoft Transaction Server, and then click Transaction Server Explorer. 8. Expand the Microsoft Transaction Server, expand Computers, expand My Computer, and then expand Packages Installed folders. 9. Locate the corresponding MTS package for your Web application that you have set to Run in separate memory space earlier in these steps (for example, IIS-default Web site//Root/AppName), right-click the MTS package, and then click Properties. 10. On the Identity tab, click This user, locate or type the domain\user ID and password that has the appropriate domain access to your network resource, and then click OK. 11. Stop and start IIS Services. REFERENCES ========== For more information, see the following books: - Designing Secure Web-Based Applications for Microsoft Windows 2000, by Microsoft Press. - Programming Windows Security, by Addison Wesley. Q248187 HOWTO: Impersonate a User from Active Server Pages Q277329 Cannot Access Network Resources in Application_OnEnd or Session_OnEnd Events Additional query words: ====================================================================== Keywords : kbHOWTOmaster Technology : kbiisSearch kbiis500 kbiis400 kbiis510 Version : :4.0,5.0 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.