HOW TO: Run Applications Not in the Context of the System Account in IIS (319067)
The information in this article applies to:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 5.1

This article was previously published under Q319067
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

This step-by-step article explains how to run an IIS application process under an identity other than the SYSTEM account.


Default Installation

By default, on a computer that is running Windows NT 4.0 Server, or on a Windows NT 4.0 computer that has Internet Information Server 4.0 installed, Web sites are set to run in-process, that is, under the SYSTEM account. You can set a Web site or virtual directory and its associated applications to run in a separate memory space, in which case they run under the IWAM_machine account.

By default, on computers that run the following, Web sites are set to run in Medium (Pooled) application protection, that is, under the IWAM_machine account:
  • Windows 2000 Server
  • Windows 2000 Professional with Internet Information Services 5.0
  • Windows XP Professional with Internet Information Services 5.1
You can set a Web site or virtual directory and its associated applications to run in either of the following ways:
  • Medium (Pooled) or High (Isolated) application protection, which runs them under the IWAM_machine account.
  • Low (IIS Process) application protection, which runs them under the SYSTEM account.

Security Context

Processes are always executed in the context of an account. For example, Inetinfo.exe runs as a process that is launched by the SYSTEM account; therefore, Inetinfo.exe runs in the context of the SYSTEM account.

The SYSTEM account is not a typical user account: it does not have network access; therefore, applications that run as SYSTEM cannot access network resources. For additional information about security context, click the article number below to view the article in the Microsoft Knowledge Base:

248187 HOWTO: Impersonate a User from Active Server Pages

NOTE: It is possible to configure the IIS services (Inetinfo.exe) to run as a specified user account; however, that is an unsupported configuration.

If the application must access resources on a remote server, configure your Web site or application to run out-of-process and configure that process to run under a domain user account (by default, it runs under the IWAM_machine account). You can then assign the appropriate NTFS file system permissions on the remote server to that domain account.

Configure and Run Out-of-Process

To configure an application to run out-of-process and then set that process to run under the identity of another account, follow the appropriate steps for your system:

Internet Information Services 5.0 and 5.1

  1. Click Start, point to Programs, select Administrative Tools, and then click Internet Services Manager.
  2. Expand the Server Name.
  3. Select and right-click the Web site that you want, and then click Properties.
  4. On the Home Directory tab, locate the Application Protection drop-down list. By default, this is set to Medium (Pooled). Select Medium (Pooled), or select High (Isolated) if you want.
    NOTE: Select Low (IIS Process) if you want the application to run under the SYSTEM account.
  5. Click Apply.
  6. Close all the Properties dialog boxes, and then close Internet Services Manager.
  7. Open the Component Services console:
    Click Start, point to Programs, point to Administrative Tools, and then click Component Services.
  8. Expand Component Services, expand Computers, expand My Computer, and then expand the COM+ Applications folder.
  9. Locate the COM+ application that corresponds to the Web application you set to Medium or High application protection earlier (for example, IIS-default Web site//Root/AppName), right-click that COM+ application, and then click Properties.
  10. On the Identity tab, click This user.
  11. Locate or type the domain\user ID and password that has the appropriate domain access to your network resource, and then click OK.
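The following PowerShell script is an added example, not part of the KB article: it audits the Application Protection level of every IIS application in the metabase and lists the identity of each COM+ application that hosts IIS applications, so you can verify that the steps above took effect. It assumes IIS 5.x with the IIS ADSI provider (IIS://) and the COM+ administration catalog (COMAdmin.COMAdminCatalog) present, run on the Web server as an administrator.

```powershell
# Added example (not from the KB article). Assumes the IIS ADSI provider and the
# COM+ admin catalog are available on the Web server; run as an administrator.

# AppIsolated metabase values: 0 = Low (in-process, SYSTEM), 1 = High (Isolated), 2 = Medium (Pooled)
$levelNames = @{ 0 = 'Low (IIS Process) - runs as SYSTEM'; 1 = 'High (Isolated)'; 2 = 'Medium (Pooled)' }
$appClasses = @('IIsWebServer', 'IIsWebVirtualDir', 'IIsWebDirectory')

function Get-AppIsolation($node) {
    # Walk the metabase tree. AppIsolated is inherited, so only report nodes that
    # are application roots (their AppRoot property, e.g. /LM/W3SVC/1/Root, points at themselves).
    foreach ($child in $node.Children) {
        if ($appClasses -notcontains $child.SchemaClassName) { continue }
        $appRoot  = $child.Properties['AppRoot'].Value
        $isolated = $child.Properties['AppIsolated'].Value
        if ($appRoot -and $child.Path -like ('*' + ($appRoot -replace '^/LM', ''))) {
            if ($null -eq $isolated) { $level = 'AppIsolated not set' }
            else {
                $level = $levelNames[[int]$isolated]
                if (-not $level) { $level = "Unknown value ($isolated)" }
            }
            '{0,-50} {1}' -f $child.Path, $level
        }
        Get-AppIsolation $child   # recurse into nested virtual directories
    }
}

function Get-IisComPlusIdentity {
    # Medium (Pooled) applications share the "IIS Out-Of-Process Pooled Applications"
    # COM+ application; each High (Isolated) application gets its own "IIS-{...}" entry.
    # The Identity value is what the KB's Identity tab (This user) sets.
    $catalog = New-Object -ComObject 'COMAdmin.COMAdminCatalog'
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        $name = $app.Value('Name')
        if ($name -like 'IIS*') { '{0,-50} {1}' -f $name, $app.Value('Identity') }
    }
}

'--- Application protection (metabase AppIsolated) ---'
Get-AppIsolation ([ADSI]'IIS://localhost/W3SVC')
'--- COM+ application identities ---'
Get-IisComPlusIdentity
```

Any application reported as Low still executes as SYSTEM, and any IIS COM+ application whose identity is still IWAM_machine has not yet been switched to the domain account described in steps 10 and 11.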

Internet Information Services 4.0

  1. Click Start, point to Programs, select Windows NT 4.0 Option Pack, point to Microsoft Internet Information Services, and then click Internet Services Manager.
    NOTE: Do not click HTML.
  2. Expand the Server Name.
  3. Select and right-click the Web site that you want, and then click Properties.
  4. On the Home Directory tab, select the Run in separate memory space (isolated process) check box. By default, this check box is cleared.
  5. Click Apply.
  6. Close all the Properties dialog boxes, and then close Internet Services Manager.
  7. Click Start, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Transaction Server, and then click Transaction Server Explorer.
  8. Expand Microsoft Transaction Server, expand Computers, expand My Computer, and then expand the Packages Installed folder.
  9. Locate the MTS package that corresponds to the Web application you set to Run in separate memory space earlier in these steps (for example, IIS-default Web site//Root/AppName), right-click the MTS package, and then click Properties.
  10. On the Identity tab, click This user, locate or type the domain\user ID and password that has the appropriate domain access to your network resource, and then click OK.
  11. Stop and then start the IIS services.

REFERENCES

For more information, see the following books:
  • Designing Secure Web-Based Applications for Microsoft Windows 2000, by Microsoft Press.
  • Programming Windows Security, by Addison Wesley.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

207671 HOW TO: Access Network Files from IIS Applications

248187 HOWTO: Impersonate a User from Active Server Pages

277329 Cannot Access Network Resources in Application_OnEnd or Session_OnEnd Events


Modification Type: Minor
Last Reviewed: 6/23/2005
Keywords:kbhowto kbHOWTOmaster KB319067