How Do I Determine the Security Account that IIS Uses to Run My Web Site?
There is a big difference between classic ASP and ASP.NET applications when it comes to determining the user context that IIS is running under, so this FAQ is divided into two subsections that explain how to determine the account that IIS uses:
By default, for a Web site that allows anonymous access, this account is called IUSR_MachineName, where MachineName is the name of your computer. However, when you are using a security mechanism in IIS other than Anonymous Access, have manually changed the account that IIS uses, or are running your Web site "Out Of Process", you're likely to encounter another user account. The following table lists the user accounts that IIS uses in the various scenarios:
| Scenario | Account that IIS uses |
|---|---|
| The Web site or Virtual Directory / Application is configured for Anonymous Access | IUSR_MachineName |
| The Web site or Virtual Directory / Application is configured for Anonymous Access, but runs out of process (the Application Protection is set to High in the Home Directory or Virtual Directory tab of your Web application) | IWAM_MachineName |
| The Web site or Virtual Directory / Application is configured for Basic Authentication or Integrated Windows Authentication | The account you used to log on to your Web application |
| The Web site or Virtual Directory / Application is configured for Anonymous Access, but you manually changed the account used for anonymous access | The account you specified |
To find out how your system is configured, follow these steps:
1. Start the Internet Information Services management console, which you'll find under Administrative Tools, either directly on the Start Menu or in the Windows Control Panel.
Figure 1: The Internet Information Services MMC snap-in
2. Expand the tree in the left-hand pane until you see Default Web Site. If you're configuring another Web site, or a Virtual Directory / Application, locate that one instead. This article assumes you're configuring the Default Web Site, so make sure you adjust any steps to match your situation if necessary.
3. Right-click the Default Web Site in the tree at the left and choose Properties.
4. Open the Directory Security tab and then click the Edit... button in the Anonymous access and authentication control section of the dialog. You'll see a screen similar to this one appear:
Figure 2: The Authentication Methods dialog in IIS for the Default Web Site
If Anonymous access is checked (as in the screen shot above), the user name you see in the User name field is the account that IIS is using. If Anonymous access is not checked, and Basic and/or Integrated Windows authentication are checked, the account you use to log on to your Web site is used by IIS. Note that when Anonymous access is enabled, it doesn't matter whether Basic and/or Integrated authentication are checked as well; the account that IIS is using will still be the anonymous account, IUSR_MachineName by default.
5. Finally, you have to check whether your site is running Out of Process. To do so, close the Authentication Methods dialog and switch to the Home Directory tab on the Default Web Site Properties dialog:
Figure 3: The Home Directory tab of the Default Web Site Properties dialog
If Application Protection is set to High (Isolated) and you are using Anonymous Access, the account that IIS is using is the IWAM_MachineName account. In all other scenarios, IIS is using the account you determined in the previous step.
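The steps above read the settings from the MMC dialogs. The following console program is an added example, not code from the original article: it reads the same three settings (the authentication methods, the Application Protection level and the anonymous account) from the IIS 5/6 metabase through ADSI and applies the classic ASP table from this section in a small decision function. It assumes an IIS 5 or 6 metabase, a reference to System.DirectoryServices, that you run it as an administrator, and that the Default Web Site has site id 1 (pass another metabase path, such as one for a Virtual Directory / Application, as the first argument).

```csharp
// Added example (not part of the original article): resolves the account IIS uses
// for a classic ASP application from the metabase, following the article's table.
using System;
using System.DirectoryServices;

public static class ClassicAspAccount
{
    // Bits of the metabase AuthFlags property.
    const int AuthAnonymous = 1;    // Anonymous access
    const int AuthBasic = 2;        // Basic authentication
    const int AuthIntegrated = 4;   // Integrated Windows authentication

    // Value of the metabase AppIsolated property for Application Protection "High (Isolated)".
    const int IsolatedHigh = 1;

    // The article's table as a pure function, so it can be checked against the values
    // read from the metabase or exercised with fixed input.
    public static string Resolve(int authFlags, int appIsolated, string anonymousUserName, string machineName)
    {
        bool anonymous = (authFlags & AuthAnonymous) != 0;

        // Basic / Integrated only: IIS uses the account the visitor logged on with.
        if (!anonymous)
        {
            return "the account the visitor logged on with (Basic / Integrated Windows authentication)";
        }

        // Anonymous Access with Application Protection set to High: IWAM_MachineName.
        if (appIsolated == IsolatedHigh)
        {
            return "IWAM_" + machineName + " (Anonymous Access, out of process)";
        }

        // Anonymous Access in process: the configured anonymous account, which is
        // IUSR_MachineName unless somebody changed it in the Authentication Methods dialog.
        string defaultAnonymous = "IUSR_" + machineName;
        if (string.Equals(anonymousUserName, defaultAnonymous, StringComparison.OrdinalIgnoreCase))
        {
            return anonymousUserName + " (default anonymous account)";
        }
        return anonymousUserName + " (manually changed anonymous account)";
    }

    public static void Main(string[] args)
    {
        // Metabase path of the Default Web Site's root application (site id 1 is assumed).
        string path = args.Length > 0 ? args[0] : "IIS://localhost/W3SVC/1/Root";

        using (DirectoryEntry app = new DirectoryEntry(path))
        {
            int authFlags = Convert.ToInt32(app.Properties["AuthFlags"].Value);
            int appIsolated = Convert.ToInt32(app.Properties["AppIsolated"].Value);
            string anonymousUser = Convert.ToString(app.Properties["AnonymousUserName"].Value);

            Console.WriteLine("Metabase path      : {0}", path);
            Console.WriteLine("Anonymous Access   : {0}", (authFlags & AuthAnonymous) != 0);
            Console.WriteLine("Basic              : {0}", (authFlags & AuthBasic) != 0);
            Console.WriteLine("Integrated Windows : {0}", (authFlags & AuthIntegrated) != 0);
            Console.WriteLine("AppIsolated        : {0}", appIsolated);
            Console.WriteLine("Anonymous account  : {0}", anonymousUser);
            Console.WriteLine("IIS runs requests as {0}",
                Resolve(authFlags, appIsolated, anonymousUser, Environment.MachineName));
        }
    }
}
```

The output tells you which row of the table applies before you grant that account NTFS or database permissions; checking the metabase rather than assuming IUSR_MachineName is what catches the two surprises the article describes (an out-of-process application and a manually changed anonymous account).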
For ASP.NET, things are a bit different. By default, ASP.NET will run under a special account called ASPNET. This account is a "least privileged" account which means it's pretty restricted in the things it can do on your system. To make things a bit more confusing, on Windows Server 2003, an account called "Network Service" is used by default instead of the ASPNET account.
So, whether you are using Anonymous Access or Basic / Integrated security, the account is always the ASPNET or Network Service account. However, you can change this by modifying the Web.Config file for the application. To make the change, you can add an <identity impersonate="true" /> to the <system.web> section. If you add the element, IIS will impersonate the current user and use that account instead of the ASPNET account. This means that with Anonymous Access enabled, this account is the anonymous account. Usually, this will be the IUSR_MachineName account, but check out step 4 of the instructions for classic ASP to find out whether that is true or not in your situation.
If you're not using Anonymous Access, but Basic or Integrated Security instead, the account that is used is the one that the current user is logged on with. You can also explicitly specify an account that you want to use by setting the userName and password attributes of the <identity> element.
The following table lists the various possibilities. The first column shows whether or not impersonation has been enabled in the Web.Config file. The second and third columns list the account used with Anonymous Access and without Anonymous Access respectively:
| Impersonation in Web.Config | Anonymous Access | No Anonymous Access (Basic, Integrated etc) |
|---|---|---|
| Disabled (the default) | ASPNET or Network Service account | ASPNET or Network Service account |
| Enabled | The anonymous account (usually IUSR_MachineName) | The authenticated user |
| Enabled with a specified user account | The specified account | The specified account |
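Because the ASP.NET account depends on both the IIS authentication settings and the `<identity>` element, the quickest way to confirm which row of the table applies is to ask the application itself. The generic handler below is an added example, not code from the original article: it reports what Web.Config says about impersonation, the Windows account the request is actually executing as, the account of the worker process, and the user IIS authenticated (if any). It assumes .NET Framework 2.0 or later (for `IdentitySection`), Full trust (needed to revert the impersonation with a zero token), and that you save it as WhoAmI.ashx in the application root.

```csharp
<%@ WebHandler Language="C#" Class="WhoAmIHandler" %>
// WhoAmI.ashx: added diagnostic handler, not part of the original article.
// Request it in a browser with each of the Web.Config / IIS combinations from the table.

using System;
using System.Security.Principal;
using System.Web;
using System.Web.Configuration;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // 1. What Web.Config says. With impersonate="false" (the default) every request
        //    runs as the worker-process account (ASPNET or Network Service).
        IdentitySection identity =
            (IdentitySection)WebConfigurationManager.GetSection("system.web/identity");
        context.Response.Write("impersonate            : " + identity.Impersonate + "\r\n");
        context.Response.Write("configured userName    : " +
            (string.IsNullOrEmpty(identity.UserName) ? "(none)" : identity.UserName) + "\r\n");

        // 2. The Windows account this request executes as. This is the account whose
        //    permissions apply when the page opens a file, a registry key or a database
        //    connection that uses Windows authentication.
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();
        context.Response.Write("request executes as    : " + threadIdentity.Name + "\r\n");

        // 3. The account the worker process itself runs as. Impersonating a zero token
        //    temporarily reverts any impersonation, so this shows the process account
        //    even when <identity impersonate="true" /> is in effect.
        using (WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            context.Response.Write("worker process runs as : " +
                WindowsIdentity.GetCurrent().Name + "\r\n");
        }

        // 4. The user IIS authenticated: empty under Anonymous Access, the logged-on user
        //    under Basic or Integrated Windows authentication.
        string authenticated = context.User != null && context.User.Identity.IsAuthenticated
            ? context.User.Identity.Name
            : "(anonymous)";
        context.Response.Write("authenticated user     : " + authenticated + "\r\n");
    }
}
```

Line 2 of the output is the one to compare with the table: with impersonation disabled it matches line 3, with impersonation enabled under Anonymous Access it shows the anonymous account, and with a userName/password in `<identity>` it shows that account. If you do take the last route, keep in mind that the password then sits in Web.Config in clear text; on .NET Framework 2.0 and later the section can be encrypted with protected configuration (`aspnet_regiis -pe "system.web/identity"`).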
The following articles provide more detailed information about configuring security in ASP.NET:
- Authentication in ASP.NET: .NET Security Guidance
- How To Create a Custom Account to Run ASP.NET
- <identity> Element
- Improving Web Application Security: Threats and Countermeasures
- Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication