How to Limit Application Pool Permissions

The Problem:

Our company has a lot of data, and a lot of applications.  Sometimes we want to give an application access to a folder of data, but only that folder.  Perhaps we only want to permit read access, and deny write access.  This is simple enough if the application is a desktop application on a domain machine; we simply update role memberships for the application’s user, and then the application has access to the data that it needs.

But what if our application is a web app?  How can we control application pool permissions to file resources?

The Solution:

Control Application Pool Permissions: Run as a Controlled User

Because each app runs within an App Pool, and an App Pool is an actual Windows process that is somewhat managed by IIS itself, we can configure individual App Pools to run under specific users.  We then reassign apps to run under those app pools, and voila: the apps are then running under the desired user.  In this way we can control application pool permissions.

This can be useful if apps A, B, and C need access to File Server X, and app D needs access only to File Server Y.  Access control can then be controlled on a user level, effectively controlling access for the apps.

On that note, it may be useful to have your system administrator create users specifically for these app pools.

To run an app pool under a specific user:

  • In IIS Manager, visit the Application Pools
  • Right click on the App Pool that you wish to run under a specific user, and click Advanced Settings
  • Click the Ellipses (“…”) next to the Identity property value
  • Choose Custom Account and click Set
  • Provide a username and password for the app pool to use:
  • Click OK

Read more