Configure Application Pool Identity The identity of an application pool is the name of the service account under which the application pools worker process runs. By default, application pools operate under the Network Service user account, which has low-level user access rights. You can configure application pools to run under the Local System user account, which is an account with more user rights than the Network Service or Local Service user accounts. However, be mindful that running an application pool under an account with increased user rights presents a high security risk. Requirements
Recommendation As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type runas /user:administrative_accountname mmc %systemroot%\system32\inetsrv\iis.msc. Procedures By default, application pools operate under the Network Service user account, which has low-level user access rights. Consequently, this account provides better security against attackers or malicious users who might attempt to take over the computer on which the World Wide Web Publishing Service (WWW service) is running. The Local Service user account has low access rights as well, and is useful for situations that do not require access to resources on remote computers. You can, however, configure application pools to run under the Local System user account, which is an account with more user rights than the Network Service or Local Service user accounts.
|