2
votes

I'm trying to set up permissions for my web application running on IIS 7 so that other web applications do not have any access to it.

I first set it up to run under my own application pool that I named MyAppsPoolName2, as ApplicationPoolIdentity:


The anonymous authentication is enabled and set up to use app pool identity:


After that I configure the ACL permissions as follows:

The root folder for my web application: "C:\inetpub\www_test1" is set up with the following permissions:

  • Allow FILE_GENERIC_READ to IIS AppPool\MyAppsPoolName2
  • Deny FILE_ALL_ACCESS to IUSR
  • Deny FILE_ALL_ACCESS to IIS_IUSRS

So after I install & start my web site in IIS, I get the following error:

HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid.


Any idea how to fix this?

1
Does the web.config file in the error msg have the permissions you listed? Can you show a PowerShell output of the ACL like: PS > Get-Acl C:\Inetpub\www_test1 | fl
Also, if you remove your DENY permissions, does it work then? (I believe the AppPoolIdentities are part of the IIS_IUSRS group and DENY takes precedence over ALLOW.) – Brock Hensley
@dirt: I don't think web.config has anything to do with it. As the screenshot shows, it can't even read it. So I don't know how you'd list those permissions in a web.config? As for the PowerShell output, I get an error: Get-Process : Cannot find a process with the name "C:\Inetpub\www_test1". Verify the process name and call the cmdlet again. – ahmd0
@dirt: And yes, if I remove both deny permissions, it works just fine -- but that defeats the purpose of what I'm trying to achieve... – ahmd0
That is your issue; as the group deny entry is working as intended, the appPool has no permissions to read your files (it starts by reading your web.config file, thus the file being listed in the error screenshot you provided). You may want to rethink what you are trying to accomplish. – Brock Hensley

1 Answer

0
votes

I haven't tested this specifically, but I believe it will work.

Leave your application pool configured to use the AppPool Identity. Change your Anonymous User Identity to use an account that you create. Grant read permissions on the web.config to the AppPool Identity and deny access to the anonymous user identity.

This should give you the AppPool Identity for the worker process's process token, which I believe will be effective when the web.config file is read. During requests, the Anonymous User will be used as the thread token which will deny access to the web.config file.

You could also just rely on the fact that IIS will not serve up the web.config files by default.
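An added PowerShell example (not from the question or the answer) that covers both the diagnosis in the comments and the layout the answer proposes: it lists the ACEs with Get-Acl (the cmdlet the comment asked for, not Get-Process), flags any Deny on IUSR or IIS_IUSRS, which also catches the app pool identity because app pool identities are implicit members of IIS_IUSRS, and then rebuilds the ACL with read for IIS AppPool\MyAppsPoolName2 and a Deny on web.config for a dedicated anonymous account. The anonymous account name www_test1_anon is an assumed placeholder that must already exist; the path and pool name are the ones from the question.

```powershell
# Added example, not the asker's or answerer's code. Run elevated on the IIS host.
$SiteRoot  = 'C:\inetpub\www_test1'
$PoolId    = 'IIS AppPool\MyAppsPoolName2'
$AnonUser  = "$env:COMPUTERNAME\www_test1_anon"   # assumed: local account created beforehand
$WebConfig = Join-Path $SiteRoot 'web.config'

# List the explicit and inherited ACEs on a path (what the comment asked to see).
function Show-SiteAcl {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# Return Deny ACEs on IUSR or IIS_IUSRS. Deny wins over Allow, and the app pool
# identity is a member of IIS_IUSRS, so these ACEs block the worker process itself.
function Find-BlockingDeny {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -match '^(BUILTIN\\)?IIS_IUSRS$|(^|\\)IUSR$'
    }
}

# Apply the layout from the answer: pool identity may read the site root,
# the anonymous account is denied on web.config only, and the group Deny is removed.
function Set-SiteAcl {
    param([string]$Root, [string]$ConfigFile, [string]$Pool, [string]$Anon)
    $rootAcl = Get-Acl -Path $Root
    foreach ($ace in (Find-BlockingDeny -Path $Root)) { [void]$rootAcl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = New-Object System.Security.AccessControl.FileSystemAccessRule(
                   $Pool, 'ReadAndExecute', $inherit, $prop, 'Allow')
    $rootAcl.AddAccessRule($allow)
    Set-Acl -Path $Root -AclObject $rootAcl

    # A file ACE takes no inheritance flags, so use the three-argument constructor.
    $cfgAcl = Get-Acl -Path $ConfigFile
    $deny   = New-Object System.Security.AccessControl.FileSystemAccessRule(
                  $Anon, 'FullControl', 'Deny')
    $cfgAcl.AddAccessRule($deny)
    Set-Acl -Path $ConfigFile -AclObject $cfgAcl
}

Show-SiteAcl -Path $SiteRoot
if (Find-BlockingDeny -Path $SiteRoot) {
    Write-Warning "Deny ACE on IUSR/IIS_IUSRS found on $SiteRoot; it also blocks $PoolId"
}
Set-SiteAcl -Root $SiteRoot -ConfigFile $WebConfig -Pool $PoolId -Anon $AnonUser
Show-SiteAcl -Path $WebConfig
```

After the change, the anonymous account must still be set as the site's Anonymous User Identity in IIS Manager, as the answer describes, for the web.config Deny to apply to request threads.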