Application Security

Writing to the event log requires changing the rights under which the web service runs. Among the new features of IIS 6 are two new built-in accounts for worker processes, Network Service and Local Service. In previous versions of IIS, the worker processes ran under the Local System account. Network Service is the default account under which IIS 6 worker processes run. Network Service is more restrictive than Local System, and Local Service is more restrictive than Network Service. A custom user account that caters to the specific functional and security needs of the application can also be created.

To configure an application to run under a different account, you create a new application pool and set it to run under the credentials of the Local System account.

  1. Open the Computer Management Microsoft Management Console (MMC) snap-in by choosing Start | Administrative Tools.

  2. Open the Internet Information Services (IIS) Manager node, and then open the Application Pools folder node. All the defined application pools should be listed as icons in the tree subordinate to the Application Pools folder. An application pool named DefaultAppPool should exist; if it is expanded, all the web sites that use it will be listed below it, as shown in Figure 15-12.

    Figure 15-12: Applications using DefaultAppPool shown in the Computer Management MMC snap-in

  3. The Default Web Site that is created when IIS 6 is installed uses DefaultAppPool. As seen in Figure 15-12, the Default Web Site is listed as one of the many web applications using the DefaultAppPool. To set the application pool that a web site uses, open the Properties page for the web instance or virtual directory by right-clicking the node and selecting Properties.

  4. Select the Home Directory tab for a web instance, or the Virtual Directory tab for the virtual directory. In the Home Directory tab, the Application Pool combo box shown in Figure 15-13 displays the available application pools that can be selected.

    Figure 15-13: Home Directory tab for the Default Web Site Properties page

    The Events web service is running under a virtual directory called myPortal, which is located in the Default Web Site. The virtual directory myPortal was set to use DefaultAppPool, which runs under the credentials of the Network Service account. When the Events web service attempts to write to the event log, it will fail because the Network Service account does not have adequate rights to write to the application event log. If the Events web service were running on a previous version of IIS, it would write to the application event log without any problems. To solve the access problem, a new application pool will be created that uses the Local System account, and myPortal will be set to use the new application pool.

  5. Right-click the Application Pools icon in the Computer Management MMC and choose New | Application Pool.

  6. In the Add New Application Pool dialog box, shown in Figure 15-14, you can see that the Application Pool ID is set to webservice using LocalSystem. The default settings for a new application pool will be used.

    Figure 15-14: Add New Application Pool dialog box

  7. Click the OK button, and the new application pool will be created.

Here’s how to change the identity of the application pool webservice using LocalSystem:

  1. Open the Properties window by right-clicking the newly created node labeled webservice using LocalSystem in the Computer Management MMC under the Application Pools node and choosing Properties.

  2. In the Properties window, choose the Identity tab and select Local System from the Predefined security account selection, as shown in Figure 15-15.

    Figure 15-15: Set the identity for the application pool

  3. Click OK or Apply. A box will appear warning you of the dangers of running an application pool under the Local System account. If you’re concerned about the web service running under the Local System account, you can configure a user account that better suits your security requirements and still allows the web service to write to the application event log.

After the application pool is created, the virtual directory, myPortal, may be set to use the webservice using LocalSystem application pool. Open the Properties window for myPortal, and on the Directory tab, select the new application pool, as shown in Figure 15-16.

Figure 15-16: Selecting the new application pool webservice using LocalSystem for myPortal
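As an added example (not code from the book), the event-log write that fails in step 4 can be split so that registering the event source, which needs rights under the event log registry keys, is done once by an administrator, while the run-time write under the pool identity reports an access-denied failure together with the identity it ran as. The source name, class name and log name are assumed.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

// Hypothetical event-log writer for a web service such as the Events service.
public static class EventsServiceLog
{
    const string Source  = "EventsWebService";   // assumed source name
    const string LogName = "Application";        // the application event log

    // Install-time step, run once by an administrator. Registering a source
    // writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, a right the
    // worker-process identity should not need at run time.
    public static void RegisterSource()
    {
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, LogName);
    }

    // Run-time step, executed under the application pool identity. Returns true
    // if the entry was written. If the source was never registered, WriteEntry
    // tries to create it itself and, under a restricted identity, fails with a
    // SecurityException; the failure text names the identity so the application
    // pool configuration can be checked.
    public static bool TryWrite(string message, EventLogEntryType type, out string failure)
    {
        failure = null;
        try
        {
            EventLog.WriteEntry(Source, message, type);
            return true;
        }
        catch (SecurityException ex)
        {
            failure = "Event log write denied for identity '" +
                      WindowsIdentity.GetCurrent().Name + "': " + ex.Message;
            return false;
        }
    }
}
```

Calling RegisterSource from an installer or setup script run by an administrator leaves the web service needing only the run-time write, which is the narrower privilege the custom account in step 3 would be given.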

IIS 6: The Complete Reference
ISBN: 0072224959
Year: 2005
Pages: 193