Microsoft Press Internet Information Services (IIS) 7.0 Resource Kit, part 5 (ppsx)

Part III: Administration
Chapter 10: Managing Applications and Application Pools

Customization

You can create a new application pool when an application requires different application pool settings. Such a situation arises if you have an old application that must run in the Classic process model while others must run in Integrated mode. (Integrated mode is discussed in Chapter 11.) In IIS 7.0, the ASP.NET integration mode and the .NET Framework version are configurable at the application pool level. In addition, creating a new application pool allows you to configure a unique set of worker process settings (such as the application pool recycling interval or queue size) that differ from those of the common application pool. You might also want to isolate an application based on application type; for example, you might want different application pools for ASP and ASP.NET.

Note: Although IIS 7.0 supports side-by-side execution of applications using different versions of the .NET Framework, you should understand that applications built on different .NET Framework versions require different application pools, because each application pool is assigned only one .NET Framework run-time version.

Adding a New Application Pool

To use IIS Manager to create a new application pool, expand the IIS computer node in the Connections pane and navigate to the Application Pools node. Right-click the Application Pools node and select Add Application Pool. Alternatively, click Add Application Pool in the Actions pane. The result is shown in Figure 10-4.

Figure 10-4 Adding a new application pool by using IIS Manager

Note: When using IIS Manager to add an application pool, select the Start Application Pool Immediately check box if you want to start the application pool right after creating it. When an application picks up a request from an application pool that is not running, IIS 7.0 returns a 503 HTTP "The service is unavailable" error to the client browser.

After you have created an application pool, you can either create a new application to run in the new application pool or assign the new application pool to an existing application. To assign an application pool to an existing application by using IIS Manager, expand the IIS computer node in the Connections pane and then expand the Site node in the tree listing. Navigate to the desired application and then click Basic Settings in the Actions pane. Click the Select button to choose the new application pool from the list of available application pools, as shown in Figure 10-5.

Figure 10-5 Assigning an application pool to an existing application by using IIS Manager

Caution: Assigning a new application pool to, or changing the application pool for, an application that is running may end up loading the application in the new worker processes for the newly assigned application pool, but application details or variables in the old worker process are not visible to the new worker process. The application will continue processing existing requests in the old worker process but will not receive any additional requests after the changes are applied and are detected by the original worker process.

Use the following Appcmd syntax to create a new application pool:

    appcmd add apppool /name:string /managedPipelineMode:enum /managedRuntimeVersion:string

To set the properties on an existing application pool, use this syntax:

    appcmd set apppool ApppoolName /managedPipelineMode:enum /managedRuntimeVersion:string

Table 10-5 describes the parameters for the ADD APPPOOL and SET APPPOOL syntaxes.

Table 10-5 Syntax for Appcmd to Configure Application Pool Properties

name
    The name of the new application pool. Required to add an application pool.
AppPoolName
    The application pool name. Required when editing an existing application pool.
managedRuntimeVersion
    Specifies the .NET run-time version for the application pool. Can be "v1.1", "v2.0", or "" for no Common Language Runtime (CLR). Future versions of the .NET Framework will support new version strings. The default is "v2.0".
managedPipelineMode
    The ASP.NET integration mode for the application pool. Values are "Classic" or "Integrated". The default is "Integrated".

The following command creates a new application pool with the name "Fabrikam Stock":

    appcmd add apppool /name:"Fabrikam Stock"

The output, shown in the following syntax, indicates that a new application pool object has been added to the configuration store:

    APPPOOL object "Fabrikam Stock" added

To change the new application pool's basic settings, such as the process model and the .NET run-time version, use the SET command. The following command reconfigures the newly created "Fabrikam Stock" application pool to run on .NET run-time version 1.1 and changes the process model to Classic ISAPI mode:

    appcmd set apppool /apppool.name:"Fabrikam Stock" /managedRuntimeVersion:"v1.1" /managedPipelineMode:"Classic"

Note: To enable support for .NET Framework version 1.1, you need to install the .NET Framework 1.1. By design, when it is installed, a new application pool named ASP.NET 1.1 is created. This new application pool is configured to run in the Classic worker process model with the .NET Framework 1.1 run time. You can learn more about ASP.NET versioning in Chapter 11.

Finally, when the new application pool is ready, you can either create a new application to run on the application pool or assign the application pool to any existing application. For example, the following syntax configures the existing "Stock" application to run in the "Fabrikam Stock" application pool:

    appcmd set app "Fabrikam HR/Stock" /applicationPool:"Fabrikam Stock"

Caution: When using Appcmd to set the application pool for an application, the command line tool does not verify that the specified application pool exists in the configuration system. If the application pool does not exist, the application will fail to load at run time.

When adding a new application pool, the configuration system creates a new application pool element under the section in the applicationHost.config file. The element includes the name of the application pool, the worker process model, and the process identity if it is different from the default settings. The following shows the configuration of the newly created Fabrikam Stock application pool in the .NET Framework version 1.1 run time.

When you assign a new application pool to an existing application, the element inside the element is updated by the IIS Web core. For more information, see the section titled "Managing Web Applications" earlier in this chapter.

Managing Application Pool Identities

You can configure the identity under which worker processes in the application pool will run by assigning an account to the application pool. Application pool identity configuration is an important aspect of security in IIS 7.0, because it determines the identity of the worker process when the process is accessing resources. In IIS 5.0, the process runs under the LocalSystem account. That has significant security implications, because the user account has high access privileges. This changed in IIS 6.0 with the introduction of the application pool, for which NetworkService is the default application pool identity. In IIS 7.0, the predefined worker process identities are the same as for IIS 6.0. Table 10-6 illustrates the built-in application pool identities in IIS 7.0.

Table 10-6 Built-In Application Pool Identities

LocalSystem
    LocalSystem is a built-in account that has administrative privileges on the server. It can access both local and remote resources. The account technically has access privileges similar to the system administrator account, with unrestricted access to local resources. Application pools should never be assigned this identity. (If an application requires this identity, it indicates that the application is poorly designed, and you should strongly consider changing the application so that it does not require administrative privileges.)
LocalService
    The LocalService account is a special built-in account that has reduced privileges similar to an authenticated local user account. It does not have network access privileges.
NetworkService
    NetworkService is a built-in account that has reduced privileges similar to an authenticated local user account. It can access remote resources as the machine account. This is the default account that IIS application pools use, and it has limited access to resources on local and remote computers.

In addition to the built-in accounts, you can create a custom user account and run the worker process in the context of that account. Chapter 14 covers this in detail. You will learn more about configuring a custom account as the application pool identity in the section titled "Configuring Application Pool Identity" later in this chapter.

Security Account Changes in IIS 7.0

In IIS 7.0, both the anonymous user account (IUSR_computername) and the IIS_WPG user group have been removed and replaced by system built-in accounts rather than normal user and group accounts. Using a built-in predefined user Security Identifier (SID) ensures that the same common accounts exist on a remote IIS 7.0 computer. The built-in account initiative also eliminates the need to manage issues with user credentials, such as password expiration. The following built-in accounts are created during IIS 7.0 installation:

■ IUSR The default user account for the anonymous identity; replaces the IUSR_computername account.
■ IIS_IUSRS New built-in user group; replaces the IIS_WPG user group.

Note: IUSR_computername is created if the FTP Publishing Service (the legacy IIS 6.0 FTP) role service is installed in Windows Server 2008.

In addition to the security user and user group account changes, IIS 7.0 introduces two additional enhancements related to application pool identity:

■ Application Pool Identity as Anonymous Account Designate the application pool identity as the anonymous user account. (Simply set the userName in the anonymousAuthentication configuration section to be blank. To learn about this new feature, see Chapter 14.) The main advantage of configuring the application pool identity as the anonymous user is that you do not have to manage security for a separate account.
■ Automatic IIS_IUSRS Membership In IIS 6.0, when you configure a custom application pool identity, the custom account must be a member of IIS_WPG, because this user group has preconfigured access permissions and rights to start the worker process. Similar access permissions and rights have been granted to the IIS_IUSRS user group in IIS 7.0. However, the custom account does not need to be explicitly added to the IIS_IUSRS group, because this is done implicitly by IIS 7.0. (The application pool identity is not actually added to the IIS_IUSRS group. The group SID is injected into the worker process token at run time, so it acts as a member of IIS_IUSRS. No changes to the local user database or to Microsoft Active Directory directory service domain group membership are made.)

To revert to IIS 6.0 behavior, you can configure manual IIS_IUSRS group membership. This setting is per application pool, meaning that for an application pool with manual group membership, you will need to explicitly add the custom account to the IIS_IUSRS group. The following Appcmd syntax configures DefaultAppPool for manual IIS_IUSRS group membership:

    appcmd set apppool "DefaultAppPool" /processModel.manualGroupMembership:True

Direct from the Source: Using Application Pools to Sandbox Applications

The application pool is the fundamental unit of isolation for IIS applications, because it sandboxes the application code in a separate IIS worker process and allows sandboxing external access from resources within the process by applying access control lists (ACLs) to the application pool identity as well as granting or denying access to the application pool identity. Using application pools makes it possible to achieve a more thorough level of isolation between applications on the same server than is possible with any other technique, including impersonation or ASP.NET partial trust sandboxing.

IIS 7.0 goes further, enabling the application pool to be effectively used for isolation scenarios. It does this by automatically providing a unique account security identifier (SID) for each application pool so that the SID can be used in securing the resources with ACLs for that application pool. Windows Process Activation Service (also known as WAS) automatically creates this SID and therefore does not require you to create and use custom application pool identities. Moreover, IIS 7.0 also automatically isolates the global server configuration, by generating a filtered copy of the applicationHost.config configuration file for each application pool that contains only the configuration applicable to the application pool and does not retain configuration for other application pools, such as their application pool definitions and identity information. Combined with the increased worker process density, these improvements make it easier than before to create truly sandboxed application environments through the use of application pools.

Mike Volodarsky
IIS Core Program Manager

Configuring Application Pool Identity

Although NetworkService is an account with reduced access privileges, you might change the worker process identity due to your business needs. For example, a security application might require access to system resources for which NetworkService does not have the necessary permissions. In this case, you can run the worker process from a custom account with the necessary access rights. Chapter 14 discusses managing application pool identity with respect to security.

To use IIS Manager to configure application pool identity, expand the IIS computer node in the Connections pane and navigate to the Application Pools node. In the Application Pools display pane, select the application pool for which you want to change the identity account. Then click Advanced Settings in the Actions pane. In the Process Model section of the Advanced Settings dialog box, select the Identity property and then click the browse button (…) to display the Application Pool Identity dialog box, shown in Figure 10-6.

Figure 10-6 Configuring application pool identity by using IIS Manager

Caution: When changing the application pool identity, IIS 7.0 shuts down the current worker process if it is running and initiates a new worker process with the selected user identity. This impacts the availability of the application, and session details are lost during the application pool changes.

Use the following Appcmd syntax and the parameters shown in Table 10-7 to configure application pool identity:

    appcmd set apppool ApppoolName /processModel.identityType:enum /processModel.userName:string /processModel.password:string

Table 10-7 Syntax for Appcmd to Configure Application Pool Identity

ApppoolName
    This string represents the application pool name.
processModel.identityType
    The identity type: either a built-in account such as LocalService, LocalSystem, or NetworkService, or SpecificUser for a custom account for the application pool.
processModel.userName
    The user account name for the custom application pool identity.
processModel.password
    The user account password for the custom application pool identity.

The following example changes the default worker process identity from NetworkService to LocalService for the "Fabrikam Stock" application pool:

    appcmd set apppool "Fabrikam Stock" /processModel.identityType:LocalService

The identityType enumeration is case sensitive inside the configuration store. If you enter the correct value, Appcmd executes the command successfully and returns output like this:

    APPPOOL object "Fabrikam Stock" changed

If you enter an incorrect value, you will see the following error message:

    ERROR ( message:Unknown attribute "identityType" Reason: Enum must be one of LocalSystem, LocalService, NetworkService, SpecificUser )

To configure a custom application worker process identity, enter SpecificUser as the identityType attribute value. Then specify the user credentials by using the userName and password properties:

    appcmd set apppool /apppool.name:"Fabrikam Stock" /processModel.identityType:SpecificUser /processModel.userName:"MyAppUsr" /processModel.password:"passw@rd1"

The preceding example configures the MyAppUsr user account as the Fabrikam Stock application pool identity and specifies the account password as passw@rd1. IIS records changes in application pool identity in the section in the applicationHost.config file. The element value includes the name of the application pool, the worker process model, and the process identity, if it is different from the default settings. The following shows the configuration of the custom worker process identity configured for the Fabrikam Stock application pool.
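As an added example (not a listing from the Resource Kit), the following Python script audits the applicationPools section of an exported applicationHost.config for the identity risks this chapter describes: a pool running as LocalSystem, a SpecificUser password that is not in IIS's encrypted [enc:...:enc] attribute form, and manual IIS_IUSRS membership that needs the custom account added by hand. The configuration fragment is constructed for the example; only the "Fabrikam Stock" pool, its v1.1/Classic settings and the MyAppUsr account come from the chapter, the other pools are invented, and the ciphertext is a labelled placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample <applicationPools> section (not copied from any real server).
# Only "Fabrikam Stock", its v1.1/Classic settings and MyAppUsr come from the chapter;
# LegacyPool and ReportsPool are made up to exercise each check. The Fabrikam Stock
# password uses IIS's encrypted-attribute form with a placeholder instead of ciphertext.
SAMPLE_CONFIG = """<system.applicationHost><applicationPools>
  <add name="DefaultAppPool" />
  <add name="Fabrikam Stock" managedRuntimeVersion="v1.1" managedPipelineMode="Classic">
    <processModel identityType="SpecificUser" userName="MyAppUsr"
                  password="[enc:IISWASOnlyAesProvider:PLACEHOLDER_CIPHERTEXT:enc]" />
  </add>
  <add name="LegacyPool"><processModel identityType="LocalSystem" /></add>
  <add name="ReportsPool">
    <processModel identityType="SpecificUser" userName="svc_reports" password="passw@rd1"
                  manualGroupMembership="true" />
  </add>
  <applicationPoolDefaults><processModel identityType="NetworkService" /></applicationPoolDefaults>
</applicationPools></system.applicationHost>"""


def effective_process_model(pool, defaults):
    """Layer the pool's own <processModel> over <applicationPoolDefaults>; IIS 7.0 falls
    back to NetworkService with automatic IIS_IUSRS membership when neither sets a value."""
    model = {"identityType": "NetworkService", "manualGroupMembership": "false"}
    for node in (defaults, pool.find("processModel")):
        if node is not None:
            model.update(node.attrib)
    return model


def audit_app_pools(config_xml):
    """Return {pool name: [finding, ...]}; an empty list means no identity issue was found."""
    pools = ET.fromstring(config_xml).find("applicationPools")
    defaults_node = pools.find("applicationPoolDefaults")
    defaults = defaults_node.find("processModel") if defaults_node is not None else None
    findings = {}
    for pool in pools.findall("add"):
        model = effective_process_model(pool, defaults)
        issues = []
        if model["identityType"] == "LocalSystem":
            issues.append("runs as LocalSystem; application pools should never use this identity")
        if model["identityType"] == "SpecificUser":
            if not model.get("password", "").startswith("[enc:"):
                issues.append("SpecificUser password is stored in clear text, not in [enc:...] form")
            if model["manualGroupMembership"].lower() == "true":
                issues.append(f"manual group membership: confirm {model.get('userName')} is in IIS_IUSRS")
        findings[pool.get("name")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_app_pools(SAMPLE_CONFIG).items():
        print(f"{name:16} {'; '.join(issues) or 'OK'}")
```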

Posted: 07/08/2014, 00:22
