When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.

The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.

The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?

Google search turns up bits and pieces but never the whole story.

+1  A: 

> what user account is relevant for [..] file read/write/execute access

As a rule: Always the user account the application/page runs under.

The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.

If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.

Process Monitor from Microsoft is a great tool to track down subtleties like this one.

Tomalak
Where is the IWAM account limited? How can I see/adjust these limitations?
Patrick Szalapski
>"Check who owns your file." If I'm writing a new file, this would be 'who owns the folder', right?
Patrick Szalapski
No. Owner of the file is the account who created it. Ownership is not inherited, this would defy the purpose.
Tomalak
The problem was with creating files, so I was focusing on the ACL of the folder to which I was writing. I always presumed that the account of the W3WP would be the owner of the files, and indeed it is. As stated below, I went with NETWORK SERVICE which seems to obey the ACL.
Patrick Szalapski
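To make the "which account is it" question concrete for both scenarios in the question, here is an added diagnostic (it is not code from the thread or from either poster). It assumes an ASP.NET page on .NET Framework 2.0 or later, running in IIS 6 with `<identity impersonate="true"/>`; the class and method names are chosen here. It prints the identity the request thread is impersonating (the token that file reads and writes inside a request are checked against), the identity of the w3wp.exe process itself (the application pool identity, which is also the token a child started with `Process.Start()` and no explicit credentials inherits, because `CreateProcess` uses the process's primary token rather than the thread's impersonation token), the group memberships of the thread token (an entry such as Administrators explains writes that the visible ACL appears to forbid), and the owner and access rules of the folder or file under test:

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Added diagnostic, not part of the original thread. Call
// AccessDiagnostics.Report() from any page or handler of the application.
public static class AccessDiagnostics
{
    // Identity of the current request thread. With impersonation enabled this
    // is the impersonated account; file I/O in the request is checked against it.
    public static WindowsIdentity ThreadIdentity()
    {
        return WindowsIdentity.GetCurrent();
    }

    // Identity of the w3wp.exe process (the application pool identity).
    // Impersonate(IntPtr.Zero) reverts the thread to the process token for the
    // duration of the using block; Dispose() undoes the revert.
    public static string ProcessIdentityName()
    {
        using (WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            return WindowsIdentity.GetCurrent().Name;
        }
    }

    // Group SIDs of a token, translated to names where a mapping exists.
    public static string GroupNames(WindowsIdentity id)
    {
        StringBuilder sb = new StringBuilder();
        if (id.Groups == null)
            return sb.ToString();
        foreach (IdentityReference g in id.Groups)
        {
            try { sb.AppendLine("  " + g.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { sb.AppendLine("  " + g.Value); }
        }
        return sb.ToString();
    }

    // Owner plus explicit and inherited access entries of a file or directory.
    public static string DescribeAcl(string path)
    {
        FileSystemSecurity security = Directory.Exists(path)
            ? (FileSystemSecurity)Directory.GetAccessControl(path)
            : File.GetAccessControl(path);

        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Path:  " + path);
        sb.AppendLine("Owner: " + security.GetOwner(typeof(NTAccount)));

        AuthorizationRuleCollection rules =
            security.GetAccessRules(true, true, typeof(NTAccount));
        foreach (FileSystemAccessRule rule in rules)
        {
            sb.AppendFormat("  {0,-5} {1,-35} {2}{3}\r\n",
                rule.AccessControlType,
                rule.IdentityReference.Value,
                rule.FileSystemRights,
                rule.IsInherited ? " (inherited)" : "");
        }
        return sb.ToString();
    }

    // Full plain-text report for one path.
    public static string Report(string path)
    {
        WindowsIdentity thread = ThreadIdentity();
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Thread identity (impersonated): " + thread.Name);
        sb.AppendLine("Process identity (app pool):    " + ProcessIdentityName());
        sb.AppendLine("Groups of thread token:");
        sb.Append(GroupNames(thread));
        sb.AppendLine();
        sb.Append(DescribeAcl(path));
        return sb.ToString();
    }
}

// Example use from a code-behind (assumed page, not from the thread):
//
// protected void Page_Load(object sender, EventArgs e)
// {
//     Response.ContentType = "text/plain";
//     Response.Write(AccessDiagnostics.Report(Server.MapPath("~/App_Data")));
// }
```

Read the output against the two scenarios: the batch-file start is governed by the process identity line, and the file write by the thread identity line together with the folder's owner and access rules. If the thread identity or one of its groups appears in an Allow entry with Write or Modify, or owns the folder, the write that seemed to contradict the ACL is explained; if the process identity is the IWAM account, that is the token that was denied when starting the child process.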
A: 

A bit more searching reveals that the IWAM user isn't that well documented and we should stick with NETWORK SERVICE or a manually-supplied identity if we want to specify permissions for that user.

Patrick Szalapski
