Low privileges IIS Application Pools

When you create a new application pool, you probably want it to run with the least privileges needed by the application it will host.

This article describes how to create a user account for use in an IIS application pool. This article is useful when you get one of the following messages:

  • The identity of application pool is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.
  • The identity of application pool, is invalid. If it remains invalid when the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

User account

There are two account types:

  1. Domain accounts
    • Useful when you run a web application on server A but it needs to access resources on another server within the domain. This account type can be created with the Active Directory Users and Computers management console on one of the domain controllers in your domain.
  2. Local accounts
    • Useful when the application only needs access to local files and/or accesses resources outside of the domain with its own credentials.

Create the account

  1. Create a user account and store its (complex) password at a ‘well known’ but secure location.
  2. Remove it from the Users group.
  3. Add the user account to the IIS_WPG (IIS Worker Process Group) group on the web server where you are going to run the web application.

Application pool

  1. Launch the IIS Manager
  2. Add an application pool
  3. Change the application pool and specify its identity by entering the newly created account.

File system

The application pool probably needs read and/or write access to the file system at the location where the web application is deployed. Give the account read access to the root of the web application folder and grant ‘modify’ rights only on the folders where they are actually needed. There is no need to use ‘Full control’ rights at all.
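
The steps above (account, application pool, file system) as one cmd script. This is an added example, not part of the original article; it assumes IIS 6 (the version that has IIS_WPG), English group names, icacls being available, and the hypothetical names svc_webapp1, WebApp1Pool, D:\Sites\WebApp1 and App_Data.

```batch
@echo off
rem Added example, not from the article. Assumes IIS 6, icacls (Server 2003 SP2
rem or later), English group names and an administrator command prompt.
rem Hypothetical names: svc_webapp1, WebApp1Pool, D:\Sites\WebApp1, App_Data.
setlocal
set "ACCOUNT=svc_webapp1"
set "POOL=WebApp1Pool"
set "SITEROOT=D:\Sites\WebApp1"
set "WRITABLE=%SITEROOT%\App_Data"
set "ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs"

rem Create the account: "*" makes net user prompt for the password without echo.
net user %ACCOUNT% * /add /passwordchg:no || goto :fail
net localgroup Users %ACCOUNT% /delete || goto :fail
net localgroup IIS_WPG %ACCOUNT% /add || goto :fail

rem Application pool: create it, then run it as the specific user
rem (AppPoolIdentityType 3 = configurable account).
cscript //nologo "%ADSUTIL%" CREATE W3SVC/AppPools/%POOL% IIsApplicationPool
cscript //nologo "%ADSUTIL%" SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
cscript //nologo "%ADSUTIL%" SET W3SVC/AppPools/%POOL%/WamUserName "%ACCOUNT%"
rem set /p echoes what is typed; run this at the console, not in a shared session.
set /p "POOLPASS=Password for %ACCOUNT% again (stored as pool identity): "
cscript //nologo "%ADSUTIL%" SET W3SVC/AppPools/%POOL%/WamUserPass "%POOLPASS%"
set "POOLPASS="

rem File system: read on the application root, modify only where writes are needed.
icacls "%SITEROOT%" /grant "%ACCOUNT%:(OI)(CI)R" || goto :fail
icacls "%WRITABLE%" /grant "%ACCOUNT%:(OI)(CI)M" || goto :fail

rem Check: show the account's groups, then flag any Full control entry for it.
net user %ACCOUNT%
icacls "%SITEROOT%" /T | findstr /I /C:"%ACCOUNT%:" | findstr /L /C:"(F)"
if not errorlevel 1 echo WARNING: %ACCOUNT% has Full control under %SITEROOT%
endlocal
exit /b 0

:fail
echo Step failed, stopping. 1>&2
endlocal
exit /b 1
```

A password containing a double quote breaks the quoting on the WamUserPass line; in that case set the identity in IIS Manager as described in the Application pool steps.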

Incorrect ‘Google’ hits

At some sites people mention that the user account needs to be part of the ‘Act as part of the operating system’ policy but this is NOT necessary.

Finished

You can now test this new application pool with a (new) web application.

Hibernate or standby wakes up computer in seconds

I have this problem that when I want to enable one of the power-saving modes (hibernate or standby), my computer wakes up in seconds. Sometimes almost immediately and sometimes after 10 seconds.

My first thought was that it had to do with my mouse but after disconnecting it I still had the problem. My second guess was the network adapter but I wanted to use the WOL feature to remotely wake up my computer.

Wake On Lan

Today I found out that “the default” option for my network adapter is to wake up on any network activity instead of only WOL packets. To wake up only when a WOL packet is sent, you have to make sure that the third checkbox is set. This is the same in XP and Vista.

Properties of Broadcom NetXtreme Gigabit Ethernet

Advanced power saving configuration

I still had problems with my computer waking up at weird times and my mouse was causing this. There is a nice command-line tool to list the items that can wake up the computer and with which you can disable a device's wake-up ability.

List the items that can wake up the computer:

powercfg -DEVICEQUERY wake_armed

Disable a device:

powercfg -DEVICEDISABLEWAKE "Logitech HID-compliant MX320 Laser Mouse"

A command-line example:
