Can’t select IUSR for running a service under

Tags: iis-7.5, iusr, windows-server-2008-r2, windows-service

We have a Windows 2008 R2 box running IIS 7.5 on which, due to a security requirement, we need to set the World Wide Web Publishing Service to run under IUSR. I can give IUSR folder permissions just fine. But when I try to select IUSR as the account for the World Wide Web Publishing Service to run under, I get a message saying that the user cannot be found. Currently we have the service running under "Local System Account". Any help would be greatly appreciated.

Best Answer

IUSR is the security context used when anonymous visitors browse your website. I would recommend against using it for the WWW service.

Prior to IIS7.5, a service account (IWAM) would be created for you that was a local account in addition to the local IUSR account. The new model is to run with different application pool identities so that one web site can't affect another one on the box if a site is compromised. I'd probably consider an unprivileged local account for the WWW service, to confine the credentials to that particular box.

I tested using a local user for WWW and the Windows Process Activation Service, and kept getting error messages of "this account isn't privileged enough" for the Windows Process Activation Service. So I added the local account to IIS_IUSRS and any other IIS-related group, and went into local security policy and added the privileges in Local Security Policy's User Rights Assignment:

  • Replace a process-level token
  • Adjust memory quotas for a process
  • Generate security audits
  • Log on as a batch job

That didn't work, so I added "Create global objects" after finding something on Google suggesting that might help. It didn't. But then it was time for me to go home, so I undid it all (even though it was a test environment).

I then tried

  • Impersonate a client after authentication

No joy. The services run as Local System, and the link I was working from says,

The Local System account is a powerful account that has full access to the computer and acts as the computer on the network. If a service uses the Local System account to log on to a domain controller, that service has access to the entire domain. Some services are configured by default to use the Local System account, and this should not be changed. The Local System account does not have a user-accessible password.

Sorry, I tried, but I think you're out of luck. You could certainly try giving an account the privileges listed here:

  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
  • SE_AUDIT_NAME (enabled)
  • SE_BACKUP_NAME (disabled)
  • SE_CHANGE_NOTIFY_NAME (enabled)
  • SE_CREATE_GLOBAL_NAME (enabled)
  • SE_CREATE_PAGEFILE_NAME (enabled)
  • SE_CREATE_PERMANENT_NAME (enabled)
  • SE_CREATE_TOKEN_NAME (disabled)
  • SE_DEBUG_NAME (enabled)
  • SE_IMPERSONATE_NAME (enabled)
  • SE_INC_BASE_PRIORITY_NAME (enabled)
  • SE_INCREASE_QUOTA_NAME (disabled)
  • SE_LOAD_DRIVER_NAME (disabled)
  • SE_LOCK_MEMORY_NAME (enabled)
  • SE_MANAGE_VOLUME_NAME (disabled)
  • SE_PROF_SINGLE_PROCESS_NAME (enabled)
  • SE_RESTORE_NAME (disabled)
  • SE_SECURITY_NAME (disabled)
  • SE_SHUTDOWN_NAME (disabled)
  • SE_SYSTEM_ENVIRONMENT_NAME (disabled)
  • SE_SYSTEMTIME_NAME (disabled)
  • SE_TAKE_OWNERSHIP_NAME (disabled)
  • SE_TCB_NAME (enabled)
  • SE_UNDOCK_NAME (disabled)

But it might be easier to just get a piece of paper from Microsoft telling you to not do that.
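The answer above works through the User Rights Assignment entries by hand. The following script is an added example, not part of the original answer or any Microsoft tooling: run from an elevated PowerShell prompt, it exports the local security policy with secedit, reports whether each of the rights named in the answer is granted to a chosen account or group (the IIS_IUSRS default and the service name W3SVC are assumed values, change them for your box), and shows which account the World Wide Web Publishing Service currently logs on as. It lets you verify the effect of each change before and after instead of relying on the "not privileged enough" error alone.

```powershell
# Added example (not from the original answer): audit which of the user rights
# discussed above are granted to an account, and what account the WWW service
# currently runs as. Needs an elevated prompt because secedit /export requires
# administrator rights.
param(
    [string]$Account     = 'IIS_IUSRS',  # local group or user to check (assumed default)
    [string]$ServiceName = 'W3SVC'       # World Wide Web Publishing Service
)

# Friendly names as shown in Local Security Policy -> secedit constant names.
$Rights = @{
    'Replace a process-level token'             = 'SeAssignPrimaryTokenPrivilege'
    'Adjust memory quotas for a process'        = 'SeIncreaseQuotaPrivilege'
    'Generate security audits'                  = 'SeAuditPrivilege'
    'Log on as a batch job'                     = 'SeBatchLogonRight'
    'Create global objects'                     = 'SeCreateGlobalPrivilege'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Log on as a service'                       = 'SeServiceLogonRight'
}

# Resolve the account to its SID, because secedit writes holders as *S-1-5-... .
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local policy and parse [Privilege Rights].
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inSection = $false
$granted   = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    # Right-hand side is a comma-separated list of *SID or account-name holders.
    $granted[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object { $_.Trim() }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Report each right: granted to the account (matched by SID or by name) or not.
foreach ($friendly in ($Rights.Keys | Sort-Object)) {
    $const   = $Rights[$friendly]
    $holders = $granted[$const]
    $has     = ($holders -contains "*$sid") -or ($holders -contains $Account)
    '{0,-45} {1,-32} {2}' -f $friendly, $const, $(if ($has) { 'GRANTED' } else { 'not granted' })
}

# Which account does the WWW service actually log on as right now?
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
"`n$($svc.DisplayName) runs as: $($svc.StartName)"
```

Save it as a .ps1 and call it with `-Account 'MACHINE\svc-www'` to check a candidate local account instead of the group. The script only reads policy; it changes nothing, so it is safe to run on the production box to compare against the test environment the answer describes.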
