IIS NTFS Permissions are not working correctly

Tags: application-pools, iis, iis-7, permissions

I'm trying to make my IIS server more secure and have locked down individual application folders so that only the relevant AppPool can access them. The AppPools have been given Read access but I have tried with read/write access too. I also moved wwwroot to another drive.

Unless I specify a domain admin account as the AppPool identity, I get the error below about the web.config file not being readable.

An error occurred loading a configuration file: Failed to start monitoring changes to 'D:\wwwroot\web.config' because access is denied.

I can get around this particular error by doing this:

  • Right click on the application pool in IIS, choose Advanced Properties.
    Under ProcessModel -> Identity, choose Identity.
  • Choose Custom Account.
  • Switch to using a custom domain account that is an administrator on this machine, as well as on the machine where the virtual directory is hosted.
  • Restart the app pool.

The problem is that now my website which looks at the currently logged in user, sees the domain account specified in the apppool instead of the logged in user.

It also seems a bit pointless setting NTFS permissions on my application folders if I am then going to override it with a domain admin account in the apppool anyway.

Any suggestions?

[Screenshot: NTFS Permissions]

Best Answer

I have fixed this by giving the servername\IIS_IUSRS group read access to the wwwroot directory and all subfolders. This probably nullifies my security improvements, but it makes it work, so never mind.
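The accepted fix works because every application pool running as ApplicationPoolIdentity is implicitly a member of IIS_IUSRS, so granting that group read access opens wwwroot to all pools at once. The per-pool version of the same grant, which is what the question was originally aiming for, is to give each pool's own virtual account ("IIS AppPool\<pool name>") Read & Execute on just its site's physical path. The "Failed to start monitoring changes" error is the configuration system's file-change watcher failing, and it needs read access on the directory that holds web.config (and traverse rights on the parents), not only on the file itself. The script below is an added example, not code from the question or the answer; it assumes IIS 7.x or later with the WebAdministration module, local (non-UNC) site folders, and pool and site names read from the server's own configuration. Note that over the network the virtual account presents itself as the machine account (DOMAIN\COMPUTER$), so a remote virtual directory would have to grant that account instead.

```powershell
# Added example (not from the original question or answer): grant each
# application pool's own virtual identity Read & Execute on its site's
# physical path, instead of running the pool as a domain admin or giving
# IIS_IUSRS (i.e. every pool) access to everything under wwwroot.
# Assumes IIS 7.x+ with the WebAdministration module and local folders.
Import-Module WebAdministration

# A pool only gets its "IIS AppPool\<name>" virtual account when it runs
# as ApplicationPoolIdentity, so make sure every pool is set that way.
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    Set-ItemProperty "IIS:\AppPools\$($pool.Name)" `
        -Name processModel.identityType -Value ApplicationPoolIdentity
}

foreach ($site in Get-Website) {
    $poolName = $site.applicationPool
    # physicalPath may contain %SystemDrive% and similar; expand it.
    $path     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $account  = "IIS AppPool\$poolName"

    # (OI)(CI)RX = Read & Execute, inherited by existing and future files
    # and subfolders. Read is enough to serve content and for the config
    # system to watch web.config for changes. Grant M (Modify) separately,
    # and only on the specific folders an application actually writes to.
    # $($account) is needed because "$account:" would parse as a drive name.
    icacls $path /grant "$($account):(OI)(CI)RX" | Out-Null

    # Verify the ACE that was just written.
    (Get-Acl $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

    # The pool must be recycled before the new identity/ACL takes effect.
    Restart-WebAppPool $poolName
}
```

Two caveats worth checking after running this. First, icacls adds an explicit ACE and leaves existing inherited ACEs (for example a broad grant to Users or IIS_IUSRS from the parent) in place, so review `icacls $path` and remove any wider inherited grant deliberately rather than disabling inheritance wholesale, which would also drop SYSTEM and Administrators. Second, the worker process identity has nothing to do with who the website sees as the logged-in user: that comes from the authenticated HTTP request (Windows authentication on the site), and a process-level call such as WindowsIdentity.GetCurrent() will keep returning the pool account unless ASP.NET impersonation is enabled.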