Select the product you need help with

HOW TO: Run Applications Not in the Context of the System Account in IIS

Article ID: 319067 - View products that this article applies to.

This article was previously published under Q319067

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

(http://www.microsoft.com/technet/security/prodtech/IIS.mspx)

For more information about IIS 7.0, visit the following Microsoft Web site:

http://www.iis.net/default.aspx?tabid=1

(http://www.iis.net/default.aspx?tabid=1)

Expand all | Collapse all

SUMMARY

This step-by-step article explains how to run a process under another identity other than the SYSTEM account.

Default Installation

By default, on a computer that is running Windows NT 4.0 Server, or on a Windows NT 4.0 computer that has Internet Information Server 4.0 installed, Web sites are set to run in-process or under the SYSTEM account. You can set a Web site or virtual directory and its associated applications to run in separate memory space and, therefore, run under the IWAM_machine account.

By default, on computers that run the following, Web sites are set to run in medium pooled or under the IWAM_machine account:

Windows 2000 Server
Windows 2000 Professional with Internet Information Services 5.0
Windows XP Professional with Internet Information Services 5.1

You can set a Web site or virtual directory and its associated applications to run in either of the following ways:

Medium pooled or high isolation and, therefore, run under the IWAM_machine account.
Low (IIS Process) and, therefore, run under the SYSTEM account.

Security Context

Processes are always executed in the context of an account. For example, Inetinfo.exe runs as a process that is launched by the SYSTEM account, therefore, Inetinfo.exe runs in the context of the SYSTEM account.

The SYSTEM account is not a typical user account: it does not have network access, therefore, applications that are running as SYSTEM cannot access network resources. For additional information about security context, click the article number below to view the article in the Microsoft Knowledge Base:

248187

(http://support.microsoft.com/kb/248187/EN-US/ )

HOWTO: Impersonate a User from Active Server Pages

NOTE: It is possible to run the IIS services (Inetinfo.exe) to run as a specified user account, however, that is an unsupported configuration.

For the application to access resources from a remote server, you can configure your Web site or application to run out-of-process and configure that process to run under a domain user account (by default, it is run under the IWAM_machine account context). Therefore, you can assign the appropriate NTFS file system permissions for that domain account to the remote server.

Configure and Run Out-of-Process

To configure an application to run out-of-process and then set that process to run under the identify of another account, follow the appropriate steps for your system:

Internet Information Services 5.0 and 5.1

Click Start, point to Programs, select Administrative Tools, and then click Internet Services Manager.
Expand the Server Name.
Select and right-click the Web site that you want, and then click Properties.
On the Home Directory tab, see the Application Protection drop-down list. By default, this is Medium (Pooled). Select Medium (Pooled), or select High if you want.
NOTE: You can select Low(IIS Process) if you want to run it under the SYSTEM account.
Click Apply.
Close all the Properties dialog boxes, and then close Internet Services Manager.
Open the Component Services console:
Click Start, point to Programs , point to Administrative Tools, and then click Component Services.
Expand the Component Service, expand Computers, expand My Computer, and then expand COM+ Applications folders.
Locate the corresponding COM+ application that you have set to run in Medium or High Application Protection earlier for the Web application (for example, IIS-default Web site//Root/AppName), right-click that COM+ application, and then click Properties.
On the Identity tab, click This user.
Locate or type the domain\user ID and password that has the appropriate domain access to your network resource, and then click OK.

Internet Information Services 4.0

Click Start, point to Programs, select Windows NT 4.0 Option Pack, point to Microsoft Internet Information Services, and then click Internet Services Manager.
NOTE: Do not click HTML.
Expand the Server Name.
Select and right-click the Web site that you want, and then click Properties.
On the Home Directory tab, see a check box for you to set Run in separate memory space (isolated process). By default, this is cleared (not checked).
Click Apply.
Close all the Properties dialog boxes, and then close Internet Services Manager.
Click Start, point to Programs, click Windows NT 4.0 Option Pack, point to Microsoft Transaction Server, and then click Transaction Server Explorer.
Expand the Microsoft Transaction Server, expand Computers, expand My Computer, and then expand Packages Installed folders.
Locate the corresponding MTS package for your Web application that you have set to Run in separate memory space earlier in these steps (for example, IIS-default Web site//Root/AppName), right-click the MTS package, and then click Properties.
On the Identity tab, click This user, locate or type the domain\user ID and password that has the appropriate domain access to your network resource, and then click OK.
Stop and start IIS Services.