Before I mentioned the option of using application pool isolation/sandboxing. I've done up a brief blog post that shows how this works, and how to implement it in IIS 7.0. See http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx for details.

IIS 7.0 also allows for remote management using non-Windows accounts (IIS 7.0 has a concept of IIS users, which don't exist outside IIS). By combining app pool isolation with the use of IIS7 user accounts, hosting companies can more easily isolate web content for each customer:

- you can still run each web app pool as a low privilege Network Service account, but each website's content is isolated/protected from another website
- you can give each customer an IIS-only account for remote management/configuration/etc
- this minimises the overhead in NTFS ACL management

Another tip: IIS 7.0 also supports new kernel mode authentication. This can simplify the SPN management process. I'll see if I can get time to write this up too.

Cheers
Ken

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Schaefer
Sent: Wednesday, 23 January 2008 6:08 PM
To: focus-ms@securityfocus.com
Subject: RE: FTP on IIS

Now: There /is/ an option to apply a certain sandboxing feature in IIS 7.0 that not many people know about. So I'll toss this in so we're still talking security :-)

Each worker process is injected with an additional SID specific to that app pool. The "user name" that the SID corresponds to is the name of the app pool. If you check c:\inetpub\temp\apppools and check the NTFS permissions on the config file that is generated when you start an app pool, you'll see the additional SID.

If you want, you can optionally choose to ACL your web content using that SID (i.e. remove Network Service, or whatever your app pool identity is, and use icacls.exe or similar to apply read permissions for that dynamic SID). This makes it an option to host all your app pools using one account (Network Service) yet still sandbox each app pool from the content that every other app pool can access. Neat huh?

But this is a manual process, and shouldn't explain what you are seeing.

Cheers
Ken
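As an added example (not Ken's code or the blog post's), a PowerShell script that performs the manual per-pool ACLing described in the quoted message: it stops inheriting the parent's ACEs, drops the shared Network Service grant, and grants read/execute on the content tree to the pool's own SID only. It assumes a hypothetical content directory C:\inetpub\wwwroot\customerA and pool name CustomerA, and that the pool SID resolves by name as "IIS AppPool\<pool name>"; where the name does not resolve, substitute the S-1-5-82-... SID string read from the ACL in c:\inetpub\temp\apppools.

```powershell
# Added example, not from the original post. Run from an elevated prompt after
# the app pool has been started at least once (so its SID has been generated).
# The path and pool name below are hypothetical placeholders.
param(
    [string]$ContentPath = 'C:\inetpub\wwwroot\customerA',
    [string]$AppPoolName = 'CustomerA'
)

# Name that the per-pool SID resolves to (assumption: "IIS AppPool\<pool>").
$poolIdentity = "IIS AppPool\$AppPoolName"

# Sanity check: resolve the name to its SID before touching any ACL.
# This throws if the pool SID does not exist on this box, which is the
# usual sign that the pool has never been started.
$account = New-Object System.Security.Principal.NTAccount($poolIdentity)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "$poolIdentity resolves to $($sid.Value)"

# 1. Stop inheriting ACEs from the parent folder (existing inherited entries
#    are copied as explicit ones so nothing is lost yet).
icacls $ContentPath /inheritance:d

# 2. Remove the broad grant that every pool running as Network Service shares.
#    Repeat with a different account if the pools use another shared identity.
icacls $ContentPath /remove:g 'NT AUTHORITY\NETWORK SERVICE' /T

# 3. Grant only this pool's SID read/execute on the whole tree.
#    (OI)(CI) make the entry inherit to files and subfolders.
icacls $ContentPath /grant "${poolIdentity}:(OI)(CI)RX" /T

# 4. Review the result: only Administrators, SYSTEM and this pool's SID should
#    remain. A second pool's worker process now gets access denied here.
icacls $ContentPath
```

Repeat per site with its own pool name; the verification step at the end is worth keeping, since a leftover Network Service or Users ACE silently defeats the isolation.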