Web Platform Installer adds a security user?

5 posts, 0 answered
  1. Michael McGovern
    11 posts
    Registered:
    18 Oct 2009
    31 Jan 2010

    Not sure if this is the right place for this question but here goes:

    Windows 2008R2 64-bit

    When I create a SF installation from the Web Platform Installer it just works out of the box with no need to change any permissions. During the install a user is created with the same name as the web site. I.e., if the web was domain.com, I have a user called domain.com with full control to the web site.

    Now my question:

    Who is this user and where is it coming from? The user is not defined anywhere I can find in IIS and is not in NTFS permissions. I can only see this user when viewing permissions from within IIS management and not from within Windows Explorer.

    Thanks for any insight. 

  2. Radoslav Georgiev
    3370 posts
    Registered:
    01 Feb 2016
    01 Feb 2010
    Hi Michael McGovern,

    Thank you for using our services.

    When we run the WPI to install Sitefinity CE, we get the following users added to the permissions list: NETWORK SERVICE and IIS_IUSRS (refer to the attached image). The NETWORK SERVICE user is added because we are running the application in IIS 7 Integrated pipeline mode and this is the identity of the default application pool. If you are running IIS 6.0, the user added instead of the NETWORK SERVICE one will be the ASP.NET worker process. The NETWORK SERVICE or ASP.NET users only need full control over the App_Data folder; you can revoke the rest of the permissions if they do not fit your security policy.

    You can find more information on the IIS_IUSRS account if you follow this link.

    Best wishes,
    Radoslav Georgiev
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Watch a video on how to optimize your support resource searches and check out more tips on the blogs.
  3. Michael McGovern
    11 posts
    Registered:
    18 Oct 2009
    01 Feb 2010
    In my instances the Network Service account is not being added but an account named after the web site is. See attached.
    This is on IIS 7.5

    I'm just trying to understand this "user" because it is not a re-usable user. For instance if I try to add this user to another folder it is not possible as Windows and IIS say the user does not exist. In SF the user is being granted full permission on the entire web but, for instance on BlogEngine.Net the user is created but only given modify to the App_Data folder. The behavior leads me to believe it is some kind of an alias for the Network Service account.

    Maybe I should seek help on the IIS or WPI web sites since this actually occurs in any .Net gallery installation.
  4. Radoslav Georgiev
    3370 posts
    Registered:
    01 Feb 2016
    01 Feb 2010
    Hello Michael McGovern,

    This is interesting. The thing is that here on my side the workstation is running on Vista, not a server OS. This can be something not from WPI but from IIS 7.5 and the OS. Anyway, this user should be impersonating the identity of the application pool you are running in. It should not need permissions for the entire virtual directory. You can leave only the ones for App_Data (this is how all my sites are set up).

    Greetings,
    Radoslav Georgiev
    the Telerik team

  5. Michael McGovern
    11 posts
    Registered:
    18 Oct 2009
    01 Feb 2010
    I was just coming back to repost what I found.
    The user with the domain.com name is the ApplicationPoolIdentity. I just installed another instance where Network Service is the identity for the Application Pool, and it then adds the Network Service account instead of a domain.com account.

    Mystery solved.

    It does however still grant the Network Service full control to the entire application.
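The thread ends with the installer's full-control grant on the whole site still in place. The following PowerShell sketch is an added example, not code from any of the posters or from Telerik: it reports what the pool identity holds on the site root and, with `-Apply`, narrows it to full control on App_Data only, as suggested in the replies. The site path is a placeholder, the `IIS AppPool\<pool name>` form is how an ApplicationPoolIdentity is addressed in an ACL, and the read-and-execute grant kept on the root is an assumption made so the site can still be served.

```powershell
# Added example; the path below is a placeholder, not a value from the thread.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\domain.com',   # placeholder site path
    [string]$AppPool  = 'domain.com',                      # pool name, as in the thread's example
    [switch]$Apply                                         # without -Apply the script only reports
)

# ApplicationPoolIdentity is a virtual account addressed as "IIS AppPool\<pool name>".
$identity = "IIS AppPool\$AppPool"
$account  = New-Object System.Security.Principal.NTAccount($identity)
$appData  = Join-Path $SiteRoot 'App_Data'

# 1. Report the entries the pool identity currently holds on the site root.
$acl = Get-Acl -Path $SiteRoot
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

if (-not $Apply) { return }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

# 2. Remove every explicit entry for the identity on the root
#    (inherited entries are not affected by PurgeAccessRules).
$acl.PurgeAccessRules($account)

# 3. Assumption: keep read/execute on the root so content can still be served.
$read = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'ReadAndExecute', $inherit, $noProp, 'Allow')
$acl.AddAccessRule($read)
Set-Acl -Path $SiteRoot -AclObject $acl

# 4. Full control on App_Data only, as recommended in the replies.
$dataAcl = Get-Acl -Path $appData
$full = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'FullControl', $inherit, $noProp, 'Allow')
$dataAcl.SetAccessRule($full)
Set-Acl -Path $appData -AclObject $dataAcl
```

Run it once without `-Apply` to review the current entries before changing anything; the same script works for a pool running as Network Service if `$identity` is set to `NT AUTHORITY\NETWORK SERVICE`.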