Microsoft IIS-7 Application Pools

Why run applications inside Application pools?

It’s a recommended practice to isolate applications, even when they run on the same server, for better reliability, security, and performance. Each pool runs in its own worker process, so one misbehaving application does not take the entire server down. On the security side, an attacker who takes control of one site has a harder time compromising a co-hosted application that runs in a separate pool. Here is how to set up an App pool.

Run: InetMgr.exe > Expand the IIS server > Choose Application Pools > right-click the middle pane and choose Add Application Pool > the Add Application Pool window appears > input the name of the App Pool > choose the .NET Framework version that is compatible with the intended apps (e.g. .NET 4.5) > set the Managed pipeline mode field = Integrated > Start application pool = checked

Note: Integrated mode uses the unified request-processing pipeline of IIS and ASP.NET and is the preferred mode for modern apps. The “Identity” option specifies the user account the application pool’s worker process runs as. Although the “ApplicationPoolIdentity” account is the recommended pool identity, it is good practice to use a Domain account so that its access can be revoked centrally in the event of a breach.

Once the application pool has been created > right-click it > select Advanced Settings > Process Model section > Identity field, change the value from NetworkService to LocalSystem > OK

InetMgr.exe > expand Sites > locate the virtual directory > right-click that virtual directory > Advanced Settings > General > Application Pool, click Browse > select the application pool created earlier

Troubleshooting:

When CGI applications fail

Right-click the virtual directory > Authentication feature > check that Anonymous Authentication status is Enabled > Edit > set value = Application pool identity

When the website hangs

  1. Are the permissions on the files directory set correctly? The service account needs at least read and traverse permissions.
  2. It’s a good practice to use a domain account instead of a local account. Although this adds a dependency on the domain, the benefits that balance it are an additional layer of security and centralized management of service accounts.
  3. Is the application pool using the correct account to match the permissions set on the files directory?
  4. If this server is behind a proxy, test every connection string used from IIS to ensure the target is reachable. This is especially important for external targets.
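The same setup and both troubleshooting checks, scripted with the WebAdministration module that ships with IIS (a module on IIS 7.5 and later, a snap-in on 7.0). This is an added example, not part of the original post; the pool name, site, application path and domain account are assumptions, and the identity step follows the Note’s domain-account recommendation.

```powershell
# Added example (not from the original post): scripted equivalent of the
# InetMgr.exe steps and the troubleshooting checks. All names are assumptions.
Import-Module WebAdministration

$poolName = 'IsolatedAppPool'      # assumed pool name
$site     = 'Default Web Site'     # assumed site
$appPath  = 'MyApp'                # assumed application under the site
$svcUser  = 'CONTOSO\svc-myapp'    # assumed domain service account (see the Note)
$cred     = Get-Credential -UserName $svcUser -Message 'Service account password'

# 1. Create the pool: .NET 4.x runtime (the UI's "4.5"), Integrated pipeline, started.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode   -Value 'Integrated'

# 2. Run the worker process as a dedicated domain account instead of a built-in one,
#    so its access can be revoked centrally if the application is compromised.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $svcUser
    password     = $cred.GetNetworkCredential().Password
}

# 3. Bind the application to the pool.
Set-ItemProperty "IIS:\Sites\$site\$appPath" -Name applicationPool -Value $poolName

# 4. CGI failures: Anonymous Authentication enabled and set to "Application pool identity"
#    (an empty userName on the anonymousAuthentication element means the pool identity).
$filter = '/system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$appPath" `
    -Filter $filter -Name enabled  -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$appPath" `
    -Filter $filter -Name userName -Value ''

# 5. Site hangs: the pool account needs at least read + traverse on the content directory.
$contentDir = (Get-WebFilePath "IIS:\Sites\$site\$appPath").FullName
icacls $contentDir /grant "${svcUser}:(OI)(CI)(RX)" /T | Out-Null

# Verify the identity the pool actually runs as, and that it is started.
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel | Select-Object identityType, userName
Get-WebAppPoolState -Name $poolName
```

Run from an elevated PowerShell session on the IIS host; the verify lines at the end should report identityType SpecificUser with the domain account and a Started state.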
