Sunday, August 2, 2009

User rights for IIS Service Account

Windows user rights

Access this computer from the network
  • Administrators
  • ASPNET
  • IUSR_MachineName
  • IWAM_MachineName
  • Users
Adjust memory quotas for a process
  • Administrators
  • IWAM_MachineName
  • Local service
  • Network service
Bypass traverse checking
  • IIS_WPG

Allow log on locally (see Note)

  • Administrators
  • IUSR_MachineName

Deny logon locally

  • ASPNET

Impersonate a client after authentication

  • Administrators
  • ASPNET
  • IIS_WPG
  • Service

Log on as a batch job

  • ASPNET
  • IIS_WPG
  • IUSR_MachineName
  • IWAM_MachineName
  • Local service

Logon as a service

  • ASPNET
  • Network service

Replace a process level token

  • IWAM_MachineName
  • Local service
  • Network service
Note: If the Users group and the Everyone group must be removed from the Bypass traverse checking permissions, add the IIS_WPG group to permit IIS to function as expected.

Reference: http://support.microsoft.com/kb/812614
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx?pf=true
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)