I need to deploy an IIS-based web application in an environment that uses Group Policy to apply standard user rights assignments for all computers in the Active Directory domain. When the application is installed, it automatically adds various Application Pool identities (IIS APPPOOL\NET v4.5, IIS APPPOOL\DefaultAppPool, IIS APPPOOL\.NET v4.5 Classic) to the Local Security Policy User Rights Assignment; however, these are then overwritten when Group Policy is applied.
I appreciate that IIS APPPOOL\xxxxx can't be added to Group Policy; however, I'm not sure what is considered best practice in this scenario. With the NT Service virtual accounts there is NT SERVICE\ALL SERVICES, which can be added to Group Policy, but there doesn't appear to be an equivalent for IIS APPPOOL.
The options that come to mind are:
Change the IIS Application Pool to run as NT Service
Change the IIS Application Pool to run as domain account
Neither option seems to be ideal. Is there another option I'm not aware of, or is using NT Service the lesser of two evils?