
I am planning to host some asp.net apps which require full trust. The sites will be under different domain names and I am the admin of the server. They will be hosted on Windows 2008 R2 (IIS 7.5). I don't want the users to have the ability to access the registry, event log, folders outside their site's folders and so on.

What are the steps to 'sandbox' these sites so they work in full trust but are unable to do any harm to the server even if the site owner tried to?

Tony_Henrich

1 Answer

If you're planning on having a separate application pool per site then this is pretty straightforward to lock down using Application Pool identities.

  1. When you create an application pool for a site set the worker process Identity (Advanced Settings -> Process Model) to ApplicationIdentity.

  2. Create your website and specify its dedicated application pool.

  3. Navigate to the site's Features View and open the Authentication applet. Make sure Anonymous Authentication is enabled then select and edit this property (or right click on Anonymous Authentication). Change the Anonymous user identity to "Application Pool Identity".

  4. In Explorer, browse to the site's web folders and open the Security tab of the folder properties. Add the application pool identity by specifying IIS AppPool\[ApplicationPoolName], e.g. IIS AppPool\BobsBlogSite. Set the permissions you want to grant to the site, i.e. Read/Write/Execute etc.

One thing to watch: wherever you locate each site's website folders (e.g. C:\Websites, where you might have C:\Websites\site1, C:\Websites\site2 etc.), remember to break any ACL inheritance so that you don't accidentally leak access via group membership such as Users or IIS_IUSRS if they've been added to C:\.

We usually remove all rights at the C:\Websites folder with the exception of SYSTEM and Administrators.

For further reading see the following articles:

  • Application Pool Identities (IIS.NET)
  • New in IIS 7 - App Pool Isolation

Kev
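As an added example (not part of Kev's answer, nor Microsoft's own documentation), the PowerShell script below automates steps 1 to 4 above together with the C:\Websites root lock-down, using the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2. The site name BobsBlogSite, the host header blog.example.com, the C:\Websites root and the choice of ReadAndExecute on the site folder with Modify only on App_Data are assumptions; the helper names New-IsolatedSite, Set-LockedDownAcl, New-Ace and Test-NoLeakedAccess are mine. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original answer. Assumes IIS 7.5 with the
# WebAdministration module, an elevated session, and C:\Websites as the root.
Import-Module WebAdministration

$WebRoot = 'C:\Websites'   # assumed root folder for all sites

function New-Ace {
    # Allow rule that propagates to subfolders and files.
    param([string]$Identity, [string]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

function Set-LockedDownAcl {
    # Replace a folder's DACL with an explicit, non-inherited set of rules.
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemAccessRule[]]$Rules
    )
    $acl = Get-Acl -Path $Path
    # Break inheritance and discard inherited entries (e.g. Users or IIS_IUSRS
    # coming down from C:\) instead of copying them onto the folder.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove whatever explicit entries were already present.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function New-IsolatedSite {
    # Steps 1-4 of the answer for one site with its own pool and virtual account.
    param([string]$SiteName, [string]$HostHeader)
    $poolName = $SiteName
    $sitePath = Join-Path $WebRoot $SiteName
    $poolId   = "IIS AppPool\$poolName"   # virtual account the worker runs as

    New-Item -ItemType Directory -Path (Join-Path $sitePath 'App_Data') -Force | Out-Null

    # Step 1: dedicated pool whose Process Model identity is ApplicationPoolIdentity.
    New-WebAppPool -Name $poolName | Out-Null
    Set-ItemProperty -Path "IIS:\AppPools\$poolName" `
        -Name processModel.identityType -Value 'ApplicationPoolIdentity'

    # Step 2: the site, bound to that pool.
    New-Website -Name $SiteName -PhysicalPath $sitePath -ApplicationPool $poolName `
        -HostHeader $HostHeader -Port 80 | Out-Null

    # Step 3: anonymous requests run as the pool identity (empty userName), not IUSR.
    $anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter $anonFilter -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter $anonFilter -Name userName -Value ''

    # Step 4: NTFS rights. The pool identity can read and execute its own files;
    # only App_Data is writable. SYSTEM and Administrators keep full control.
    Set-LockedDownAcl -Path $sitePath -Rules @(
        (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'),
        (New-Ace 'BUILTIN\Administrators' 'FullControl'),
        (New-Ace $poolId 'ReadAndExecute')
    )
    Set-LockedDownAcl -Path (Join-Path $sitePath 'App_Data') -Rules @(
        (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'),
        (New-Ace 'BUILTIN\Administrators' 'FullControl'),
        (New-Ace $poolId 'Modify')
    )
}

function Test-NoLeakedAccess {
    # Check: $true when no broad group still holds rights on the folder.
    param([string]$Path)
    $broad = 'BUILTIN\Users', 'BUILTIN\IIS_IUSRS', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $leaks = (Get-Acl -Path $Path).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value }
    return (@($leaks).Count -eq 0)
}

# Root folder first: inheritance broken, only SYSTEM and Administrators remain,
# so nothing reaches the pool identities via group membership granted on C:\.
New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
Set-LockedDownAcl -Path $WebRoot -Rules @(
    (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'),
    (New-Ace 'BUILTIN\Administrators' 'FullControl')
)

# Constructed sample site.
New-IsolatedSite -SiteName 'BobsBlogSite' -HostHeader 'blog.example.com'
Test-NoLeakedAccess -Path (Join-Path $WebRoot 'BobsBlogSite')
```

The worker process still reaches C:\Websites\BobsBlogSite without any rights on C:\Websites because the Bypass traverse checking privilege is granted to Everyone by default; the root lock-down only stops it from listing or reading the neighbouring site folders. Repeat New-IsolatedSite for each site, and run Test-NoLeakedAccess after any later change to the folder tree to confirm no broad group has crept back in.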