Reduce MRS Permissions to ApplicationPoolIdentity
Idea shared by Howell Dell - November 13, 2015 at 10:38 AM
Proposed
Why are we still running MRS with IIS 8.5 on Windows Server 2012 R2 using NetworkService?
 
For details see http://portal.smartertools.com/kb/a2814/set-up-smartermail-as-an-iis-site-in-iis-8.aspx.

From what I understand the NetworkService account has the following privileges:

  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
  • SE_AUDIT_NAME (disabled)
  • SE_CHANGE_NOTIFY_NAME (enabled)
  • SE_CREATE_GLOBAL_NAME (enabled)
  • SE_IMPERSONATE_NAME (enabled)
  • SE_INCREASE_QUOTA_NAME (disabled)
  • SE_SHUTDOWN_NAME (disabled)
  • SE_UNDOCK_NAME (disabled)
  • Any privileges assigned to users and authenticated user
Again, from what I understand the ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying; however, the Users group has somewhat limited NTFS rights. When I set up the MRS folder I removed the Users group from the MRS folder and added the ApplicationPoolIdentity with R/W.
 
Now, I'm guessing that we can do better than this and mark most of it R/O, with a more limited set R/W!
 
Finally, I've been running SmarterMail V12 and V13 with ApplicationPoolIdentity without an issue.

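The steps the post describes (switch the application pool to ApplicationPoolIdentity, drop the Users group from the site folder, grant the pool's virtual identity read access everywhere and write access only where it is needed) can be scripted. The following PowerShell is an added example and is not code from the original post or from SmarterTools; the folder path `C:\inetpub\MRS`, the pool name `MRS` and the writable subfolder list are placeholders you would replace with your own values, since the post does not say which SmarterMail subfolders need write access. It must be run from an elevated shell on the IIS host with the WebAdministration module available.

```powershell
#Requires -RunAsAdministrator
# Added example: harden an IIS site folder for an ApplicationPoolIdentity pool.
# Assumptions (not from the post): the site lives in C:\inetpub\MRS, the pool
# is named "MRS", and only the subfolders in $WritableSubfolders need R/W.
param(
    [string]   $PoolName           = 'MRS',
    [string]   $SitePath           = 'C:\inetpub\MRS',
    [string[]] $WritableSubfolders = @('App_Data')   # placeholder list
)

Import-Module WebAdministration

# 1. Run the pool as its own virtual account instead of NetworkService.
#    identityType 'ApplicationPoolIdentity' makes the worker run as
#    "IIS AppPool\<PoolName>", which is what the NTFS ACLs below reference.
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" `
                 -Name processModel.identityType -Value ApplicationPoolIdentity
$PoolAccount = "IIS AppPool\$PoolName"

function New-Rule {
    # Build an inheritable allow rule (applies to this folder, subfolders, files).
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# 2. Root of the site: break inheritance WITHOUT copying the inherited entries,
#    which is what removes BUILTIN\Users (and anything else the parent granted).
#    Then add back only what the site needs: admins and SYSTEM for management,
#    the pool identity read-only.
$acl = Get-Acl -Path $SitePath
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Rule $PoolAccount             'ReadAndExecute'))
Set-Acl -Path $SitePath -AclObject $acl

# 3. Only the subfolders that must be written get Modify for the pool identity.
#    Modify (not FullControl) so the worker cannot change its own ACLs.
foreach ($sub in $WritableSubfolders) {
    $dir = Join-Path $SitePath $sub
    if (-not (Test-Path $dir)) { Write-Warning "Skipping missing folder $dir"; continue }
    $subAcl = Get-Acl -Path $dir
    $subAcl.AddAccessRule((New-Rule $PoolAccount 'Modify'))
    Set-Acl -Path $dir -AclObject $subAcl
}

# 4. Restart the pool so the worker picks up the new identity.
Restart-WebAppPool -Name $PoolName

# 5. Verification: fail loudly if the Users group still has any entry on the
#    root, and list what the pool identity actually ended up with.
$leftover = (Get-Acl $SitePath).Access |
            Where-Object { $_.IdentityReference -like '*\Users' }
if ($leftover) { throw "BUILTIN\Users still has access to $SitePath" }

Get-ChildItem -Path $SitePath -Directory -Recurse |
    ForEach-Object {
        $entries = (Get-Acl $_.FullName).Access |
                   Where-Object { $_.IdentityReference -eq $PoolAccount }
        foreach ($e in $entries) {
            [pscustomobject]@{ Folder = $_.FullName; Rights = $e.FileSystemRights }
        }
    } | Format-Table -AutoSize
```

The verification step at the end is the part worth keeping around: re-running it after an upgrade or a manual "fix" shows whether anyone has quietly re-added Users or widened the pool identity to Modify on the whole tree. Running the script against a copy of the site folder first is a cheap way to confirm the writable-subfolder list before applying it to production.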