Why are we still running MRS with IIS 8.5 on Windows Server 2012 R2 using NetworkService?
For details see http://portal.smartertools.com/kb/a2814/set-up-smartermail-as-an-iis-site-in-iis-8.aspx.
From what I understand the NetworkService account has the following privileges:
- SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
- SE_AUDIT_NAME (disabled)
- SE_CHANGE_NOTIFY_NAME (enabled)
- SE_CREATE_GLOBAL_NAME (enabled)
- SE_IMPERSONATE_NAME (enabled)
- SE_INCREASE_QUOTA_NAME (disabled)
- SE_SHUTDOWN_NAME (disabled)
- SE_UNDOCK_NAME (disabled)
- Any privileges assigned to the Users and Authenticated Users groups
Again, from what I understand, the ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. At first glance this may look somewhat worrying; however, the Users group has somewhat limited NTFS rights. When I set up the MRS folder I removed the Users group from the MRS folder and added the ApplicationPoolIdentity with R/W.
Now, I'm guessing that we can do better than this and mark most of it as R/O, with a more limited set as R/W!
Finally, I've been running SmarterMail V12 and V13 with ApplicationPoolIdentity without an issue.
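The folder permissioning described in the post above (drop the Users group from the site root, grant the pool identity access, keep most of the tree read-only and only a few subfolders writable), written out as an added PowerShell example. This is not code from the original post or from SmarterTools; the site root path, the application pool name and the list of writable subfolders are assumptions and need to be adjusted to the actual installation.

```powershell
# Added example, not from the original post or from the SmarterTools KB.
# Assumptions: the IIS site root is C:\SmarterMail\MRS, the application pool
# is named "SmarterMail", and only App_Data and Logs need to be writable.
$Root     = 'C:\SmarterMail\MRS'
$PoolName = 'SmarterMail'
$PoolId   = "IIS AppPool\$PoolName"   # virtual account behind ApplicationPoolIdentity

# Subfolders the worker process must be able to write to (assumed layout).
$WritableSubdirs = @('App_Data', 'Logs')

# 1. Stop inheriting from the parent, copying the current ACEs so that
#    nothing else breaks while the ACL is being edited.
icacls $Root /inheritance:d | Out-Null

# 2. Remove the broad BUILTIN\Users grant from the whole tree.
icacls $Root /remove:g 'BUILTIN\Users' /T /C | Out-Null

# 3. Grant the pool identity read/execute on the whole tree (R/O baseline) ...
icacls $Root /grant "${PoolId}:(OI)(CI)RX" /T /C | Out-Null

# 4. ... and Modify (R/W) only on the subfolders that actually need it.
foreach ($sub in $WritableSubdirs) {
    $path = Join-Path $Root $sub
    if (Test-Path $path) {
        icacls $path /grant "${PoolId}:(OI)(CI)M" /T /C | Out-Null
    }
}

# 5. Verify: show the resulting ACEs and warn if Users still has an entry.
$acl = Get-Acl $Root
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
$leftover = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }
if ($leftover) { Write-Warning "BUILTIN\Users still has access to $Root" }
```

Run this from an elevated PowerShell prompt after the site has been created, then browse the site once to confirm that nothing in the read-only part of the tree needs to be written to (the IIS log and the application's own log folder are the usual places where a write failure shows up).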