Back to Community Threads
1
Reduce MRS Permissions to ApplicationPoolIdentity
Idea shared by Howell Dell - 11/13/2015 at 10:38 AM
Proposed
Why are we still running MRS with IIS 8.5 on Windows Server 2012 R2 using NetworkService?
 
See for details see http://portal.smartertools.com/kb/a2814/set-up-smartermail-as-an-iis-site-in-iis-8.aspx.

From what I understand the NetworkService account has the following privileges:

  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
  • SE_AUDIT_NAME (disabled)
  • SE_CHANGE_NOTIFY_NAME (enabled)
  • SE_CREATE_GLOBAL_NAME (enabled)
  • SE_IMPERSONATE_NAME (enabled)
  • SE_INCREASE_QUOTA_NAME (disabled)
  • SE_SHUTDOWN_NAME (disabled)
  • SE_UNDOCK_NAME (disabled)
  • Any privileges assigned to users and authenticated user
Again, from what I understand the ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights. When I setup the MRS folder I removed Users Group from the MRS folder and add the ApplicationPoolIdentity with R/W.
 
Now, I'm guessing that we can do better than this and mark most of the R/O with a more limited set R/W!
 
Finally, I've been running SmarterMail V12 and V13 with ApplicationPoolIdentity without an issue.
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Changing Ownership of SmarterMail on Linux: A Step-by-Step GuideSmarterMail > Server Configuration and Management
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Reset Administrator Username and PasswordSmarterMail > Installation and Configuration
Cannot Activate SmarterMailSmarterMail > Troubleshooting
Attaching SmarterMail 16.x and Older Domains to New BuildsSmarterMail > Domain/User Configuration and Management