web analytics

Understanding Built-In User and Group Accounts in IIS


codeling 1572 - 6552
@2019-07-25 13:29:42

IUSR Account

Anonymous authentication allows users to access public areas of the website without being prompted for a user name or password. In IIS 7.0 and later versions, a built-in account, IUSR, is used for providing anonymous access. This built-in account does not require a password. It will be the default identity that is used when anonymous authentication is enabled. In the ApplicationHost.config file, you can see the following definition:

    <anonymousAuthentication enabled="true" userName="IUSR" />

This tells IIS to use the new built-in account for all anonymous authentication requests. The biggest advantages to doing this are the following:

  • You no longer have to worry about passwords expiring for this account.
  • You can use xcopy /o to copy files together with their ownership and ACL information to different computers seamlessly.

You can also provide anonymous authentication to your website by using a specific Windows account or application pool identity instead of an IUSR account.

The IUSR account is similar to LOCALSERVICE in the manner in which it acts anonymously on the network. The NETWORKSERVICE and LOCALSYSTEM accounts can act as the machine identity, but the IUSR account cannot because it would require an elevation of user rights. If you need the anonymous account to have rights on the network, you must create a new user account and set the user name and password manually, as you did in the past for anonymous authentication.

To grant an anonymous account rights on the network by using IIS Manager:

  1. Click Start, type INetMgr.exe, and then click Enter. If prompted, click Continue to elevate your permissions.
  2. In the Connections section, click the + button next to the name of your computer.
  3. In IIS Manager, double-click the site that you want to administer.
  4. In the Features View, double-click Authentication.
  5. Select Anonymous Authentication, and then click Edit in the Actions pane.
  6. In the Edit Anonymous Authentication Credentials dialog box, click the Specific user option, and then click Set.
  7. In the Set Credentials dialog box, input the user name and password desired, and then click OK.
@2019-07-25 13:35:24


The IIS_IUSRS group replaces the IIS_WPG group in IIS 7 and above. This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.

@2019-07-25 14:18:44

ASP.NET Impersonation

Literally, impersonation means the act of pretending to be another person. In technical terms, it is an ASP.NET security feature that provides the ability to control the identity under which application code is run. Impersonation occurs when ASP.NET runs code in the context of an authenticated and authorized client. IIS provides anonymous access to resources by using an IUSR account. After the request is passed along to ASP.NET, the application code is run by using the application pool identity.

Impersonation can be enabled both through IIS and ASP.NET code if the application uses anonymous authentication, and if one of the following conditions is true:

  • If IMPERSONATION is disabled, the application pool identity is used to run the application code.
  • If IMPERSONATION is enabled, "NT AUTHORITY\IUSR" is used to run the application code.

When impersonation is enabled through IIS, it adds the following tag in the Web.config file of the application to impersonate the IIS Authenticated Account or User:

<identity impersonate="true" />

To impersonate a specific user for all requests on all pages of an ASP.NET application, you can specify the user name and password attributes in the <identity> tag of the Web.config file for that application.

<identity impersonate="true" userName="accountname" password="password" />

Note: the account specified in <identity> has to belong to IIS_IUSRS local group to be able to run web app on local machine.

@2019-07-25 14:19:37

Application pool identities

To understand application pool identities, you have to understand what an identity is. In simple terms, an identity is a Windows account. Every process that runs in Windows runs under an identity. The applications are run by the worker process by using a Windows identity. The Windows identity that is used is dependent on the application pool identity, which can be any of the following accounts:


Application Pool identities

  • Local System: Completely trusted account that has very high privileges and also has access to network resources.
  • Network Service: Restricted or limited service account that is generally used to run standard, least-privileged services. This account has fewer privileges than a Local System account. This account has access to network resources.
  • Local Service: Restricted or limited service account that is very similar to Network Service and is intended to run standard, least-privileged services. This account does not have access to network resources.
  • ApplicationPoolIdentity: When a new application pool is created, IIS creates a virtual account that has the name of the new application pool and that runs the application pool worker process under this account. This is also a least-privileged account.
  • Custom account: In addition to these built-in accounts, you can also use a custom account by specifying the user name and password.


You must Sign In to comment on this topic.

© 2022 Digcode.com