Friday, 12 February 2010

How to figure out who runs your IIS process

I was asked the following, totally normal sysadmin question; will the Internet Information Service at a given server be allowed to write to a network-mapped folder. Whoa.

Had this been Linux, it would have been an easy one, but since it was Windows, it instead turned into a Valuable Learning Experience.

Through some creative googling and a wee bit of experimentation, here’s how, on a Windows 2003 or XP, using IIS 6.

First we need the Internet Information Services (or is it Server?) management interface.

·         Open Start menu à Administrative tools à IIS Manager

Then we need to know which Application Pool runs a given Web Site, marked relevant web site below:

·         Click your way: IIS Manager à server name à Web Sites à relevant web site [right-click] à Properties

·         Relevant Web Site Properties à Home Directory à Application Settings à Application Pool à Which Application Pool

On a one-site server, this may turn out to be default application pool DefaultAppPool. Oh if things were more exciting J

Now we’ll figure out who runs That Application Pool:

·         IIS Manager à server name à Application Pools à That Application Pool [right-click] à Properties.

·         ThatAppPool Properties à Identity à The Service Account You Are Looking For

Again, on a one-site server, it just might be Network Service. There is something in me that rings a small alert bell that this may not be the most secure of options. If some security guru knows better, please do leave a comment!

Alright, now we’ll need to check whether That Service Account has proper rights.

·         Open Windows Explorer on My Computer and right-click the folder you want to examine à Properties

·         From the Security Tab, click Advanced, and on the popped up dialog box, choose Effective Permissions

·         Press the Select button, fill in That Service Account and press Enter

The Effective Permissions will now be displayed.

Phew. Easy as algebra.