Sigh... security continues to befuddle users... because why would you change the Service User Account from LocalSystem to Local Administrator? Not only is the action unsupported, but the configuration does not work, and it does not help system security... so why even do it?

Question:

Hi all

I run IIS 6.0 and want change Windows service (World Wide Web Publishing) log on from "Local System" to a domain account. Unfortunately I get following error:
"Error 5: Access is denied."

The domain account is in the local admin group.

Do you have an idea why? Many thanks in advance.

Answer:

Unfortunately, what you are attempting to do is unsupported, and the configuration fails by-design. Can you describe what you are TRYING to accomplish, not HOW you want to accomplish it.

Also, you assume that Administrators never get Access Denied... so please read the following blog entry on why that assumption is untrue. 

You cannot change the service user account for any IIS service, such as the "World Wide Web Publishing" service or the "IIS Admin" service. Period. It does not matter if the replacement user account is a Local Administrator. Just because you can do something does not mean it works; we simply did not design IIS to function that way.

Besides being unsupported, changing the service user account from LocalSystem to Local Administrator does not improve security, so...

IIS6, Conceptually

Now, if you are trying to "secure" IIS6 by making it isolate your applications with a specific domain user, that can be easily accomplished in a supported way - just not by what you are doing.

Conceptually, IIS 6 consists of four major interacting pieces - W3SVC, IISADMIN, HTTP, and W3WP.

  • HTTP is the kernel mode driver which picks up data from the network, parses and validates that data as an HTTP request, and then sends that request into user mode for processing by IIS W3WP.
  • IISADMIN is the user mode NT service, running as LocalSystem, which handles all operations to read/write configuration (such as by adminstration scripts, W3SVC, W3WP worker processes, etc). It does NOT run any user code in IIS6 Worker Process Isolation Mode (default on clean OS install).
  • W3SVC is the user mode NT service, running as LocalSystem, which tells HTTP where to send the HTTP requests, performs health-monitoring tasks on the W3WP worker processes handling HTTP requests, and manages other "IIS" functionality like keeping performance counters. It does NOT run any user code.
  • W3WP is the user mode worker process, running with a configurable process identity (defaults to unprivileged Network Service account), which actually processes and executes the HTTP requests. It runs all user code.

From a security perspective, you just need to worry about the process account of W3WP that executes user code because that identity is the worst an exploit can access (I presume that you do the secure thing of configuring authenticated users, including anonymous users, to have lower privileges). And since IIS 6 uses the unprivileged Network Service by default, IIS 6 comes highly secured.

As for the user identity used to execute user code, that really depends on the application framework of the user code. This blog entry describes how user impersonation works on IIS 6.

So, really... one should never need to change the Service User Account for IIS 6 - not only is it unsupported and non-functional, it is also non-necessary because the feature already exists.

//David