IIS 7.5 Application Pools: Understanding default identity “ApplicationPoolIdentity”

In earlier versions of IIS the default identity for application pools was "NetworkService". With this option every application pool runs under the same built-in, low-privileged Windows account "NT AUTHORITY\NETWORK SERVICE". The disadvantage of this (old default) is that all pools sharing "NETWORK SERVICE" are not isolated from each other: any file permission granted to that account applies to every pool, so the code in one pool can read, write or execute the files of the other pools.

IIS 7 introduced application pool identities ("ApplicationPoolIdentity"), and in IIS 7.5 this became the default identity for application pools. With this setting Windows runs each application pool under an automatically created virtual account named "IIS AppPool\<name of your application pool>". Note that this virtual account has no password to manage and is not listed in the Windows user management console (Local Users and Groups); when the pool accesses resources over the network it still authenticates as the machine account, just as "NETWORK SERVICE" does.

To grant one of these virtual accounts permissions on a file or directory, add the (virtual) identity to the file's or directory's Access Control List (ACL). To do so, open the Security tab of the file's or folder's Properties dialog, click Edit, then Add, and select the account as follows:

  • Set the location to your local machine (not the domain)
  • Set the object's name to "IIS AppPool\<name of your application pool>" and click Check Names
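The same procedure as an added example in PowerShell (not code from the original post), so it can be scripted and verified instead of clicked through. The pool name "MyAppPool" and the folder C:\inetpub\wwwroot\MyApp\App_Data are placeholders; it assumes an elevated session on the IIS host with the WebAdministration module available. The pool is created first because the "IIS AppPool\<name>" identity only resolves once the pool exists in the IIS configuration.

```powershell
# Added example, not from the original post. Placeholder names: $PoolName, $AppData.
# Run elevated on the IIS 7.5 host.
Import-Module WebAdministration

$PoolName = 'MyAppPool'                                  # assumption: pool name
$AppData  = 'C:\inetpub\wwwroot\MyApp\App_Data'          # assumption: writable folder
$Identity = "IIS AppPool\$PoolName"                      # virtual account of the pool

# 1. Create the pool if it is missing and make sure it runs under its own
#    virtual account instead of the shared NetworkService account.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
    New-WebAppPool -Name $PoolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel `
    -Value @{ identityType = 'ApplicationPoolIdentity' }
$type = (Get-ItemProperty "IIS:\AppPools\$PoolName").processModel.identityType
Write-Host "Pool '$PoolName' runs as: $type"

# 2. Grant only this pool's identity Modify rights on its own writable folder.
#    ContainerInherit/ObjectInherit make the ACE apply to subfolders and files.
New-Item -ItemType Directory -Path $AppData -Force | Out-Null
$acl  = Get-Acl -Path $AppData
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity,
            'Modify',
            'ContainerInherit, ObjectInherit',
            'None',
            'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppData -AclObject $acl
# Equivalent one-liner: icacls $AppData /grant "${Identity}:(OI)(CI)M"

# 3. Verify: show every ACE on the folder that refers to an app pool identity.
#    Only this pool's virtual account should appear; another pool's account
#    listed here would mean the isolation has been undone.
Get-Acl -Path $AppData |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Repeat step 2 for each pool with its own folder; the point of the design is that "IIS AppPool\MyAppPool" is never granted rights on another pool's files.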

In summary, application pool identities let a system administrator isolate multiple application pools from each other without manually creating accounts and managing passwords. One caveat: every application pool identity is automatically a member of the built-in IIS_IUSRS group, so permissions granted to IIS_IUSRS apply to all pools at once and should be kept to the minimum needed; per-pool access belongs on the "IIS AppPool\<name>" account.