Microsoft IIS 7.0 and later offers many new features for
application security. One of them is the ability to assign each of
your ASP.NET applications its own isolated Application Pool. This
improves security because NTFS folder permissions can now be
assigned on a per-application basis: when you need to give an
ASP.NET application permission to read or write data in a
particular folder, you no longer have to allow every other ASP.NET
app on the same server to do so as well.

When developers who are new to IIS 7 first try to run an app,
they may get the error:

Access to the path 'C:\inetpub\MyWebSite\App_Data\MySiteData.xml' is denied.

This used to be fixed by simply adding the NetworkService account
to the folder permissions. While it is still possible to configure
your application to use the NetworkService account, it should be
avoided. This older method does not allow you to assign folder
permissions for ASP.NET on a per-application basis.

When you create a new ASP.NET application in IIS, it now by
default creates a new IIS App Pool with the same name and assigns
it to that application. If the application requires ASP.NET code
to create or modify files on the server, you will need to give it
permission. App_Data is one folder that often needs create and
modify access.

NOTE: The instructions below are intended for Windows Server
2008 R2.
If you need help with Windows Server 2008 go here, and here for Windows Server 2003.

You cannot currently browse for your new IIS App Pool account in
the GUI; however, you can still assign the folder permissions by
typing IIS APPPOOL\YourAppPoolName in the Select User or Groups
dialog box, which is accessible by clicking Add... Once the
account is listed, assign the permissions just as you would have
done before with the NetworkService account.
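
The same grant can be scripted instead of typed into the dialog. The PowerShell below is an added example, not part of the original article: it gives the app pool identity Modify on the App_Data folder, then lists shared identities that still hold write access there. YourAppPoolName is a placeholder, the path comes from the error message above, and the list of shared identities to review is an assumption.

```powershell
# Added example. Run from an elevated PowerShell prompt on the IIS server.
param(
    [string]$Path    = 'C:\inetpub\MyWebSite\App_Data',  # folder from the error message
    [string]$AppPool = 'YourAppPoolName'                 # placeholder app pool name
)

$identity = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$AppPool")

# Fail early if the identity does not resolve (pool name typo, pool not created yet).
try   { $null = $identity.Translate([System.Security.Principal.SecurityIdentifier]) }
catch { throw "Cannot resolve '$identity'. Check the application pool name." }

# Modify covers read, create, write and delete; inherit to subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'Modify', $inherit, 'None', 'Allow')

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Equivalent one-liner with icacls:
#   icacls "C:\inetpub\MyWebSite\App_Data" /grant "IIS APPPOOL\YourAppPoolName:(OI)(CI)M"

# Review step: shared identities (assumed list) that can still write to the folder.
# Any hit here means other applications on the server may share this access.
$shared = 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users', 'Everyone'
$write  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

(Get-Acl -Path $Path).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $shared -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $write) -ne 0
    } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

If the review step prints nothing, only the application's own pool identity (plus any administrative accounts) can write to the folder.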
