What is Network Service?
Q: In IIS 6, the web application's worker process is set to run under the process identity "Network Service". In IIS 5, out-of-process web applications are set to run as IWAM_
A: Network Service is a built-in account in Windows Server 2003. It is very important to understand the difference between the local user accounts (IUSR and IWAM) on IIS 5 and this built-in account. To understand this, you should know that every account in the Windows operating system is assigned a SID (security identifier). The server works with the SID rather than with the name associated with it; the name is only what you use when interacting through the user interface. Most of the accounts created on a server are local accounts, each with a unique SID that identifies the account as a member of that server's user database. Because the SID is unique only relative to that server, it is meaningless on any other system. So if you assign NTFS permissions on a file or folder to a local account and then copy the file together with its permissions to another computer, the target computer has no user account matching the migrated SID, even if it has an account with the same name. This creates a problem when replicating content that carries NTFS permissions.
Built-in accounts are special accounts or groups created by the operating system, such as the System account, Network Service, and the Everyone group. One property of these objects is that they have the same well-known SID on every system. When files with NTFS permissions assigned to a built-in account are copied, the permissions remain valid from server to server, because the built-in account's SID is identical on all servers. The Network Service account in Windows Server 2003 was designed specifically to give applications an account with sufficient permissions to access the network, and in IIS 6 it lets you run web applications without elevated permissions. This is big news for IIS security: there is no buffer, malicious applications cannot subvert the process identity, and an attack on an application cannot reach the System user context. More importantly, the "backdoor" into the System account no longer exists: the InProcessIsapiApps metabase key can no longer be used to load an application into the Inetinfo process.
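The replication problem described above can be checked before content is copied. The following script is an added example, not code from the original column: it takes a list of ACEs read from a file on the source server (here a constructed sample; the machine SID and RIDs are placeholders) and reports which entries refer to well-known SIDs, which survive the copy, and which refer to accounts local to the source machine and would become unresolvable SIDs on the target.

```python
from typing import List, NamedTuple

# Well-known SIDs that are identical on every Windows system (standard values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}

class Ace(NamedTuple):
    sid: str
    name: str      # name shown by the UI on the source server
    rights: str

class Finding(NamedTuple):
    sid: str
    name: str
    rights: str
    portable: bool
    reason: str

def audit_acl(aces: List[Ace], source_machine_sid: str) -> List[Finding]:
    """Classify each ACE by whether its SID still resolves after the file
    and its permissions are copied to a different server."""
    findings = []
    for ace in aces:
        if ace.sid in WELL_KNOWN_SIDS:
            findings.append(Finding(*ace, True, "well-known SID, same on every system"))
        elif ace.sid.startswith(source_machine_sid + "-"):
            rid = int(ace.sid.rsplit("-", 1)[1])   # RID of the local account/group
            findings.append(Finding(*ace, False,
                f"local account/group (RID {rid}) of the source machine; SID unresolvable elsewhere"))
        else:
            findings.append(Finding(*ace, False, "not well-known and not a source-machine SID; verify manually"))
    return findings

def orphaned_names(findings: List[Finding]) -> List[str]:
    """Names whose permissions will not carry over to the target server."""
    return [f.name for f in findings if not f.portable]

# Constructed sample: machine SID, RIDs and host name are placeholders, not real values.
SOURCE_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACL = [
    Ace(SOURCE_MACHINE_SID + "-1001", "WEB01\\IUSR_WEB01", "Read"),
    Ace(SOURCE_MACHINE_SID + "-1002", "WEB01\\IWAM_WEB01", "Read, Execute"),
    Ace(SOURCE_MACHINE_SID + "-1003", "WEB01\\IIS_WPG", "Read, Execute"),
    Ace("S-1-5-20", "NT AUTHORITY\\NETWORK SERVICE", "Read, Execute"),
    Ace("S-1-5-18", "NT AUTHORITY\\SYSTEM", "Full Control"),
]

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL, SOURCE_MACHINE_SID):
        print(("OK  " if f.portable else "LOST") + f" {f.name:<32} {f.rights:<14} {f.reason}")
```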
The Network Service account was not created solely with IIS 6 applications in mind, but it does hold most (not all) of the permissions that the W3WP.exe process identity requires. Just as the ASPNET user needs access to certain locations on an IIS 5 server, the W3WP.exe process identity needs access to similar locations, and it also needs certain user rights; by default these are granted through a built-in group.
For ease of management, the IIS_WPG group (IIS worker process group) is created when IIS 6 is installed; its members include Local System, Local Service, Network Service and the IWAM account. Members of IIS_WPG have the appropriate NTFS permissions and the necessary user rights to act as the process identity of a worker process in IIS 6. The following locations have permissions assigned to IIS_WPG:
• %WINDIR%\Help\IisHelp\Common: Read
• %WINDIR%\IIS Temporary Compressed Files: List, Read, Write
• %WINDIR%\system32\inetsrv\ASP Compiled Templates: Read
• Inetpub\wwwroot (or the content directory): Read, Execute
In addition, IIS_WPG has the following user rights:
• Bypass traverse checking (SeChangeNotifyPrivilege)
• Log on as a batch job (SeBatchLogonRight)
• Access this computer from the network (SeNetworkLogonRight)
Therefore, the Network Service account has access to the locations listed above, sufficient user rights to act as the process identity of the IIS 6 worker process, and access to the network.
http://www.microsoft.com/china/technet/community/columns/insider/iisi1203.mspx