1.6 Ensure 'application pool identity' is configured for anonymous user identity

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

To achieve isolation in IIS, application pools can be run as separate identities. IIS can be configured to automatically use the application pool identity if no anonymous user account is configured for a web site. This can greatly reduce the number of accounts needed for web sites and make management of those accounts easier.

It is recommended the Application Pool Identity be set as the Anonymous User Identity.

Rationale:

Configuring the anonymous user identity to use the application pool identity helps ensure site isolation, provided each site is set to use its own application pool identity. Because a unique principal runs each application pool, anonymous requests to a site run under that site's least-privilege identity rather than a shared account. Additionally, it simplifies site management.

Impact:

N/A

Solution

The Anonymous User Identity can be set to Application Pool Identity by using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to set the username attribute of the anonymousAuthentication node in the IIS Manager GUI:

Open the IIS Manager GUI and navigate to the desired server, site, or application

In Features View, find and double-click the Authentication icon

Select the Anonymous Authentication option and in the Actions pane select Edit...

Choose Application pool identity in the modal window and then press the OK button

OR

To use AppCmd.exe to configure anonymousAuthentication at the server level, the command would look like this:

%systemroot%\system32\inetsrv\appcmd set config -section:anonymousAuthentication /username:"" --password

OR

Enter the following command in PowerShell to configure:

Set-ItemProperty -Path "IIS:\AppPools\<apppool name>" -Name passAnonymousToken -Value True
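The following script is an added example and not part of the CIS benchmark or Tenable audit text. It assumes the WebAdministration module is present and that it runs in an elevated session on the IIS host; it reports, per site, whether anonymous authentication still resolves to a named account (such as the IUSR default) and can optionally clear the userName attribute, which is what makes IIS fall back to the application pool identity.

```powershell
# Added example (not from the CIS page). Assumes WebAdministration and an elevated
# session on the IIS server being audited.
Import-Module WebAdministration

$filter  = 'system.webServer/security/authentication/anonymousAuthentication'
$appHost = 'MACHINE/WEBROOT/APPHOST'
$Remediate = $false   # set to $true to clear userName on failing sites

function Get-AnonymousIdentityReport {
    foreach ($site in Get-Website) {
        $user    = (Get-WebConfigurationProperty -Filter $filter -PSPath $appHost `
                        -Location $site.Name -Name 'userName').Value
        $enabled = (Get-WebConfigurationProperty -Filter $filter -PSPath $appHost `
                        -Location $site.Name -Name 'enabled').Value
        [pscustomobject]@{
            Site                = $site.Name
            AppPool             = $site.applicationPool
            AnonymousEnabled    = [bool]$enabled
            AnonymousUser       = $user
            # An empty userName means IIS uses the application pool identity.
            UsesAppPoolIdentity = [string]::IsNullOrEmpty($user)
        }
    }
}

$report = Get-AnonymousIdentityReport
$report | Format-Table -AutoSize

# A site fails 1.6 when anonymous auth is enabled but still bound to a named account.
$failing = $report | Where-Object { $_.AnonymousEnabled -and -not $_.UsesAppPoolIdentity }

if ($Remediate) {
    foreach ($f in $failing) {
        # Per-site equivalent of the appcmd command above: clearing userName
        # makes anonymous requests run as the site's application pool identity.
        Set-WebConfigurationProperty -Filter $filter -PSPath $appHost `
            -Location $f.Site -Name 'userName' -Value ''
    }
}
```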

Default Value:

The default identity for the anonymous user is the IUSR virtual account.

See Also

https://workbench.cisecurity.org/files/4131