1.5 Ensure 'unique application pools' is set for sites

Information

Application Pool Identities allow each Application Pool to run under its own automatically managed virtual account (ApplicationPoolIdentity) without the need to create and manage local or domain accounts.

It is recommended that all Sites run under unique, dedicated Application Pools.

Rationale:

By setting sites to run under unique Application Pools, resource-intensive applications can be assigned to their own application pools, which can improve server and application performance. In addition, it helps maintain application availability: if an application in one pool fails, applications in other pools are not affected. Last, isolating applications in separate pools (each running as its own identity) helps mitigate the risk of one application gaining access to the resources of another. It is also recommended to stop any application pool that is not in use or was created by an installation such as .NET 4.0 setup.

Impact:

All sites will need to be run under unique dedicated Application Pools.

Solution

The following appcmd.exe command assigns an application pool to a site's root application. Use double quotes around the site path: cmd.exe does not treat single quotes as quoting characters, so a site name containing a space (for example Default Web Site) would be split into several arguments. The target pool must already exist (create one with appcmd add apppool /name:<apppool name>):

%systemroot%\system32\inetsrv\appcmd set app "<website name>/" /applicationpool:<apppool name>

The output of this command will be similar to the following: APP object 'Default Web Site/' changed (applicationPool:DefaultAppPool)

Run the above command once for each site listed, naming a different, dedicated application pool for each.

OR

Enter the following command in PowerShell (the IIS: drive requires the WebAdministration module; run Import-Module WebAdministration first) to configure:

Set-ItemProperty -Path 'IIS:\Sites\<website name>' -Name applicationPool -Value '<apppool name>'

OR

Open IIS Manager

Open the Sites node underneath the machine node

Select the Site to be changed

In the Actions pane, select Basic Settings

Click the Select... box next to the Application Pool text box

Select the desired Application Pool

Once selected, click OK
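The three methods above configure one site at a time. The following PowerShell script is an added example, not part of the CIS benchmark or the audit plugin: it audits every site for a shared application pool, optionally moves each offending site to a dedicated pool (assumed, for illustration, to be named after the site), and stops pools that no site or application references. It requires the WebAdministration module and an elevated prompt; the function names and the $Remediate switch are this example's own.

```powershell
# Added example (not CIS benchmark text): audit and remediate shared IIS application pools.
# Assumptions: WebAdministration module available, elevated prompt, dedicated pool = site name.
Import-Module WebAdministration

$Remediate = $false   # set to $true to create pools and move sites; $false only reports

function Get-SharedAppPoolReport {
    # Group sites by the pool their root application runs in. Any group holding
    # more than one site violates the "unique application pool" control.
    Get-Website |
        Group-Object -Property applicationPool |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                ApplicationPool = $_.Name
                Sites           = @($_.Group | ForEach-Object { $_.Name })
            }
        }
}

function Set-DedicatedAppPool {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [string] $PoolName = $SiteName   # assumption: one pool per site, named after the site
    )
    if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
        # A new pool inherits applicationPoolDefaults, so it runs as
        # ApplicationPoolIdentity with no local or domain account to manage.
        New-WebAppPool -Name $PoolName | Out-Null
    }
    # Same effect as: appcmd set app "<site>/" /applicationpool:<pool>
    Set-ItemProperty -Path "IIS:\Sites\$SiteName" -Name applicationPool -Value $PoolName
}

function Stop-UnusedAppPools {
    # Pools referenced by no site root and no nested application (for example
    # pools left behind by .NET setup) are stopped, not deleted, so they can be
    # reviewed before removal.
    $inUse = @(Get-Website | ForEach-Object { $_.applicationPool }) +
             @(Get-WebApplication | ForEach-Object { $_.applicationPool })
    Get-ChildItem IIS:\AppPools |
        Where-Object { $inUse -notcontains $_.Name -and $_.State -eq 'Started' } |
        ForEach-Object {
            Stop-WebAppPool -Name $_.Name
            $_.Name   # emit the name so the caller sees what was stopped
        }
}

$shared = Get-SharedAppPoolReport
if (-not $shared) {
    Write-Output 'PASS: every site runs in its own application pool.'
} else {
    Write-Output 'FAIL: the following application pools are shared by more than one site:'
    $shared | ForEach-Object { Write-Output ("  {0}: {1}" -f $_.ApplicationPool, ($_.Sites -join ', ')) }
    if ($Remediate) {
        foreach ($row in $shared) {
            # Leave the first site in the existing pool; move the others to dedicated pools.
            $row.Sites | Select-Object -Skip 1 | ForEach-Object { Set-DedicatedAppPool -SiteName $_ }
        }
    }
}
if ($Remediate) {
    $stopped = Stop-UnusedAppPools
    if ($stopped) { Write-Output ("Stopped unused pools: {0}" -f ($stopped -join ', ')) }
}
```

Only the site's root application is moved; applications nested under a site are separate nodes with their own applicationPool setting and are left where they are, so review them with Get-WebApplication before treating the site as fully isolated.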

Default Value:

By default, all Sites created will use the Default Application Pool (DefaultAppPool).

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv7|14.6

Plugin: Windows

Control ID: 2ef82cde8e04bdd3e8cfcd5214b7e2aa00a0f800424f9daccd0345d2038071d9