IIS Folder user for php web site

Irfan Ranjha 21 Reputation points
2022-06-08T17:04:42.337+00:00

I'm learning about securing a web site on IIS. Through resources I learned that the better practice is to create a separate user for each web site and then assign that user to each application pool.

While setting up the user for the folder where the source for the web site exists, I found two options: one is to assign the same user as the app pool, and the other approach is to assign a user like "iis apppool\app pool name".

I want to know which approach is better for a PHP web site. Please also advise if there is any difference if I use the same approach for a .NET-based web site.

Internet Information Services

Accepted answer
  1. Bruce Zhang-MSFT 3,736 Reputation points
    2022-06-09T02:27:45.33+00:00

    Hi @Irfan Ranjha ,

    Both of them are suitable for your application, whether it is a PHP site or a .NET site. So you can assign a user like IUSR or an app pool like iis apppool\app pool name.

    Regarding the difference between them, if you assign a specific user to the folder, you need to set the identity of the application pool to this user. Then the permission of the application pool is decided by the specific user. An administrator can set the permission of the specific user in system group policy.

    If you add the app pool to the folder security directly, the application pool will only have permission to all content in this folder; you don't need to set the application pool identity.

    So from the perspective of permissions, the end result of both is to ensure that the application pool can control the folder. But with the first method, the permissions of the application pool are determined by the specific user's permissions (group policy), and with the second method, they are determined by the settings made when adding the pool to security. Also, the two belong to different domains. Users can belong to system or other groups. The application pool belongs to the IIS domain.



    Best regards,
    Bruce Zhang
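
The two options discussed in this thread, as an added PowerShell example that is not part of the original question or answer: it sets the application pool identity one way or the other and grants that identity read and execute rights on the site folder. The folder path, pool name and the account name `svc-phpsite` are assumptions.

```powershell
# Added example. $sitePath, $poolName and 'svc-phpsite' are assumed names.
Import-Module WebAdministration

$sitePath          = 'C:\inetpub\sites\phpsite'  # hypothetical content folder
$poolName          = 'PhpSitePool'               # hypothetical application pool
$useVirtualAccount = $true                       # $false = dedicated user

function Grant-ReadExecute {
    param([string]$Path, [string]$Account)
    # Read and execute only, inherited by subfolders and files. Write access
    # belongs on specific upload or cache folders, not on the whole site.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if ($useVirtualAccount) {
    # Option 1: the pool runs as its built-in virtual account (identityType 4,
    # ApplicationPoolIdentity). No password to manage.
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 4
    $account = "IIS AppPool\$poolName"
}
else {
    # Option 2: the pool runs as a dedicated, non-administrator user
    # (identityType 3, SpecificUser). The account must already exist.
    $cred = Get-Credential -UserName 'svc-phpsite' -Message "Identity for $poolName"
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
        identityType = 3
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
    $account = $cred.UserName
}

Grant-ReadExecute -Path $sitePath -Account $account

# Check: show what the chosen identity can do on the folder.
$leaf = $account.Split('\')[-1]
(Get-Acl -Path $sitePath).Access |
    Where-Object { $_.IdentityReference.Value -like "*$leaf" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Run it from an elevated PowerShell session on the IIS server; the final table should list only the rights granted here plus anything the folder inherits from its parent.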
