These built-in accounts serve distinct functions in IIS authentication and process isolation:
- IUSR (Internet User Account): Handles anonymous authentication for web requests. When configured for anonymous access, IIS impersonates this account.
- IWAM (Internet Web Application Manager): Used to launch out-of-process COM+ applications in IIS 6 and earlier versions.
| Account | Scope | Default Permissions | IIS Version Usage |
|---|---|---|---|
| IUSR_[ServerName] | Local machine | Read/Execute on web content | All versions |
| IWAM_[ServerName] | Local machine | COM+ access rights | Primarily IIS 6 |
The names derive from:
- IUSR = Internet User
- IWAM = Internet Web Application Manager
When configuring application pools, consider these security implications:
```powershell
# Example of setting Application Pool Identity in PowerShell (IIS 7+)
Import-Module WebAdministration
# processModel accepts a hashtable of its attributes. The password ends up
# (encrypted) in applicationHost.config, so do not leave a real one in a script file.
Set-ItemProperty "IIS:\AppPools\MyAppPool" -Name processModel -Value @{
    identityType = "SpecificUser"
    userName     = "DOMAIN\CustomAppPoolUser"
    password     = "P@ssw0rd123"
}
```
In domain-joined scenarios:
- IUSR becomes IUSR_ServerName$ (machine account)
- Kerberos authentication requires SPN registration
- Consider using domain accounts for isolation between applications
Create dedicated accounts when:
- Hosting multiple applications with different security requirements
- Needing to audit specific application activity
- Implementing least-privilege security model
Sample permission assignment for custom accounts:
```powershell
# Grant read access to web content
icacls "C:\inetpub\wwwroot\sitename" /grant "CustomIUSR:(OI)(CI)(RX)"
icacls "C:\inetpub\temp" /grant "CustomIWAM:(OI)(CI)(M)"
# Configure anonymous authentication to use custom account
# (appcmd.exe lives in %windir%\system32\inetsrv; the whole command is one line)
appcmd set config "Default Web Site" /section:anonymousAuthentication /userName:"CustomIUSR" /password:"SecurePass123" /commit:apphost
```
- Regularly audit account permissions using `whoami /priv`
- Implement password rotation for custom accounts
- Enable auditing for account usage in Event Viewer
- Consider using Managed Service Accounts in domain environments
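The procedure described in this answer (a dedicated pool, anonymous requests running as that pool's identity, least-privilege NTFS rights, then a check of what was applied) carried through in one script. This is an added example, not code from the original answer. It assumes IIS 7.5 or later with the WebAdministration module, an elevated PowerShell prompt, and the placeholder names Site1, Site1Pool, port 8081 and C:\inetpub\Site1. Instead of a custom user with a stored password it uses the per-pool virtual account IIS creates (IIS AppPool\Site1Pool), which meets the same isolation goal with nothing to rotate.

```powershell
# Added example: one site, one pool, one identity. All names are placeholders.
Import-Module WebAdministration

$siteName = 'Site1'
$poolName = 'Site1Pool'
$siteRoot = 'C:\inetpub\Site1'
$poolUser = "IIS AppPool\$poolName"   # virtual account IIS derives from the pool name

# Content root plus a writable App_Data folder (assumed layout).
New-Item -ItemType Directory -Path "$siteRoot\App_Data" -Force | Out-Null

# 1. Dedicated application pool running as its own virtual account:
#    no password in applicationHost.config, nothing to rotate.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value ApplicationPoolIdentity

# 2. Site bound to that pool (port 8081 avoids clashing with Default Web Site).
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $siteRoot -ApplicationPool $poolName -Port 8081 | Out-Null
}

# 3. Anonymous requests run as the pool identity instead of the shared IUSR.
#    An empty userName is how IIS expresses "use the application pool identity".
#    Writing with -PSPath 'IIS:\' -Location stores it in applicationHost.config,
#    which works even though the authentication sections are locked for web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 4. Least privilege on disk: read/execute on content, modify only where the app must write.
icacls $siteRoot /grant "${poolUser}:(OI)(CI)(RX)" | Out-Null
icacls "$siteRoot\App_Data" /grant "${poolUser}:(OI)(CI)(M)" | Out-Null

# 5. Check what actually got applied before trusting it.
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel |
    Select-Object identityType, userName
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName
(Get-Acl $siteRoot).Access |
    Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The final ACL listing is the part worth keeping in a change ticket: it shows that only the one pool's virtual account was granted rights on that site's content, so a compromise of another pool on the same box gains nothing from this folder.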
These built-in accounts serve distinct roles in IIS authentication and process isolation:
- IUSR_[MachineName]: Stands for "Internet User Account" - handles anonymous authentication
- IWAM_[MachineName]: "Internet Web Application Manager" - runs out-of-process applications (COM+)
| Account | Default Privileges | Usage Context |
|---|---|---|
| IUSR | Read/execute only | Anonymous web requests |
| IWAM | Medium trust level | Application pool identity |
The account prefixes are meaningful:
- IUSR = Internet User
- IWAM = Internet Web Application Manager
For domain-joined servers, consider these modifications:
- Replace Network Service with domain accounts for better auditing
- Create custom application pool identities per site
- Set minimum required NTFS permissions
Create dedicated accounts when:
- Hosting multiple high-security sites
- Needing granular permission controls
- Running in a domain environment
PowerShell script for creating domain accounts:
```powershell
# Create domain account for web app
Import-Module ActiveDirectory
New-ADUser -Name "WebApp1_IUSR" `
    -AccountPassword (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true
# Set IIS to use the new account (server-wide; add -Location "SiteName" to scope it to one site).
# Both userName and password must be set, or anonymous logons with the new account fail.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath "IIS:\" `
    -Filter "/system.webServer/security/authentication/anonymousAuthentication" `
    -Name "userName" -Value "DOMAIN\WebApp1_IUSR"
Set-WebConfigurationProperty -PSPath "IIS:\" `
    -Filter "/system.webServer/security/authentication/anonymousAuthentication" `
    -Name "password" -Value "P@ssw0rd!"
```
Comparison of built-in service accounts:
- Network Service: Moderate privileges, network access
- Local Service: Limited local privileges
- Local System: Avoid - excessive privileges
In domain scenarios:
1. Use Group Managed Service Accounts (gMSAs) when possible
2. Configure constrained delegation for cross-server access
3. Implement proper Kerberos SPNs for authentication
Setting folder permissions via ICACLS:
```powershell
# Quote the whole account:permission argument; in PowerShell an unquoted "(OI)" is parsed as an expression.
icacls C:\WebSites\App1 /grant "DOMAIN\WebApp1_IUSR:(OI)(CI)(RX)"
icacls C:\WebSites\App1\Data /grant "DOMAIN\WebApp1_IUSR:(OI)(CI)(M)"
```
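The three domain steps listed in this answer (gMSA, constrained delegation, Kerberos SPNs) carried through as one script. This is an added example, not code from the answer. It assumes a domain CORP whose KDS root key already exists (Add-KdsRootKey), the RSAT ActiveDirectory module on an admin workstation and on the web server, the WebAdministration module on the web server, and the placeholder names gMSA-WebApp1, WEB01, app1.corp.example, a site App1 in pool App1Pool, and a back-end SQL01. Part 1 runs on the admin workstation, part 2 on WEB01.

```powershell
# Added example. Part 1: on an admin workstation with the AD module.
Import-Module ActiveDirectory

$domain   = 'CORP'
$gmsaName = 'gMSA-WebApp1'                 # sAMAccountName stays under the 15-character limit
$webHost  = 'WEB01'
$siteFqdn = 'app1.corp.example'
$spns     = @("HTTP/$siteFqdn", "HTTP/$($siteFqdn.Split('.')[0])")

# Duplicate-SPN check first: a second HTTP/ SPN on another account breaks Kerberos
# for the site and clients quietly fall back to NTLM.
foreach ($spn in $spns) { setspn -Q $spn }

# 1. gMSA whose password only WEB01 can retrieve; AD rotates it (30 days by default).
#    Registering the SPNs on this account is what lets the pool decrypt tickets for the site.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$(($siteFqdn -split '\.', 2)[1])" `
    -PrincipalsAllowedToRetrieveManagedPassword "$webHost$" `
    -ServicePrincipalNames $spns

# 2. Constrained delegation: the pool may forward the caller's identity to SQL01 only.
Set-ADServiceAccount -Identity $gmsaName `
    -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.example:1433' }

# Part 2: on WEB01 (reboot, or at least a fresh logon, so the host's Kerberos ticket
# reflects the retrieval permission granted above).
Import-Module ActiveDirectory
Import-Module WebAdministration

Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "$webHost cannot retrieve the password for $gmsaName; fix that before touching IIS"
}

# 3. Pool runs as the gMSA. Empty password: IIS pulls it from AD, so nothing secret is stored.
Set-ItemProperty "IIS:\AppPools\App1Pool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = "$domain\$gmsaName$"
    password     = ''
}

# 4. With a custom pool identity and kernel-mode Windows authentication, IIS must decrypt
#    tickets with the pool's credentials rather than the machine account's, otherwise the
#    SPNs registered in step 1 are never used.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'App1' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

Restart-WebAppPool -Name 'App1Pool'
```

Test-ADServiceAccount returning False is the usual failure point: the host was added to the retrieval principals after its last logon, so it still holds a ticket without that right. Step 2 deliberately lists a single target SPN; leaving msDS-AllowedToDelegateTo empty and enabling unconstrained delegation instead would let a compromised pool impersonate users to any service.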