Could you describe how an IIS Web application pool works? How do Web application pools relate to enterprise security, and are they a worthwhile feature to utilize?
An IIS Web application pool is a feature worth implementing on any IIS Web server running multiple applications or sites, as it can isolate applications from each other even though they are being hosted on the same server. It can improve the overall reliability of the server and the applications running on it, and can be used to improve security as well.
An application pool is a group of one or more applications, as defined by their URLs, that share the same worker process. A worker process runs the website. Each application pool has one or more worker processes. The worker processes are unique to the application pool and are not shared across application pools.
As each worker process operates as a separate instance, it provides a process boundary so an application in one application pool isn't affected by problems in another pool. If an application crashes or has a memory leak, it won’t affect other sites in other application pools, as each application pool has its own worker process and server resources.
Multiple application pools can operate at the same time, each configured differently in terms of resource usage and can even been shut down after a period of inactivity until it is needed again. CPU monitoring can prevent a site from hogging the server’s CPU, and worker process recycling replaces the instance of an application in memory, helping to keep problematic applications running smoothly and minimizing problems, such as memory leaks.
Not only do multiple application pools increase the availability of applications, but they also help security. For example, you may want to create a separate application pool for each application that requires a high level of security, while allowing applications that require a lower level of security to share the same application pool. This type of configuration lets you make use of Application Pool Identities, which allow you to run application pools under a unique virtual account without having to create and manage domain or local accounts, a method that is often tedious and inadequate for establishing the ideal levels of privileged access.
By default, worker processes run under the local NetworkService account, a built-in Windows identity with relatively low-level privileges. Although running services with a low-privileged account is good security practice, a lot of Windows system services run using this account as well. Any service running as NetworkService could possibly access other NetworkService-owned services. As IIS worker processes typically run customized code, such as ASP.NET and PHP, they should be separated from other Windows system services by using a different application pool identity.
I certainly recommend you customize your application pools and use different identities to achieve the degree of application isolation you need for your particular environment.
This was first published in August 2011