Automatic Application Pool Isolation in IIS7 - why you'll want to use this

IIS7, which ships with the new Windows Server 2008 that just RTM'd, has a bunch of new features that are going to make life a lot easier for web developers and administrators.

The one we will look at today is called Automatic Application Pool Isolation. This means that when you create a new site on your web server, IIS creates a new AppPool for that site.

[Image: AppPool]

This shows the AppPool getting created when a new site is created. So what all does this mean? Well, there are a few things going on behind the scenes that are very important with regard to security and isolation.

  • When this is created, we will create a unique account on the machine that is based on this new AppPool using the NetworkService token.
  • Also, when this Application pool is created, we will create a new <AppPool>.config file for this process.  And it is configured so that only the account we just created can access it.

These two things combined mean that we can now separate this application so that both its configuration and the identity it runs under are isolated. All that is left to do is set permissions on the content for the site, and the site will be completely isolated from all other sites on the machine. This is a great thing for ISPs, as they will be able to make sure one site's users cannot access another site.
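The remaining step, permissions on the content, is where isolation usually leaks, so here is an added example (not from the original post) that audits content-directory ACLs, given as SDDL strings, for entries that let one site's pool read another site's files. The site names and SDDL strings are constructed, and the SID derivation in `app_pool_sid` is an assumption based on the commonly documented scheme, not something this page states.

```python
import hashlib
import re
import struct

# SDDL aliases for principals present in every worker process token, so an
# allow ACE for any of them is shared by all sites on the server.
SHARED = {"WD": "Everyone", "AU": "Authenticated Users",
          "BU": "Users", "NS": "NETWORK SERVICE"}
# Allow ACE layout: (A;flags;rights;object_guid;inherit_guid;trustee)
ALLOW_ACE = re.compile(r"\(A;[^;]*;[^;]*;[^;]*;[^;]*;([^;)]+)\)")

def app_pool_sid(pool_name):
    """Assumed derivation: S-1-5-82 plus the SHA-1 of the lower-cased
    UTF-16LE pool name, read as five little-endian 32-bit integers."""
    digest = hashlib.sha1(pool_name.lower().encode("utf-16-le")).digest()
    return "S-1-5-82-" + "-".join(str(n) for n in struct.unpack("<5I", digest))

def audit_content_acls(sites):
    """sites maps site name -> (pool name, SDDL of the content directory).
    Returns (site, finding) pairs for ACLs that break per-site isolation."""
    sid_to_pool = {app_pool_sid(pool): pool for pool, _ in sites.values()}
    findings = []
    for site, (pool, sddl) in sites.items():
        own_sid = app_pool_sid(pool)
        trustees = ALLOW_ACE.findall(sddl)
        for trustee in trustees:
            if trustee in SHARED:
                findings.append((site, "shared principal: " + SHARED[trustee]))
            elif trustee in sid_to_pool and trustee != own_sid:
                findings.append((site, "other pool: " + sid_to_pool[trustee]))
        if own_sid not in trustees:
            findings.append((site, "own pool has no allow ACE"))
    return findings

# Constructed sample: two hypothetical sites, each with a pool of the same name.
SAMPLE = {
    "contoso": ("contoso", "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
                "(A;OICI;0x1200a9;;;%s)" % app_pool_sid("contoso")),
    "fabrikam": ("fabrikam", "D:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;NS)"
                 "(A;OICI;0x1200a9;;;%s)" % app_pool_sid("contoso")),
}

if __name__ == "__main__":
    for site, finding in audit_content_acls(SAMPLE):
        print(site, "->", finding)
```

Because every pool runs on the NetworkService token, an allow ACE for NETWORK SERVICE on a content directory is effectively a grant to every site on the machine, which is why the audit flags it.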
