In IIS (Internet Information Services), an Application Pool Identity determines which account the application pool’s worker process (w3wp.exe) runs under. This identity controls the permissions the application has on the server, such as access to files, databases, and network resources.
Running each application pool under its own identity helps isolate applications, improving both security and stability.
Types of Application Pool Identities
IIS provides built-in accounts as well as the option to use custom accounts:
1. Built-in Accounts
- Local System
  - Very high privileges on the local machine (the most powerful local account)
  - Can access most system resources
  - Not recommended for web apps: a compromised application gains full control of the server
- Local Service
  - Low-privilege account with minimal rights on the local machine
  - Presents anonymous credentials when accessing network resources
- Network Service
  - Low-privilege account
  - Authenticates on the network using the computer's account credentials (DOMAIN\COMPUTERNAME$)
- ApplicationPoolIdentity (Default)
  - Introduced in IIS 7.5
  - IIS automatically creates a virtual account named IIS AppPool\<PoolName> for each application pool
  - Secure, least-privilege by default; the account is a member of IIS_IUSRS and, like Network Service, accesses the network as the computer account
  - Recommended for most scenarios
2. Custom User Account
You can configure an application pool to run under a specific user (identityType SpecificUser):
- Local user account: a manually created local Windows account
- Domain user account: useful when the app needs to access domain resources (SQL Server, file shares) under its own identity
- Credentials stored in configuration: for either kind of account, the user name and password are saved in the pool's processModel settings in applicationHost.config (IIS encrypts the password), so access to that file must be restricted
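The following PowerShell session, added here as an illustration and not taken from the original article, audits which identity every pool is configured to use, flags pools running as Local System, creates a pool on the default virtual account with file permissions scoped to its own content, and shows the custom-account alternative. The pool names ContosoApi and ContosoReports, the path C:\inetpub\ContosoApi and the service account are hypothetical; it assumes the WebAdministration module (IIS 7.5 or later) and an elevated prompt.

```powershell
# Added example (not from the original article): audit and configure IIS application pool identities.
# Assumptions: WebAdministration module available, elevated session, pool names/paths below are hypothetical.
Import-Module WebAdministration

# 1. Audit: which identity is each pool configured to run under?
Get-ChildItem IIS:\AppPools | ForEach-Object {
    [pscustomobject]@{
        Pool         = $_.Name
        IdentityType = $_.processModel.identityType   # LocalSystem, LocalService, NetworkService, SpecificUser, ApplicationPoolIdentity
        UserName     = $_.processModel.userName       # populated only for SpecificUser
    }
} | Format-Table -AutoSize

# 2. Flag the dangerous case: any pool whose w3wp.exe would run as SYSTEM
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'LocalSystem' } |
    ForEach-Object { Write-Warning "Pool '$($_.Name)' runs w3wp.exe as Local System" }

# 3. Create a dedicated pool (hypothetical name) and keep the default virtual account IIS AppPool\ContosoApi.
#    identityType accepts the enum name; the numeric value 4 is equivalent.
if (-not (Test-Path IIS:\AppPools\ContosoApi)) { New-WebAppPool -Name 'ContosoApi' | Out-Null }
Set-ItemProperty IIS:\AppPools\ContosoApi -Name processModel.identityType -Value 'ApplicationPoolIdentity'

# 4. Grant that virtual account read/execute on its own content directory and nothing more.
#    Other pools' virtual accounts get no entry here, which is what isolates the sites from each other.
icacls 'C:\inetpub\ContosoApi' /grant 'IIS AppPool\ContosoApi:(OI)(CI)RX'

# 5. Alternative for a pool that needs domain resources (hypothetical pool ContosoReports): a domain service account.
#    IIS stores the password encrypted in applicationHost.config; prompt for it rather than hard-coding it.
if (-not (Test-Path IIS:\AppPools\ContosoReports)) { New-WebAppPool -Name 'ContosoReports' | Out-Null }
$cred = Get-Credential -Message 'Domain service account for ContosoReports (hypothetical)'
Set-ItemProperty IIS:\AppPools\ContosoReports -Name processModel -Value @{
    identityType = 3                                   # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 6. Runtime check: confirm the owner of each running w3wp.exe matches the configured identity.
#    -IncludeUserName needs PowerShell 4.0+ and an elevated session.
Get-Process -Name w3wp -IncludeUserName -ErrorAction SilentlyContinue |
    Select-Object Id, UserName
```

Run step 1 and step 6 together on a server you are reviewing: a mismatch between the configured identity and the account that actually owns the worker process, or any pool reporting LocalSystem, is the finding a practitioner is looking for.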
Why Use Different Identities?
- Security: isolates applications so that one compromised site cannot read or modify another site's files or data
- Resource access control: grant each app only the permissions it needs
- Troubleshooting: easier to attribute processes, file access and audit events in logs to a specific application
