App pool identity, Users group and iis isolation

Question

I followed these two questions:

IIS 7.5 App Pool Identity permission not assigned to folder, but application still can write to its folder?

IIS AppPoolIdentity and file system write access permissions

To try to understand how it is possible to isolate IIS ApplicationPoolIdentity users although they are members of the Users group that has read access practically everywhere.

I think that should be more secure that the App Pool\myapp could only read the contents of the site (or read/write its virtual directory), but what is the best practice to do that without removing the Users group ACL from everywhere?? my Windows server defaults has the "users" group on the volumes acl with read access and inherits to all folders...

Answer 1

AMit - that still doesn't solve the issue that his web app can read practically any file on the c:/ drive. But it's even worse than that. The web app can WRITE to the c:/ drive. Because the users group has permission to do so...

It's a fundamental security flaw in Microsoft's design. I've been searching for a solution myself and yet to find one.

Putting the web site on a different partition is security through obscurity... Which is basically no security at all - rather the mere hope that they don't find...

Answer 2

This question is also answered in the answer you linked to, by Kev. You should preferably set up your web root on a separate non-system drive. There you can remove the Users group from the top level and grant rights to the home folder of each site to the respective application pool identities only.