IIS NTFS Permissions are not working correctly

I have fixed this by giving the servername\IIS_IUSRS group read access to the wwwroot directory and all subfolders. This probably nullifies my security improvements but it makes it work, so never mind.

Author: Syntax Error

Updated on September 18, 2022
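
One way to see what the IIS_IUSRS grant described above exposes, as an added example that is not part of the original post: a read-only PowerShell audit that lists which IIS identities hold read access on each application folder under the site root. It assumes the `D:\wwwroot` path from the error message in the question; the function name `Get-IisReadAce` and the report columns are hypothetical.

```powershell
# Added example (not from the thread): read-only audit, changes no permissions.
# Assumption: the site root is D:\wwwroot, the path shown in the error message.
$SiteRoot = 'D:\wwwroot'

# Hypothetical helper: Allow ACEs that give an IIS identity read access to $Path itself.
function Get-IisReadAce {
    param([Parameter(Mandatory)][string]$Path)
    $readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0) -and
        # Inherit-only ACEs apply to children, not to this folder
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
        # BUILTIN\IIS_IUSRS, IIS APPPOOL\<name>, or an unresolved app pool SID
        $_.IdentityReference.Value -match '\\IIS_IUSRS$|^IIS APPPOOL\\|^S-1-5-82-'
    }
}

$report = foreach ($dir in Get-ChildItem -LiteralPath $SiteRoot -Directory) {
    $aces  = @(Get-IisReadAce -Path $dir.FullName)
    $group = @($aces | Where-Object { $_.IdentityReference.Value -match 'IIS_IUSRS$' })
    $pools = @($aces |
        Where-Object { $_.IdentityReference.Value -notmatch 'IIS_IUSRS$' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Folder    = $dir.FullName
        AppPools  = $pools -join ', '
        # Every app pool worker process carries IIS_IUSRS in its token, so a read
        # ACE for that group makes the folder readable by all pools on the server.
        IIS_IUSRS = if ($group.Count -eq 0) { 'none' }
                    elseif ($group[0].IsInherited) { 'inherited' }
                    else { 'explicit' }
        Shared    = ($group.Count -gt 0) -or ($pools.Count -gt 1)
    }
}

$report | Format-Table -AutoSize
```

Folders reported with `Shared = True` are readable by more than one application pool; `inherited` in the `IIS_IUSRS` column means the access comes from a grant made higher up, such as on the site root.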

Comments

  • Syntax Error
    Syntax Error over 1 year

    I'm trying to make my IIS server more secure and have locked down individual application folders so that only the relevant AppPool can access them. The AppPools have been given Read access but I have tried with read/write access too. I also moved wwwroot to another drive.

    Unless I specify a domain admin account as the AppPool identity, I get the error below about the webconfig file not being readable.

    An error occurred loading a configuration file: Failed to start monitoring changes to 'D:\wwwroot\web.config' because access is denied.

    I can get around this particular error by doing this:

    • Right-click on the application pool in IIS, choose Advanced Properties. Under ProcessModel->Identity, choose Identity.
    • Choose Custom Account
    • Switch to using a Custom Domain account that is an administrator on this machine, as well as the machine where the virtual directory is hosted.
    • Restart app pool

    The problem is that now my website, which looks at the currently logged-in user, sees the domain account specified in the apppool instead of the logged-in user.

    It also seems a bit pointless setting NTFS permissions on my application folders if I am then going to override it with a domain admin account in the apppool anyway.

    Any suggestions?

    NTFS Permissions

  • Lex Li
    Lex Li about 6 years
    Your changes to IIS-related permissions and user rights cannot go beyond any of the default settings, support.microsoft.com/en-us/help/981949/… Microsoft designs IIS that way, and to be secure. So you cannot use your own judgement as "security improvements".
  • Syntax Error
    Syntax Error about 6 years
    I was trying to follow some of the things from here: adminspeak.wordpress.com/tag/iis-7-5-best-practices
  • Lex Li
    Lex Li about 6 years
    A non-Microsoft source can contain trivial mistakes (and tons of the issues come from such low-quality posts). When in doubt, search Microsoft KB articles or TechNet materials first.
  • Syntax Error
    Syntax Error about 6 years
    I'll try. However sometimes the Microsoft documentation can be extremely confusing.
  • Lex Li
    Lex Li about 6 years
    A commercial user of Microsoft products should consider opening support cases via support.microsoft.com when confusion happens. But in your case, hiring a security expert or a security firm would be a better option to protect your assets.
  • Syntax Error
    Syntax Error about 6 years
    It's more to do with there being so many KB articles that cover similar topics. It's not easy to identify which is applicable and I often haven't got sufficient time to spend investigating or testing properly. I have a number of responsibilities at any one time and usually, no external resource to rely on but deadlines to hit and users to satisfy. I get where you're coming from though.
  • djdomi
    djdomi about 2 years
    This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review