Hello,
We are running a PHP-based website under the standard App Pool configuration. We have granted +w permissions to the 'IUSR' security principal on certain files that need +w access, which works very well.
We also have a set of nightly batch tasks that we must execute. However, I am struggling to identify the correct security configuration to allow these nightly tasks to run without compromising the security of the server.
The nightly tasks are PHP CLI scripts - they are not accessible from the web (nor should they be - it's a hacky solution, and opens a potential attack vector). On our Linux boxes, we have a crontab for the webserver user (www-data, or similar user for separate sites), so the batch task executes as the same user as the webserver. The account is very limited, and only has +w permissions for a small number of files.
We are using the Windows Task Scheduler to set up our PHP CLI scripts. However, we cannot use the 'IUSR' account, nor can we specify the explicit Application Pool Identity for running the task. We are only presented with a list of 'normal' accounts, and some other built-in accounts (e.g. NETWORK SERVICE). As per our Linux setup, we would expect to run the task as the webserver user - but this seems impossible on Windows with AppPoolIdentity users.
Does anyone else have a similar configuration? Are there any suggestions as to which user should run the task?
Thanks,