Securing IIS
Internet Information Services (IIS) uses application pools to coordinate the identity of the website that is running on the server.
For Cherwell® applications, only one application pool is allowed per virtual directory. Application pools cannot be shared across virtual directories.
To confirm your IIS configuration:
- To verify how an IIS application pool is used for Cherwell applications, open the Windows IIS Manager and view the connection information.
- To check if a virtual directory has a specific application pool assigned, right-click the virtual directory, select , and view the Application Pool value. Close the window.
- To verify the identity of the application pool, right-click the name of the application pool in the Connections pane, and select Advanced Settings. If configured, ApplicationPoolIdentity is listed as the identity of the application pool. The ApplicationPoolIdentity identity is recommended for Cherwell applications running under IIS.
- To assign a direct permission to the application pool identity, still in the IIS Manager, right-click the site folder, and then navigate to . Search for the local application pool (example: IIS AppPool\CherwellClient). Select the Check Names button to resolve the name.
- Use the following information as a reference for assigning security permissions for the CSM Browser Client:
  - Cherwell Application Server
    - Log to file directory: Create, Read, and Write/Modify
    - C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Create, Read, and Write/Modify
    - HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
    - General file access: Not applicable
    - Right to act as service: Not applicable
    - Permissions to [Programx86]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
  - Browser Client
    - Log to file directory: Create, Read, and Write/Modify
    - C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
    - HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
    - General file access: Not applicable
    - Right to act as service: Not applicable
    - Permissions to [Programx86]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
  - CSM Portal
    - Log to file directory: Create, Read, and Write/Modify
    - C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
    - HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
    - General file access: Not applicable
    - Right to act as service: Not applicable
    - Permissions to [Programx86]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Create, Read, and Write/Modify
  - Cherwell REST API
    - Log to file directory: Create, Read, and Write/Modify
    - C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
    - HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
    - General file access: Not applicable
    - Right to act as service: Not applicable
    - Permissions to [Programx86]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
  - Cherwell Service
    - Log to file directory: Create, Read, and Write/Modify
    - C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
    - HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
    - General file access: Not applicable
    - Right to act as service: Not applicable
    - Permissions to [Programx86]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
  - Cherwell Auto-Deploy
    - Log to file directory: Not applicable
    - C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
    - HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Not applicable
    - General file access: Not applicable
    - Right to act as service: Not applicable
    - Permissions to [Programx86]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
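The checks and the permission assignment described above can also be scripted. The following PowerShell is an added example, not Cherwell's own tooling; it applies the Browser Client row of the reference list. The pool name comes from the page's example (IIS AppPool\CherwellClient), and the log directory path is a placeholder you must replace.

```powershell
# Added example: audit pool usage and grant the rights listed for the Browser Client.
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

# Assumptions (adjust to your install):
$PoolName = 'CherwellClient'              # from the page's example: IIS AppPool\CherwellClient
$LogDir   = 'C:\Path\To\CherwellLogs'     # placeholder for the "Log to file directory"
$RegKey   = 'HKLM:\SOFTWARE\Trebuchet\ServerSetup'
$Account  = "IIS AppPool\$PoolName"

# 1. One pool per virtual directory: warn when a pool serves more than one application.
#    (Get-WebApplication lists non-root applications on all sites.)
Get-WebApplication | Group-Object applicationPool | Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Warning "Pool '$($_.Name)' is shared by: $($_.Group.path -join ', ')"
    }

# 2. Confirm the pool runs as the recommended ApplicationPoolIdentity.
$identityType = (Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel).identityType
if ($identityType -ne 'ApplicationPoolIdentity') {
    Write-Warning "Pool '$PoolName' runs as '$identityType', not ApplicationPoolIdentity"
}

# 3. Log directory: Create, Read, and Write/Modify -> Modify, inherited by children.
$acl  = Get-Acl -Path $LogDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# 4. Registry key: Read only.
$regAcl  = Get-Acl -Path $RegKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKey -AclObject $regAcl

# 5. Show the resulting entries so they can be compared with the reference list.
(Get-Acl $LogDir).Access | Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
(Get-Acl $RegKey).Access | Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, RegistryRights, AccessControlType
```

Granting only the rights in the matching row, to the pool's own identity rather than a shared account, keeps each Cherwell application limited to the files and keys it needs.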