Securing IIS

Internet Information Services (IIS) uses application pools to determine the identity under which a website runs on the server.

For Cherwell® applications, only one application pool is allowed per virtual directory. Application pools cannot be shared across virtual directories.

To confirm your IIS configuration:

  1. To verify how an IIS application pool is used for Cherwell applications, open the Windows IIS Manager and view the connection information.
  2. To check if a virtual directory has a specific application pool assigned, right-click the virtual directory, select Manage Application > Advanced Settings, and view the Application Pool value. Close the window.
  3. To verify the identity of the application pool, right-click the name of the application pool in the Connections pane, and select Advanced Settings. If configured, ApplicationPoolIdentity is listed as the identity of the application pool. The ApplicationPoolIdentity identity is recommended for Cherwell applications running under IIS.
  4. To assign a direct permission to the application pool identity, still in the IIS Manager, right-click the site folder, and then navigate to Edit Permissions > Security > Edit > Add. Search for the local application pool (example: IIS AppPool\CherwellClient). Select the Check Names button to resolve the name.
  5. Use the following information as a reference for assigning security permissions for the CSM Browser Client:
    • Cherwell Application Server
      • Log to file directory: Create, Read, and Write/Modify
      • C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Create, Read, and Write/Modify
      • HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
      • General file access: Not applicable
      • Right to act as service: Not applicable
      • Permissions to [Programs]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
    • Browser Client
      • Log to file directory: Create, Read, and Write/Modify
      • C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
      • HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
      • General file access: Not applicable
      • Right to act as service: Not applicable
      • Permissions to [Programs]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
    • CSM Portal
      • Log to file directory: Create, Read, and Write/Modify
      • C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
      • HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
      • General file access: Not applicable
      • Right to act as service: Not applicable
      • Permissions to [Programs]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Create, Read, and Write/Modify
    • Cherwell REST API
      • Log to file directory: Create, Read, and Write/Modify
      • C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
      • HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
      • General file access: Not applicable
      • Right to act as service: Not applicable
      • Permissions to [Programs]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
    • Cherwell Service
      • Log to file directory: Create, Read, and Write/Modify
      • C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
      • HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Read
      • General file access: Not applicable
      • Right to act as service: Not applicable
      • Permissions to [Programs]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
    • Cherwell Auto-Deploy
      • Log to file directory: Not applicable
      • C:\ProgramData\Trebuchet\Trebuchet.AppServerRecovery.dat: Not applicable
      • HKLM\SOFTWARE\Trebuchet\ServerSetup Access: Not applicable
      • General file access: Not applicable
      • Right to act as service: Not applicable
      • Permissions to [Programs]\Cherwell Browser Applications\Portal\dist\Bundles\Portal\css: Not applicable
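
The checks in steps 1 to 4 can also be run as a read-only script on the IIS server. This is an added example, not Cherwell's own tooling; it assumes the WebAdministration module that ships with IIS, an elevated Windows PowerShell session, and that each Cherwell virtual directory is an IIS application. The function name Get-AppPoolAudit is hypothetical.

```powershell
# Added example: read-only audit of the settings checked in steps 1 to 4.
# Changes nothing; it only reports what IIS Manager would show.
Import-Module WebAdministration

function Get-AppPoolAudit {
    # Get-WebApplication lists applications below each site (site roots are not included).
    $apps = @(Get-WebApplication)

    # Count how many applications use each pool; a pool must not be shared.
    $useCount = @{}
    foreach ($app in $apps) {
        $useCount[$app.applicationPool] = 1 + [int]$useCount[$app.applicationPool]
    }

    foreach ($app in $apps) {
        $pool    = $app.applicationPool
        $idType  = (Get-ItemProperty "IIS:\AppPools\$pool").processModel.identityType
        $folder  = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
        $account = "IIS AppPool\$pool"   # virtual account used by ApplicationPoolIdentity

        # Direct ACEs for the pool identity on the application folder (step 4).
        $aces = @()
        if (Test-Path -LiteralPath $folder) {
            $aces = @((Get-Acl -LiteralPath $folder).Access |
                Where-Object { $_.IdentityReference.Value -eq $account } |
                ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" })
        }

        [pscustomobject]@{
            Application         = $app.path
            AppPool             = $pool
            PoolShared          = $useCount[$pool] -gt 1                   # should be False
            IdentityType        = $idType
            RecommendedIdentity = "$idType" -eq 'ApplicationPoolIdentity'  # should be True
            DirectAces          = $aces -join '; '                         # empty = none assigned
        }
    }
}

Get-AppPoolAudit | Format-Table -AutoSize -Wrap
```

Rows with PoolShared set to True or RecommendedIdentity set to False are the ones to review in IIS Manager; compare DirectAces against the permission reference in step 5.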