I am installing the latest version of PHP onto IIS 7.5 via FastCGI, and all of the instructions say that FastCGI should impersonate the calling client by setting
fastcgi.impersonate = 1
If my website will have this configuration
- dedicated application pool
- application pool identity of ApplicationPoolIdentity
- anonymous authentication only (as IUSR)
why do I want to impersonate?
I come from an ASP.NET background, where the IUSR gets read-only permissions and the application pool identity gets any write permissions. Giving write access to the IUSR usually opens the door for WebDAV vulnerabilities. So I hesitate to let PHP run as the IUSR.
I can't find many people asking this question (1 | 2) so I think I must be missing something. Can someone clarify this for me?
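The permission split described in the question (IUSR read-only, write rights held by the application pool identity) can be checked on disk. The following is an added example, not part of the original post: a PowerShell 3.0 or later audit that lists each directory under a site root where either identity is directly granted write-capable rights. The site path and pool name are placeholders.

```powershell
# Added example: report write-capable Allow ACEs held by IUSR or the
# application pool identity under a site root.
# Assumptions: PowerShell 3.0+, and the placeholder path / pool name below.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\example-site',  # placeholder path
    [string]$AppPool  = 'ExampleSitePool'                   # placeholder pool name
)

# The two identities the question is about.
$identities = @('NT AUTHORITY\IUSR', "IIS AppPool\$AppPool")

# Bits that allow creating, changing or deleting content. 'Modify' and
# 'FullControl' are left out of the mask on purpose: they include read bits,
# so testing against them would flag read-only ACEs as well.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Inherit-only ACEs can carry raw generic rights instead of file rights:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$genericMask = 0x50000000

$dirs = @(Get-Item -LiteralPath $SiteRoot) +
        @(Get-ChildItem -LiteralPath $SiteRoot -Recurse | Where-Object { $_.PSIsContainer })

$findings = foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Only ACEs naming the identity directly are checked; rights granted
        # through group membership are not resolved here.
        if ($identities -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Path      = $dir.FullName
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# An empty result means neither identity has a direct write-capable ACE.
$findings | Sort-Object Identity, Path | Format-Table -AutoSize
```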