Disabling trusted installer in inetpub\wwwroot

Question

1.00/5 (2 votes)

See more:

For windows server hardening, can we delete the trusted installer account from the inetpub\wwwroot folder? What happens when we try to install new packages to inetpub after that

What I have tried:

Since it is a production server and don't have a test server to test this, I am not able to make a decision.

Posted 5-Jun-23 12:31pm

nirmalamari

Updated 6-Jun-23 6:02am

Add a Solution

Comments

Richard Deeming 6-Jun-23 3:41am

What precisely are you trying to do? TrustedInstaller is a system account designed to protect your files. Messing with its permissions is unlikely to increase security on your server.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Dave Kreskowiak · Accepted Answer · 2023-06-06T06:02:00

The TrustedInstaller account is used by Windows to install modules, packages, features, updates, and the like. TrustedInstaller is given admin permissions to the root of the IIS applications folder, inetpub. Everything under it inherits that permission from there.

You COULD explicitly remove the TrustedInstaller permissions from your app folder, but you're not really gaining anything in the way of security. The account isn't used by IIS when running applications. What it may be used for is when installing/deploying your web app or updating it, but that's dependent on what needs to be installed for your app. You may not be able to install it without TrustedInstaller permissions being applied to the folder.