Should I impersonate PHP via FastCGI?

13 months later, I wanted to revisit my own question. In that time I have transferred a half dozen websites from IIS 6 to IIS 7.5 and configured them with my preferred method. All I can say is that the websites work, they haven't had any security issues (not that these are popular sites), and in my opinion the setup is more secure than what learn.iis.net recommends.

For posterity, here are the relevant settings. In the PHP INI:

cgi.force_redirect = 0
cgi.fix_pathinfo = 1
fastcgi.impersonate = 0

In IIS:

  • Application Pool > Identity > ApplicationPoolIdentity
  • Website > Authentication > Anonymous Authentication > Specific User: IUSR

The NTFS permissions and where to apply them:

  • IUSR - Grant Read, Deny Write
    • The root directory of the IIS website. For example, in a Zend Framework project this would be the /public directory.
    • If your application uploads files and saves them in a public directory, you need to apply this permission to the temporary upload directory. This is because move_uploaded_file will preserve the permissions of the upload directory. This is the biggest drawback of this permissions setup that I've found.
  • ApplicationPoolIdentity (IIS AppPool\<<YourApplicationPoolName>>) - Grant Read & List
    • The root of your PHP application. For example, in a Zend Framework project this would be the entire project.
    • Any external libraries (Zend, Doctrine, etc.) included by your application that are not in the application folder.
  • ApplicationPoolIdentity - Grant Modify
    • Any location where your application will write such as upload_tmp_dir, session.save_path, and error_log.
    • Sometimes I need to add this permission to the root of the PHP application in my development environment to support things like Doctrine's auto-generation of proxies.
  • ApplicationPoolIdentity - Grant List
    • If your application is in a virtual directory, you will need to add this permission to the root of the website. This allows your application to read its parent web.config. For example, if your application root is http://example.com/MyPHPApp, set this permission on the example.com web directory. Specifically, you only need to apply it to "This folder and files", "within this container only".

I hope this helps anyone else who decides that the learn.iis.net instructions are not ideal.
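As an added example that is not part of the original answer, here is one way to apply the NTFS layout described above with PowerShell's Get-Acl/Set-Acl. The application pool name, the project path, the writable directories and the parent site folder are assumptions.

```powershell
# Added example, not from the original answer. Applies the NTFS layout above
# via Get-Acl/Set-Acl. Pool name, paths and writable directories are assumptions.
$PoolName  = 'MyPHPApp'                             # assumed application pool name
$PoolId    = "IIS AppPool\$PoolName"
$AppRoot   = 'C:\inetpub\apps\MyPHPApp'             # assumed project root (whole project)
$WebRoot   = Join-Path $AppRoot 'public'            # IIS site root, the only served folder
$UploadTmp = Join-Path $AppRoot 'data\upload_tmp'   # assumed upload_tmp_dir
$WriteDirs = @($UploadTmp, "$AppRoot\data\sessions", "$AppRoot\data\logs")
$ParentSiteRoot = $null   # set e.g. 'C:\inetpub\wwwroot\example.com' for a virtual directory

function Add-NtfsRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.AccessControlType] $Type = 'Allow',
        # Defaults give "This folder, subfolders and files"
        [System.Security.AccessControl.InheritanceFlags] $Inherit = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags] $Propagate = 'None'
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Type
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# IUSR: Read allowed and Write explicitly denied on the served root and on the
# upload temp dir (move_uploaded_file keeps the temp dir's permissions).
foreach ($p in @($WebRoot, $UploadTmp)) {
    Add-NtfsRule -Path $p -Identity 'IUSR' -Rights Read
    Add-NtfsRule -Path $p -Identity 'IUSR' -Rights Write -Type Deny
}

# Application pool identity: Read & List over the whole project.
Add-NtfsRule -Path $AppRoot -Identity $PoolId -Rights 'Read, ListDirectory'

# Application pool identity: Modify only where PHP actually has to write.
foreach ($p in $WriteDirs) {
    Add-NtfsRule -Path $p -Identity $PoolId -Rights Modify
}

# Virtual-directory case: List on the parent site folder so the app can read the
# parent web.config; "This folder and files", "within this container only".
if ($ParentSiteRoot) {
    Add-NtfsRule -Path $ParentSiteRoot -Identity $PoolId -Rights ListDirectory `
                 -Inherit ObjectInherit -Propagate NoPropagateInherit
}
```

Run it from an elevated prompt, then confirm the result with `Get-Acl $AppRoot | Format-List` or `icacls $AppRoot` before pointing the site at it.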