views:

74

answers:

5

By default ASP.NET uses the Network Service account. Is this the account I should be using with ASP.NET in production? What are the best practices related to the account used by ASP.NET?

Regards

Edit: If this makes any difference, I'll be using ASP.NET on a Windows 2008 server

+3  A: 

For production, you should create a service account that has only the bare minimum permissions in order to run the web application.

The Microsoft Patterns and Practices team provides the following guidance on this:

How To: Create a Service Account for an ASP.NET 2.0 Application

Daniel Robinson
Thanks a lot ...
123
I think this resource is pretty dated now and doesn't reflect industry practices such as frequent enforced password changes very well - custom user accounts are a huge risk to application availability in such environments.
stephbu
Cool, okay what's a better resource then?
Daniel Robinson
stephbu
@stephbu Yeah, your answer (and the other answers here) are also correct, depending on the situation. If you are in an enterprise situation you have to think carefully about the management of service accounts, etc.
Daniel Robinson
A: 

You should use the least privileged account possible.

Rubens Farias
A: 

1) Create a specific user account for each application

2) Create an Application Pool that runs under this account

3) The Website should be configured to run under this Application Pool.

4) In SQL Server, use Windows Authentication and give DB permissions to this User.

5) Use this User in the connection string (i.e. no passwords in the connection string)

6) Use this User to assign permissions to other resources as required.

Mark Redman
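As an added example that is not part of Mark Redman's answer, here are his six steps as one PowerShell script for IIS 7 on Windows Server 2008, using the WebAdministration module, sqlcmd and icacls. Every name in it is an assumption: the CONTOSO domain, the svc-orders account, the Orders site and OrdersPool application pool, the D:\Sites\Orders content path, and the OrdersDb database on SQL01. The password is prompted for and only held in memory long enough to hand it to IIS; it never appears in web.config.

```powershell
# Added example, not code from the original answer. Assumed names throughout:
# CONTOSO\svc-orders, site "Orders", pool "OrdersPool", D:\Sites\Orders, OrdersDb on SQL01.
Import-Module WebAdministration   # IIS 7 PowerShell provider (IIS:\ drive)

$domain   = 'CONTOSO'
$svcUser  = 'svc-orders'
$svcName  = "$domain\$svcUser"
$poolName = 'OrdersPool'
$siteName = 'Orders'
$sitePath = 'D:\Sites\Orders'
$sqlHost  = 'SQL01'
$dbName   = 'OrdersDb'

# The pool identity needs the plain-text password once; read it securely, never hard-code it.
$password = Read-Host -Prompt "Password for $svcName" -AsSecureString
$plain    = (New-Object System.Management.Automation.PSCredential $svcName, $password).GetNetworkCredential().Password

# Step 1: one account per application. Creating a domain account needs the ActiveDirectory
# module (Server 2008 R2 / RSAT); on a plain 2008 box the directory team usually does this.
# Import-Module ActiveDirectory
# New-ADUser -Name $svcUser -SamAccountName $svcUser -AccountPassword $password `
#     -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# Step 2: an application pool that runs as that account (identityType 3 = SpecificUser).
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $svcName
    password     = $plain
}
Remove-Variable plain   # drop the clear-text copy as soon as IIS has it

# Step 3: the website uses this pool (new site, or re-point an existing one).
if (-not (Test-Path $sitePath)) { New-Item -ItemType Directory -Path $sitePath | Out-Null }
if (Test-Path "IIS:\Sites\$siteName") {
    Set-ItemProperty "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName
} else {
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $poolName -Port 80 | Out-Null
}

# Step 4: SQL Server Windows authentication for the account, with database roles only
# (no db_owner, no server roles). sp_addrolemember is used because it exists on SQL 2008.
$sql = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$svcName')
    CREATE LOGIN [$svcName] FROM WINDOWS;
USE [$dbName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$svcName')
    CREATE USER [$svcName] FOR LOGIN [$svcName];
EXEC sp_addrolemember N'db_datareader', N'$svcName';
EXEC sp_addrolemember N'db_datawriter', N'$svcName';
"@
$tmp = [IO.Path]::GetTempFileName()
$sql | Set-Content -Path $tmp
sqlcmd -S $sqlHost -E -b -i $tmp      # -E: Windows auth as the admin running this; -b: stop on error
Remove-Item $tmp

# Step 5: the connection string carries no credentials; the pool identity is used.
$connectionString = "Data Source=$sqlHost;Initial Catalog=$dbName;Integrated Security=SSPI;"
# web.config: <add name="Orders" connectionString="$connectionString" providerName="System.Data.SqlClient" />

# Step 6: file-system rights for the same account: read/execute on the content,
# modify only on the one folder the app writes to.
$appData = Join-Path $sitePath 'App_Data'
if (-not (Test-Path $appData)) { New-Item -ItemType Directory -Path $appData | Out-Null }
icacls $sitePath /grant "${svcName}:(OI)(CI)RX" | Out-Null
icacls $appData  /grant "${svcName}:(OI)(CI)M"  | Out-Null

# Check what the pool actually runs as.
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel | Format-List identityType, userName
```

Two caveats a practitioner would check: the account's "password never expires" flag (or a rotation procedure that updates the pool at the same time, since an expired password stops the pool), and a Group Policy "Deny log on locally" entry for it so it can only be used as a service identity.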
+1  A: 

Unless you have some other need -- like a requirement to use integrated authentication to SQL Server for a database connection -- I would stick with the default account. It has fewer privileges than many other accounts, yet is enabled with the necessary privileges to run web applications. Caveat here: we typically don't make any privilege changes for the network service account and usually fire up a VM per production application (or set of related applications) rather than configuring multiple applications per server. If you are running multiple applications per server or make changes to the network service account's privileges for other reasons, you may want to consider using a separate service account for each application. If you do, make sure that this service account has the fewest privileges necessary to run ASP.NET applications and perform any additional tasks required.

tvanfosson
Totally agree @tvanfosson, we usually only run one role per server to keep security simple. Makes it easy to troubleshoot, and typically at worst just reimage if things go amuck.
stephbu
+2  A: 

You're gonna get lots of "it depends" answers but here's my 2 cents anyway.

Consider password change management, potential damage through compromise, as well as application needs e.g. trusted connectivity.

In most scenarios Network Service comes out best in these dimensions.

  1. it doesn't have a password, and never expires - no change management required
  2. it cannot be used as interactive login on other machines
  3. it can be used in trusted connections and ACL'd access to other hosts via the credential <domain>\<machinename>$

Of course your app may have different needs - but typically we use Network Service wherever possible - we run 10,000's of machines.

stephbu
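The third point above, that Network Service authenticates to other hosts as the computer account, is the one that trips people up in practice: the local name NT AUTHORITY\NETWORK SERVICE does not exist on the remote box, so grants there must be made to DOMAIN\MACHINENAME$. As an added example that is not part of stephbu's answer, this PowerShell fragment sets a pool to Network Service and authorises the machine account on a remote SQL Server and a file share. The names (CONTOSO, SQL01, FILES01, OrdersPool, OrdersDb, the Uploads share) are assumptions.

```powershell
# Added example, not from the original answer. Assumed: domain CONTOSO, pool OrdersPool,
# SQL Server SQL01 with database OrdersDb, file server FILES01 with share Uploads.
Import-Module WebAdministration

$poolName = 'OrdersPool'
$domain   = 'CONTOSO'
# Off-box, Network Service is seen as the computer account: DOMAIN\HOST$
$machineAccount = "$domain\$($env:COMPUTERNAME)`$"

# 1. Pool identity NetworkService (identityType 2): no password, nothing to rotate.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 2

# 2. Trusted connection to a remote SQL Server: the login is for the computer account.
#    (If SQL Server runs on the same box, the principal is NT AUTHORITY\NETWORK SERVICE instead.)
$sql = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$machineAccount')
    CREATE LOGIN [$machineAccount] FROM WINDOWS;
USE [OrdersDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$machineAccount')
    CREATE USER [$machineAccount] FOR LOGIN [$machineAccount];
EXEC sp_addrolemember N'db_datareader', N'$machineAccount';
"@
$tmp = [IO.Path]::GetTempFileName()
$sql | Set-Content -Path $tmp
sqlcmd -S SQL01 -E -b -i $tmp
Remove-Item $tmp

# 3. NTFS ACL on a remote share for the same principal (share-level permissions must allow it too).
icacls '\\FILES01\Uploads' /grant "${machineAccount}:(OI)(CI)M"

# 4. Check: 2 means NetworkService.
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType
```

The trade-off, which the comments above already touch on, is granularity: every pool on the machine that runs as Network Service presents the same DOMAIN\HOST$ identity to the network, so the "one role per server" model is what makes this acceptable.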