When creating a new website on a production windows 2008 r2 server which requires connection to SQL Express should I create a custom identity for the application to run under or leave it as NetworkService?
I see that that the IIS application pool advanced settings dialog box recommends that Network Service should be used which is fine but if that is considered the best practice how should I configure the application to connect to a local SQL server Express DB?
If I use Integrated Security to connect to the DB then I need to create a login for NT AUTHORITY\NETWORK SERVICE which doesn't feel correct as I may have other websites hosted using different local DB's. So should I create a SQL account for each website which require DB access then set the username and password in the web config? If that is the best way should I, or can I, encrypt the password in the web config file?
I've been searching on here and I can't seem to find a definitive view. My searches for the relevant info on MSDN/TECHNET and IIS.NET don't seem to be that fruitful so if anyone can link best practices/reference material it would be greatly appreciated.