
Could someone advise on best practice for setting up the Application Pool Identity for the web service under the following scenario:

IIS7.5

  1. Web Service requires read/write permission to SQL database
  2. IIS and SQL are on different servers but on the same domain

If ApplicationPoolIdentity is used (the machine account, ending in `$`, is added as the SQL user), does this expose our servers to any particular security risks as opposed to adding a new domain user, assigning this user as the application pool identity and giving the user permission on the SQL database?

IIS6

Same scenario but instead using the NetworkService built-in user as the application pool identity. Again, does this expose our servers to any particular security risks as opposed to adding a new domain user?

Thanks

HJM

2 Answers


Using the AppPool Identity for a remote SQL server essentially means you're giving the AD computer account for the web server access to the SQL database. Because of that, anything else running on the web server in the context of the computer account also has access to the SQL server. You could do a lot worse in terms of security, but an explicitly defined domain account is definitely better since you can make sure the only code using it is your web site.

If managing a domain based account (and its requisite password) is too much hassle and your web server is running on 2008 R2 or Win7, you might be able to use a Managed Service Account which basically gives you the manageability benefits of the AppPool Identity with the security of a domain account.

I haven't personally gotten the chance to play with managed service accounts yet. So I'm not sure if the TechNet documentation has any gaps or caveats. But it's worth a shot if you've got the time and your environment meets all the requirements. They definitely won't work on your IIS6 box though.

Ryan Bolger
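An added example (not part of Ryan's answer) of the "explicitly defined domain account" approach he recommends: run the pool as a dedicated account and grant that account, rather than the web server's computer account, only the read/write rights the service needs. The pool name `WebServicePool`, the account `CONTOSO\svc-webapp`, the SQL host `sql01` and the database `AppDb` are placeholders.

```powershell
# Added example: dedicated domain account as the IIS 7.5 application pool identity,
# plus the matching least-privilege SQL login on the remote database server.
# All names below (pool, account, server, database) are placeholders.
Import-Module WebAdministration

$pool    = 'WebServicePool'
$account = 'CONTOSO\svc-webapp'   # for a managed service account use 'CONTOSO\svc-webapp$' and an empty password
$secure  = Read-Host -AsSecureString 'Service account password (leave empty for a managed service account)'
$plain   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# processModel.identityType: 0=LocalSystem 1=LocalService 2=NetworkService
#                            3=SpecificUser 4=ApplicationPoolIdentity
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 3; userName = $account; password = $plain }

# Audit: which identity does each pool actually run under now?
# Anything still on 2 or 4 reaches the remote SQL server as the machine account.
Get-ChildItem IIS:\AppPools |
    Select-Object Name,
        @{ n = 'IdentityType'; e = { $_.processModel.identityType } },
        @{ n = 'UserName';     e = { $_.processModel.userName } } |
    Format-Table -AutoSize

# SQL side: a login for the dedicated account only, scoped to read/write on one database.
# sp_addrolemember is used because it also works on the SQL 2005/2008 servers of this era.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$account')
    CREATE LOGIN [$account] FROM WINDOWS;
USE [AppDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$account')
    CREATE USER [$account] FOR LOGIN [$account];
EXEC sp_addrolemember 'db_datareader', '$account';
EXEC sp_addrolemember 'db_datawriter', '$account';
"@
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=sql01;Integrated Security=SSPI'
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = $sql
[void]$cmd.ExecuteNonQuery()
$conn.Close()
```

Run the SQL part as an administrator of the database server; the IIS part needs local administrator rights on the web server.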

Using Application Pool Identity is more secure:

1. Limits user capability to local only, not network or domain, so any process run by this user is not allowed to run on any network resource as it is not Domain\username (more domain secure).

2. Allows NTFS permission for this application folder only, allowing more security for the web app (more local secure).

3. I disagree with Ryan: user account = computer\machine account = group is just SID authenticated and authorized => Domain member computers are also Kerberos principals in the AD, which means that domain controllers have an associated account password hash they can use to authenticate the computer when it comes online. This password is associated with the computer account object.

Microsoft says: a problem arose over time as more and more Windows system services started to run as Network Service. This is because services running as Network Service can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities. The Windows operating system provides a feature called "virtual accounts" that allows IIS to create a unique identity for each of its application pools.