
Adding "Network Service" Account to Administrators Group

My web-app runs in IIS 6.0 under Windows Server 2003, and we all know that in this situation, the user account "Network Service" is used by IIS.

I happen to have to allow a certain user to perform some action on my web page, and that action requires administrator privilege.

The laziest solution to me seems to be to add "Network Service" to the Administrators Group, and it actually works.

MY QUESTION is, how DANGEROUS is this solution, and in what way can it compromise the security of my web server?

asked Feb 09 '10 02:02

Zhiguang Wang



1 Answer

This is generally "a bad idea". If this is a public facing server then this is a really bad idea.

What you should do, and this is how we approach problems such as this, is sandbox the specific admin tasks you need to carry out in another process such as a Windows service which has elevated rights.

We then host a Remoting Server in the Windows Service and communicate with the service either over a named pipe or TCP/IP (if machine to machine and this is over a back end private network).

For more information, please see this answer which I left for another user regarding a similar problem:

Windows User Account that executes only IIS7 Provisions

An even better approach would be to never have direct communication between the web application and the Windows service, but go through an intermediary such as a job or message queue. Your low privileged application places a request for the admin task to be carried out, your elevated privileged service reads these tasks from the queue and carries them out.

In both cases you should ensure that you don't overscope the responsibility of each task, i.e. ensure that if the task is to create a new Windows account on the server then you don't allow that new account to gain more rights than it needs.

answered Sep 26 '22 01:09

Kev
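
The queue-based split described in the answer above, as an added example (not code from the answer or from any project): the elevated service checks every queued request against a fixed allow-list and a per-task argument pattern before acting, so the web application can only ask for narrowly scoped tasks. The `AdminTaskRequest` type, the task names and the argument patterns are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Hypothetical message the low-privileged web application puts on the queue.
public sealed class AdminTaskRequest
{
    public string TaskName, Target, RequestedBy;
    public AdminTaskRequest(string task, string target, string by)
    { TaskName = task; Target = target; RequestedBy = by; }
}

// Runs inside the elevated Windows service, never inside the IIS worker process.
public static class AdminTaskWorker
{
    // Allow-list: task name -> pattern its single argument must match in full.
    static readonly Dictionary<string, Regex> Allowed = new Dictionary<string, Regex>
    {
        { "RecycleAppPool", new Regex(@"\A[A-Za-z0-9_]{1,32}\z") },
        { "CreateSiteUser", new Regex(@"\Asite_[a-z0-9]{1,15}\z") },
    };

    // Returns null when the request may run, otherwise the reason it was refused.
    public static string Refusal(AdminTaskRequest r)
    {
        if (r == null || r.TaskName == null || r.Target == null) return "malformed request";
        Regex pattern;
        if (!Allowed.TryGetValue(r.TaskName, out pattern)) return "task not on allow-list";
        if (!pattern.IsMatch(r.Target)) return "argument rejected";
        return null;
    }

    public static void Main()
    {
        // Constructed sample queue contents; a real queue (MSMQ, a table) is assumed.
        var queue = new Queue<AdminTaskRequest>(new[]
        {
            new AdminTaskRequest("RecycleAppPool", "Intranet_Pool", "alice"),
            new AdminTaskRequest("CreateSiteUser", "Administrator", "alice"),
            new AdminTaskRequest("AddToGroup", "Administrators", "bob"),
        });
        while (queue.Count > 0)
        {
            AdminTaskRequest r = queue.Dequeue();
            string why = Refusal(r);
            // Audit every decision; the privileged action itself is left out here.
            Console.WriteLine("{0} {1}({2}) by {3}{4}", why == null ? "RUN " : "DENY",
                r.TaskName, r.Target, r.RequestedBy, why == null ? "" : ": " + why);
        }
    }
}
```

Only the first constructed request is allowed to run: the second names an account outside the `site_` pattern, and the third asks for a task the service does not offer at all.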