Adding "Network Service" Account to Administrators Group

Question

My web-app runs in IIS 6.0 under windows server 2003, and we all know that in this situation, user account "Network Service" is used by IIS.

I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege.

The laziest solution to me seems to add "Network Service" to Administrators Group, and it actually works.

MY QUESTION is, how DANGEROUS this solution is, and in what way can it compromise the security of my web server?

Answer 1

This is generally "a bad idea". If this is a public facing server then this is a really bad idea.

What you should do, and this is how we approach problems such as this, is sandbox the specific admin tasks you need to carry out in another process such as a Windows service which has elevated rights.

We then host a Remoting Server in the Windows Service and communicate with the service either over a named pipe or TCP/IP (if machine to machine and this is over a back end private network).

For more information, please see this answer which I left for another user regarding a similar problem:

Windows User Account that executes only IIS7 Provisions

An even better approach would be to never have direct communication between the web application and the windows service, but go through an intermediary such as a job or message queue. Your low privileged application places request for the admin task to be carried out, your elevated privileged service reads these tasks from the queue and carries them out.

In both cases you should ensure that you don't overscope the responsibility of each task. i.e. ensure that if the task is to create a new Windows account on the server then don't allow that new account to gain more rights than it needs.