
Is it safe to run a pool under NT AUTHORITY\NETWORK SERVICE?

I normally would create a limited-rights user and run the process under that, but the fact that pools automatically created under IIS7 in 2008 use this account makes me think that this is perfectly safe, and possibly more so than something I create? The whole Secure By Default push from Redmond would lead me to believe this is the case.

keithwarren7 asked Dec 14 '08 23:12



1 Answer

Yes, it is safe. Services and Service Accounts Security Planning Guide

One more thing: it is even better to use the Local Service account (not to be confused with the Local System account!). It has the same permissions on the local server as Network Service, but does not have network permissions. Network Service can access network resources with the permissions of the computer account (like an authenticated user).

Update 1 (reply to comment):

As far as I understand, both options will work. Your application code is not running (by default) under the application pool identity, but under the identity of the user that authenticates to your site or, if anonymous users are allowed, the iuser_computername account. The reason the application pool identity is important is that you can, by code (and so an attacker who injects his code can too), change the identity of your application to the application pool identity.

That said, there are further complications that are too numerous to post.

Igal Serban answered Sep 20 '22 00:09

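
To see which identity each pool on a server actually runs under, the following audit script lists every application pool with its process identity. It is an added example, not part of the original question or answer, and assumes the IIS WebAdministration module, PowerShell 3.0 or later, and an elevated session on the IIS server; the note texts are this example's own summaries.

```powershell
# Added example: audit the process identity of every IIS application pool.
# Assumes the WebAdministration module (installed with the IIS management
# tools) and an elevated PowerShell 3.0+ session on the web server.
Import-Module WebAdministration

# Short reminders per built-in identity type. The NetworkService and
# LocalService entries summarise the answer above.
$notes = @{
    'LocalSystem'             = 'Full local privileges; review why this is needed'
    'NetworkService'          = 'Limited locally; reaches the network as the computer account'
    'LocalService'            = 'Limited locally; no network permissions (per the answer)'
    'ApplicationPoolIdentity' = 'Per-pool virtual account'
    'SpecificUser'            = 'Custom account; review its rights separately'
}

$report = Get-ChildItem IIS:\AppPools | ForEach-Object {
    # identityType is an enum; cast to string so it can be used as a lookup key.
    $type = [string]$_.processModel.identityType

    [pscustomobject]@{
        Pool     = $_.Name
        State    = $_.State
        Identity = $type
        # userName is only meaningful when a custom account is configured.
        UserName = if ($type -eq 'SpecificUser') { $_.processModel.userName } else { '' }
        Note     = $notes[$type]
    }
}

# Full inventory, grouped by identity type.
$report | Sort-Object Identity, Pool | Format-Table -AutoSize

# Pools running as Local System deserve a closer look first.
$highPriv = @($report | Where-Object { $_.Identity -eq 'LocalSystem' })
if ($highPriv.Count -gt 0) {
    Write-Warning ("{0} pool(s) run as LocalSystem: {1}" -f
        $highPriv.Count, ($highPriv.Pool -join ', '))
}
```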