What account should I use for ASP.NET?

By default ASP.NET uses the network service account,开发者_开发知识库 is this the account I should be using with ASP.NET in production? What are the best practices related to the account used by ASP.NET?

Regards

Edit: If this makes any difference, I'll be using ASP.NET on a Windows 2008 server

For production, you should create a service account that has only the bare minimum permissions in order to run the web application.

The Microsoft Patterns and Practices team provides the following guidance on this:

How To: Create a Service Account for an ASP.NET 2.0 Application

You're gonna get lots of "it depends" answers but here's my 2 cents anyway.

Consider password change management, potential damage through compromise, as well as application needs e.g. trusted connectivity.

In most scenarios Network Service comes out best in these dimensions.

1. it doesn't have a password, and never expires - no change management required
2. it cannot be used as interactive login on other machines
3. it can be used in trusted connections and ACL'd access to other hosts via the credential <domain>\<machinename>$

Of course your app may have different needs - but typically we use Network Service wherever possible - we run 10,000's of machines.

Unless you have some other need -- like a requirement to use integrated authentication to SQL Server for a database connection -- I would stick with the default account. It has fewer privileges than many other accounts, yet is enabled with the necessary privileges to run web applications. Caveat here: we typically don't make any privilege changes for the network service account and usually fire up a VM per production application (or set of related applications) rather than configuring multiple applications per server. If you are running multiple applications per server or make changes to the network service account's privileges for other reasons, you may want to consider using a separate service account for each application. If you do, make sure that this service account has the fewest privileges necessary to run ASP.NET applications and perform any additional tasks required.

You should use a lesser privileged account possible

1) Create a specific user account for each application

2) Create an Application Pool that runs under this account

3) The Website should be configured to run under this Application Pool.

4) In SQL Server, use Windows Authentication and give DB permissions to this User.

5) Use this User in a connection string (ie no passwords in connection string)

6) Use this User to assign permissions to other resources as required.