Run Your Service in a Least Privileged Account

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If you host your WCF service in a Windows service or in IIS, run it under a least privileged service account rather than a built-in identity. By default, ASP.NET on IIS 5.x runs under the ASPNET account, and IIS 6.0 application pools run as NetworkService.

By using a custom domain account, you can audit and authorize your service individually, and your service is isolated from changes made to the privileges and permissions of a shared built-in account, which every other process configured to use that account also inherits. Configure the account with only the privileges and permissions the service needs in order to run. This reduces the attack surface and constrains what an attacker who compromises the service can do, because the attacker holds only that account's rights.

The following steps outline how to use a least privileged custom domain account:
  1. Create a Windows account for the service.
  2. If your application runs in ASP.NET compatibility mode, run the following aspnet_regiis.exe command (available in .NET Framework 2.0 and later) to grant the account the file and registry permissions ASP.NET needs:
aspnet_regiis.exe -ga machineName\userName
Note: This step is needed only if your application runs in ASP.NET compatibility mode.
  3. Use the Local Security Policy tool to grant the account the Deny log on locally user right. This reduces the privileges of the account and prevents anyone from logging on to Windows interactively with it, so a leaked service password cannot be used at the console.
  4. If your service is hosted in a Windows service, configure the Windows service to run under the account identity; the WCF service then runs in the security context of the Windows service. The account also needs the Log on as a service user right.
  5. If your service is hosted in IIS 6.0, use IIS Manager to create an application pool that runs under the account identity, and assign your WCF service to that application pool. A custom application pool identity must be a member of the IIS_WPG group.
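The procedure above carried out from an elevated PowerShell prompt, as an added example that is not part of the original guidance. The account name WcfSvcAcct, the service name MyWcfService, the pool name WcfPool and the ADSI path IIS://localhost/W3SVC/1/ROOT/MyService are assumptions; the account is created locally so the script runs on a single machine, whereas the guidance recommends a domain account. In addition to the steps listed, it grants Log on as a service (sc.exe, unlike the Services snap-in, does not grant it) and adds the account to IIS_WPG, both of which a custom identity needs, and it ends with two checks of the identities actually in effect.

```powershell
# Added example, not from the original page. Configures a least-privileged
# account for a WCF service on a single machine with IIS 6.0 and .NET 2.0+.
# All names below are assumptions for illustration; replace them with yours.
$acct     = 'WcfSvcAcct'                                # service account (assumed)
$svcName  = 'MyWcfService'                              # Windows service name (assumed)
$poolName = 'WcfPool'                                   # IIS 6.0 application pool (assumed)
$appPath  = 'IIS://localhost/W3SVC/1/ROOT/MyService'    # ADSI path of the WCF app (assumed)
$fullName = "$env:COMPUTERNAME\$acct"

# Step 1: create the account. A local account is used so the script is
# self-contained. The password is prompted, held in memory only while needed,
# and never written to disk.
$secure = Read-Host -AsSecureString "Password for $acct"
$plain  = (New-Object Management.Automation.PSCredential($acct, $secure)).GetNetworkCredential().Password
net user $acct $plain /add /passwordchg:no /comment:"WCF service account" | Out-Null
wmic useraccount where "Name='$acct'" set PasswordExpires=false | Out-Null

# Step 2 (ASP.NET compatibility mode only): grant the ASP.NET file and registry
# ACLs. The -ga switch exists in .NET Framework 2.0 and later.
$aspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
& $aspnetRegiis -ga $fullName | Out-Null

# Step 3: user rights via secedit. Export the current policy, add the account's
# SID to the relevant privileges, import the result.
#   SeDenyInteractiveLogonRight = "Deny log on locally"  (what the guidance calls for)
#   SeServiceLogonRight         = "Log on as a service"  (required by step 4)
$sid = (New-Object Security.Principal.NTAccount($fullName)).Translate(
           [Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'secpol.inf'
$db  = Join-Path $env:TEMP 'secpol.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Add-UserRight([string[]]$lines, [string]$right, [string]$sid) {
    # INF format: "<Privilege> = *SID1,*SID2" under the [Privilege Rights] section.
    if ($lines -match "^$right\s*=") {
        # Privilege already listed: append the SID unless it is already there.
        return ($lines | ForEach-Object {
            if ($_ -match "^$right\s*=" -and $_ -notmatch [regex]::Escape($sid)) { "$($_),*$sid" } else { $_ }
        })
    }
    # Privilege not listed: add a line directly under the section header.
    return ($lines | ForEach-Object {
        $_
        if ($_ -match '^\[Privilege Rights\]') { "$right = *$sid" }
    })
}

$policy = Get-Content $inf
$policy = Add-UserRight $policy 'SeDenyInteractiveLogonRight' $sid
$policy = Add-UserRight $policy 'SeServiceLogonRight' $sid
Set-Content -Path $inf -Value $policy -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf, $db -ErrorAction SilentlyContinue

# Step 4 (Windows service host): run the service as the account; the WCF
# service inherits the Windows service's security context.
sc.exe config $svcName obj= ".\$acct" password= $plain | Out-Null

# Step 5 (IIS 6.0 host): a custom pool identity must be in IIS_WPG or the
# worker process will not start. Create the pool and move the app into it.
net localgroup IIS_WPG $acct /add | Out-Null
$pool = ([ADSI]'IIS://localhost/W3SVC/AppPools').Create('IIsApplicationPool', $poolName)
$pool.Put('AppPoolIdentityType', 3)      # 3 = SpecificUser
$pool.Put('WAMUserName', $fullName)
$pool.Put('WAMUserPass', $plain)
$pool.SetInfo()
$app = [ADSI]$appPath
$app.Put('AppPoolId', $poolName)
$app.SetInfo()
Remove-Variable plain

# Checks: the identities actually in effect after configuration.
function Get-ServiceLogonAccount([string]$name) {
    (Get-WmiObject Win32_Service -Filter "Name='$name'").StartName
}
function Get-AppPoolIdentity([string]$name) {
    ([ADSI]"IIS://localhost/W3SVC/AppPools/$name").WAMUserName.Value
}
Get-ServiceLogonAccount $svcName     # expected: .\WcfSvcAcct
Get-AppPoolIdentity $poolName        # expected: <COMPUTERNAME>\WcfSvcAcct
```

The secedit round trip is used because the Local Security Policy tool has no command-line equivalent for a single right; editing the exported INF and importing only the USER_RIGHTS area leaves the rest of the local policy untouched. On IIS 7.0 and later the IIS 6.0 metabase path in step 5 no longer applies; the same result comes from appcmd set apppool with /processModel.identityType:SpecificUser, /processModel.userName and /processModel.password.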

Additional Resources

Last edited Jun 12, 2008 at 9:28 PM by prashantbansode, version 1
