4

I am supposed to harden web applications we have developed in our company. I decided to create a separate application pool for each web site for this purpose. My question is whether using the Application Pool Identity is more secure or using separate local/domain accounts for each application pool?

Pooya Yazdani

1 Answer

4

The reason for using an App Pool Identity is purely a matter of security. There is another name for this in Windows - they're also called "virtual accounts."

The 'network service' and especially 'local machine' accounts have too much privilege by default. Local Machine has unrestricted access to the entire system, and Network Service has the ability to muck around with other Windows services that are also running as Network Service. The app pool identity, and virtual accounts in general, are just a straightforward mechanism by which you can assign only the bare minimum rights necessary to the service and not a drop more. It also helps keep things straight from an ACL and audit perspective because you would have a hard time tracking down which "Network Service" performed some action on the machine, etc.

Ryan Ries
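The per-site pool and least-privilege ACL setup the answer describes, as an added example (not code from the original question or answer). It assumes a Windows Server with IIS and the WebAdministration module; the site names, paths and ports are hypothetical.

```powershell
# Added example: one app pool per site, each under its own virtual account
# (IIS AppPool\<PoolName>), with the content folder ACL'd to that account only.
# Site names, paths and ports below are hypothetical.
Import-Module WebAdministration

$sites = @(
    @{ Name = 'Intranet'; Path = 'C:\inetpub\Intranet'; Port = 8081 },
    @{ Name = 'Reports';  Path = 'C:\inetpub\Reports';  Port = 8082 }
)

foreach ($s in $sites) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null

    # Dedicated pool running as its virtual account, not NetworkService/LocalSystem
    if (-not (Test-Path "IIS:\AppPools\$($s.Name)")) {
        New-WebAppPool -Name $s.Name | Out-Null
    }
    Set-ItemProperty "IIS:\AppPools\$($s.Name)" -Name processModel.identityType -Value ApplicationPoolIdentity

    if (-not (Test-Path "IIS:\Sites\$($s.Name)")) {
        New-Website -Name $s.Name -PhysicalPath $s.Path -ApplicationPool $s.Name -Port $s.Port | Out-Null
    }

    # Least privilege on the content folder: drop inherited ACEs, then grant only
    # read/execute to this pool's identity. Other pools' identities get nothing,
    # so a compromise of one site does not read another site's files.
    icacls $s.Path /inheritance:r /grant:r `
        "IIS AppPool\$($s.Name):(OI)(CI)RX" `
        "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
        "BUILTIN\Administrators:(OI)(CI)F" | Out-Null
}

# Audit: list pools still running as a high-privilege built-in account.
# The audit trail benefit from the answer only holds when every pool is migrated.
function Get-OverPrivilegedAppPool {
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -in @('LocalSystem', 'NetworkService', 'LocalService') } |
        Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.identityType } }
}

Get-OverPrivilegedAppPool
```

Run `(Get-Acl C:\inetpub\Intranet).Access` afterwards to confirm that only the matching `IIS AppPool\Intranet` entry (plus SYSTEM and Administrators) remains on each folder.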