A reader asked me this question today (specifically in regards to SQL Server and IIS). He said that he found some advice in the patterns & practices guidelines (How To: Create a Service Account for an ASP.NET 2.0 Application) that seemed to indicate that it would be OK to use the Network Service account in production Here was my response to him - I thought other readers might be interested in this, and I'm sure some of you may have comments to expand on this:
It is easier to use network service, because it can use the SPN of the machine, which is already set up. There are some drawbacks, of course.
One is that the more stuff you run as Network Service (NS), the more privilege it starts to gain. For example, if one of the OS services that runs as NS is compromised by a remote attacker, the attacker now has credentials to read your SQL Server database (if that's also running as NS).
The principal of least privilege would dictate that each service have its own account, to isolate the resources that the service needs so that other services can't use those resources without explicitly being granted access.
Another drawback is that on the network, NS is represented using the machine account SID. This SID changes anytime you repave the machine (perhaps there's a way to reset it back, but I've not explored this). So while adding machines to groups is possible for authorization purposes, it can get messy if the machine SID changes (you'll need to update all of those group memberships). This problem doesn't exist for a user account.
Posted
Aug 16 2007, 08:14 AM
by
keith-brown