
List:       security-basics
Subject:    Re: Application Pool - Service Account Permissions
From:       krymson () gmail ! com
Date:       2011-07-21 17:57:52
Message-ID: 201107211757.p6LHvq47025026 () sf01web2 ! securityfocus ! com

That is indeed a high risk. I'm not sure if they apply to IIS 7.5/Server 2008, but there have been recent .NET patches from Microsoft that fix issues where malicious code can take over that app pool account, especially if you allow users to upload content into a web-executable location.

Almost certainly, giving local admin rights is the poor (or time-starved) man's solution to, "My app isn't running because of a permissions problem." It certainly is correct to open up with a test under local admin rights, but to stop there is a travesty. More than likely the account just needs a few 'read' and maybe (if you're unlucky) some 'modify' rights on various local locations on the server. Some time taken during testing to have a sys admin watch execution using Filemon should reveal any needs.

Since you're using the same account across a few systems, perhaps this gets a bit hairy. I'm not sure the whole "dmz web farm" and "internal web farm" separation is strictly adhered to these days. Often you get the web (IIS 7.5) and app (app pool) "separated" but really just running on the same box.

It is certainly possible it does need high rights, if it is so poorly written and relies on way more things on the server than it should, but the app owner should still know every specific reason why.

Also, hopefully your developers don't have access to that service account password! 


<- snip ->
Hi Folks,

Just wanted to see what your thoughts were on a 2008R2 IIS7.5 application
pool identity user having local administrative privileges for a complex
internet facing .net web application? I was always taught that this is
high risk, but maybe things have changed. The basic setup is supposed to
be this. A front end (dmz zone) web farm, back end (trust zone) web farm,
all connected to the same domain, using the same domain service account
that will need to be in the local administrators group on all the servers.
I have a feeling the application can be coded differently and I don't have
a real answer yet to why it needs to be this way.

Anyone have any thoughts?

Thanks in advance!!
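
The trace-review step the reply describes, as an added example that is not part of the original messages: it reduces a file-activity trace of the worker process to the folders that need 'read' or 'modify' rights. It assumes a CSV export with the column names of Process Monitor (the successor to Filemon); the function name, sample rows and paths are constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample shaped like a Process Monitor CSV export (assumed column names).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","w3wp.exe","4120","CreateFile","C:\inetpub\app\web.config","SUCCESS","Desired Access: Generic Read"
"10:01:02.2","w3wp.exe","4120","ReadFile","C:\inetpub\app\web.config","SUCCESS","Offset: 0, Length: 512"
"10:01:03.0","w3wp.exe","4120","CreateFile","D:\AppData\uploads\a.tmp","ACCESS DENIED","Desired Access: Generic Write"
"10:01:03.5","w3wp.exe","4120","WriteFile","C:\inetpub\app\logs\app.log","SUCCESS","Offset: 0, Length: 80"
"10:01:04.0","w3wp.exe","4120","ReadFile","C:\inetpub\app\logs\app.log","SUCCESS","Offset: 0, Length: 80"
"10:01:04.2","svchost.exe","900","WriteFile","C:\Windows\Temp\x.dat","SUCCESS","Offset: 0, Length: 10"
"10:01:05.0","w3wp.exe","4120","RegOpenKey","HKLM\Software\Example","SUCCESS","Desired Access: Read"
'''

# File operations that imply the account must be able to change content.
WRITE_OPS = {"WriteFile", "SetDispositionInformationFile",
             "SetRenameInformationFile", "SetEndOfFileInformationFile"}
FILE_OPS = WRITE_OPS | {"CreateFile", "ReadFile", "QueryDirectory"}


def required_rights(csv_text, process="w3wp.exe"):
    """Return ({folder: 'Read' | 'Modify'}, sorted list of denied paths)."""
    rights, denied = {}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        if row["Process Name"].lower() != process.lower() or op not in FILE_OPS:
            continue  # other processes and registry events are out of scope
        wants_write = op in WRITE_OPS or (
            op == "CreateFile" and "write" in row["Detail"].lower())
        folder = str(PureWindowsPath(row["Path"]).parent)
        # Once a folder has needed 'Modify', a later read never downgrades it.
        if wants_write or rights.get(folder) == "Modify":
            rights[folder] = "Modify"
        else:
            rights[folder] = "Read"
        if row["Result"] == "ACCESS DENIED":
            denied.add(row["Path"])
    return rights, sorted(denied)


if __name__ == "__main__":
    rights, denied = required_rights(SAMPLE_CSV)
    for folder, right in sorted(rights.items()):
        print(f"{right:6} {folder}")
    print("Denied under the test account:", denied)
```

The resulting folder list is a starting point for explicit ACL grants to the app pool account; each 'Modify' entry is worth a question to the app owner about why it is needed.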
