This How To shows you how to create and configure a custom least-privileged service account to run an ASP.NET Web application. By default, an ASP.NET application on Microsoft Windows Server 2003 and IIS 6.0 runs using the built-in Network Service account. In production environments, you usually run your application using a custom service account. By using a custom service account, you can audit and authorize your application separately from others, and your application is protected from any changes made to the privileges or permissions associated with the Network Service account. To use a custom service account, you must configure the account by running the Aspnet_regiis.exe utility with the -ga switch, and then configure your application to run in a custom application pool that uses the custom account’s identity.
By default, an ASP.NET application on Windows Server 2003 and IIS 6.0 runs in the application pool called ASP.NET V2.0. This application pool uses the built-in Network Service account. This account is least privileged, although it does have network credentials, which means that you can use it to authenticate to network servers.
The following scenarios may prevent you from using a network service account or a custom domain-level service account:
- Your Web server is not in a domain.
- Your Web server and downstream remote server are in separate domains with no trust relationship.
- Your Web server and downstream remote server are separated by a firewall and you cannot open the ports required for NTLM or Kerberos authentication.
In the above cases you can use mirrored local accounts. With this approach, you use two local accounts with the same user name and password on both servers. Alternatively, you can use SQL authentication, although this is not recommended because it offers weaker security than Windows authentication offers.
By using a custom service account and a dedicated application pool, you gain a number of advantages:
- You help to isolate applications from one another.
- You can establish different access controls for each application on local and remote resources. For example, other applications cannot access your application’s databases if access is restricted to your application’s account.
- You can use Windows auditing to track the activity of the application separately from other applications.
- You ensure that any accidental or deliberate changes to the access controls or permissions associated with the general-purpose Network Service account do not affect your application.
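The two-step procedure described above (grant the account ASP.NET access with Aspnet_regiis.exe -ga, then run the application in a dedicated application pool under that identity), scripted as an added example; this is not code from the original How To. It assumes an elevated PowerShell session on Windows Server 2003 / IIS 6.0 with the .NET Framework 2.0 installed, and the account name, pool name and IIS metabase path are placeholders you replace with your own.

```powershell
# Added example, not part of the original How To. Placeholders: account, pool and metabase path.
param(
    [string]$AccountName = 'CustomAspNetSvc',                     # placeholder local account
    [string]$AppPoolName = 'CustomAspNetPool',                    # placeholder pool name
    [string]$AppPath     = 'IIS://localhost/W3SVC/1/Root/MyApp'   # placeholder app metabase path
)

# Prompt for the password instead of embedding it in the script.
$cred  = Get-Credential "$env:COMPUTERNAME\$AccountName"
$plain = $cred.GetNetworkCredential().Password

# 1. Create the local service account (use the same name/password on the downstream
#    server if you are using the mirrored local accounts approach).
& net user $AccountName $plain /add /passwordchg:no /expires:never | Out-Null

# 2. Grant the account the metabase and ASP.NET directory access it needs.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
& $regiis -ga "$env:COMPUTERNAME\$AccountName"
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -ga failed with exit code $LASTEXITCODE" }

# 3. Create a dedicated application pool that runs as the custom account.
#    AppPoolIdentityType 3 = SpecificUser (0 LocalSystem, 1 LocalService, 2 NetworkService).
$pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
$pool  = $pools.Create('IIsApplicationPool', $AppPoolName)
$pool.Put('AppPoolIdentityType', 3)
$pool.Put('WAMUserName', "$env:COMPUTERNAME\$AccountName")
$pool.Put('WAMUserPass', $plain)
$pool.SetInfo()

# 4. Move the application out of the shared ASP.NET V2.0 pool into the new one.
$app = [ADSI]$AppPath
$app.Put('AppPoolId', $AppPoolName)
$app.SetInfo()

# Verification: read back the identity the pool will actually use.
function Get-PoolIdentity([string]$Name) {
    $p = [ADSI]"IIS://localhost/W3SVC/AppPools/$Name"
    return "$($p.AppPoolIdentityType) $($p.WAMUserName)"
}
Write-Output ("Pool identity: " + (Get-PoolIdentity $AppPoolName))   # expect "3 <machine>\<account>"
```

After the pool starts, the worker process (w3wp.exe) for this pool should show the custom account in Task Manager, which is also the identity you will see in the Security event log when you enable auditing for it.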
How To: Create a Service Account for an ASP.NET 2.0 Application (PDF)