Improving Web Application Security: Threats and Countermeasures (CGISecurity)
Chapter 19: Securing Your ASP.NET Application and Web Services (page 579)

Registry

Any registry key that your application accesses must have an ACE in the ACL that grants, at minimum, read access to the ASP.NET process account or impersonated identity.

Data Access

To access a remote database using Windows authentication from your ASP.NET application, you have the following options:

● Use the default ASP.NET process account. Use the default ASP.NET process account by creating a mirrored account with the same user name and password on the database server. On Windows 2000, the default process account is ASPNET. On Windows Server 2003, the default process account is NetworkService. The disadvantage of using local accounts is that if you can dump the SAM database, which requires administration privileges, then you can access the credentials. The main advantage is that local accounts can be scoped to specific servers, which is difficult to achieve using domain accounts.

● Use a least privileged domain account to run ASP.NET. This approach simplifies administration, and it means that you do not need to synchronize the passwords of mirrored accounts. It will not work if the Web server and database server are in separate non-trusting domains, or if a firewall separates the two servers and the firewall does not permit the necessary ports for Windows authentication.

● Impersonate the Anonymous Web account. If you are using Forms or Passport authentication, you can impersonate the anonymous Web account (IUSR_MACHINE by default) and create a mirrored account on the database server. This approach is useful in scenarios where you host multiple Web applications on the same Web server. You can use IIS to configure each application’s virtual directory with a different anonymous account.

On Windows Server 2003, you can run multiple applications in separate worker processes, using IIS 6.0 application pools and configuring a separate identity for each one.

Configuring Data Access for Your ASP.NET Application

Whichever approach you use, restrict the application’s account in the database. To do this, create a SQL Server login for the account, grant it access to the required database, and restrict its permissions so that it only has access to the minimum required database objects. Ideally, you should restrict permissions so that the login has access only to the stored procedures used by your application or Web service.

The following procedure assumes that you are using a mirrored local account, but you can use the same approach with a domain account to restrict the account’s capabilities in the database.
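The steps just described (create a login for the mirrored account, map it into the application database, and grant only what the application needs) as a worked T-SQL script. This is an added example, not the book's own procedure or code: the server name DBSERVER, the database AppDatabase, the user and role names, the table dbo.Orders and the procedures dbo.usp_GetOrder and dbo.usp_InsertOrder are all placeholders, and the script uses SQL Server 2012-or-later syntax (CREATE LOGIN, CREATE USER, ALTER ROLE ... ADD MEMBER); on SQL Server 2000, the version current when the book was written, the equivalents are sp_grantlogin, sp_grantdbaccess, sp_addrole and sp_addrolemember.

```sql
-- Added example, not from the book. All names are placeholders.
-- Step 1: a Windows login for the mirrored local ASPNET account on the database server.
-- (For the domain-account option, substitute [DOMAIN\AspNetSvc] here and below.)
USE master;
GO
CREATE LOGIN [DBSERVER\ASPNET] FROM WINDOWS;
GO

-- Step 2: map the login into the application database as a plain user.
-- No schema ownership, no membership in db_datareader/db_datawriter.
USE AppDatabase;
GO
CREATE USER [AspNetAppUser] FOR LOGIN [DBSERVER\ASPNET];
GO

-- Step 3: put the permissions on a dedicated role so they can be reviewed
-- and revoked as a unit rather than scattered across users.
CREATE ROLE [AppExecRole];
ALTER ROLE [AppExecRole] ADD MEMBER [AspNetAppUser];
GO

-- Step 4: grant EXECUTE only on the procedures the application actually calls.
-- Because the procedures and the tables they touch are both owned by dbo,
-- ownership chaining lets the procedures read and write the tables without
-- the user holding any table permission at all.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder    TO [AppExecRole];
GRANT EXECUTE ON OBJECT::dbo.usp_InsertOrder TO [AppExecRole];
GO

-- Review: list every object-level permission held by the role or the user.
-- Anything beyond the two EXECUTE grants indicates the account is over-privileged.
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE  pr.name IN ('AppExecRole', 'AspNetAppUser')
  AND  pe.class_desc = 'OBJECT_OR_COLUMN';
GO

-- Review: check effective permissions from the application user's point of view.
-- The first call tests direct SELECT on the table, the second tests EXECUTE on the procedure.
EXECUTE AS USER = 'AspNetAppUser';
SELECT HAS_PERMS_BY_NAME('dbo.Orders',       'OBJECT', 'SELECT')  AS can_select_table,
       HAS_PERMS_BY_NAME('dbo.usp_GetOrder', 'OBJECT', 'EXECUTE') AS can_exec_proc;
REVERT;
GO
```

Run the script as a sysadmin or db_owner on the database server. The two review queries are the part worth keeping in a deployment checklist: the catalog query shows exactly what the account has been granted, and the HAS_PERMS_BY_NAME pair confirms that the user can reach the data only through the stored procedure and not by querying the table directly, which is the condition the chapter recommends.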