Improving Web Application Security: Threats and - CGISecurity


Chapter 22: Deployment Review 663

The identity under which the ASP.NET worker process runs is controlled by settings on the element in Machine.config. The following review questions help verify your process identity settings:

● What identity do you use to run ASP.NET?
Check the userName and password attributes. Ideally, you use the following configuration that results in the ASP.NET process running under the least privileged ASPNET account.

● Do you encrypt the credentials?
If you use a custom account, make sure that the account credentials are not specified in plaintext in Machine.config. Make sure the Aspnet_setreg.exe utility has been used to store encrypted credentials in the registry. If this has been used, the userName and password attributes look similar to the settings shown below:

● Do you use a least privileged account?
The default ASPNET account is a least privileged local account designed to run ASP.NET. To use it for remote resource access, you need to create a duplicate account on the remote server. Alternatively, you can create a least privileged domain account.
Check that the account is not a member of the Users group, and view the user rights assignment in the Local Security Policy tool to confirm it is not granted any extended or unnecessary user rights. Make sure it is not granted the “Act as part of the operating system” user right.

Web Services
The goal for this phase of the review is to identify vulnerabilities in the configuration of your Web services. For further background information about the issues raised by the review questions in this section, see Chapter 17, “Securing Your Application Server,” and Chapter 19, “Securing Your ASP.NET Applications and Web Services.”
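The three process identity review questions above can be automated against a Machine.config file. The following script is an added example, not code from the book or from Microsoft; it assumes the element in question is <processModel> with userName and password attributes, that "machine" and "AutoGenerate" are the defaults, and that Aspnet_setreg.exe leaves "registry:..." references in those attributes. All sample fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample <processModel> fragments (assumed element name; not from a real server).
SAMPLES = {
    "default": '<processModel userName="machine" password="AutoGenerate"/>',
    "system": '<processModel userName="SYSTEM" password="AutoGenerate"/>',
    "plaintext": '<processModel userName="CORP\\svc-web" password="ClearTextSecret1"/>',
    "encrypted": (
        '<processModel userName="registry:HKLM\\SOFTWARE\\Example\\ASPNET_SETREG,userName" '
        'password="registry:HKLM\\SOFTWARE\\Example\\ASPNET_SETREG,password"/>'
    ),
    "full": (
        '<configuration><system.web>'
        '<processModel userName="CORP\\svc-web" password="ClearTextSecret1"/>'
        '</system.web></configuration>'
    ),
}


def review_process_identity(config_xml: str) -> dict:
    """Apply the three process-identity review questions to a Machine.config
    document or to a bare <processModel> fragment. Returns the identity class,
    whether credentials are registry references, and a list of findings."""
    root = ET.fromstring(config_xml)
    elem = root if root.tag == "processModel" else root.find(".//processModel")
    if elem is None:
        raise ValueError("no <processModel> element found")
    # Assumed ASP.NET defaults when the attributes are omitted.
    user = elem.get("userName", "machine")
    pwd = elem.get("password", "AutoGenerate")
    in_registry = user.lower().startswith("registry:") and pwd.lower().startswith("registry:")
    findings = []
    if in_registry:
        identity = "custom account, credentials stored encrypted in the registry"
    elif user.lower() == "machine":
        identity = "ASPNET (least privileged local account)"
    elif user.lower() == "system":
        identity = "LocalSystem"
        findings.append("worker process runs as SYSTEM; use ASPNET or a least privileged account")
    else:
        identity = "custom account " + user
        findings.append("custom account credentials are in plaintext in Machine.config; "
                        "run Aspnet_setreg.exe and reference the registry instead")
    return {"identity": identity, "credentials_in_registry": in_registry, "findings": findings}


if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, review_process_identity(xml))
```

The script only reads the configuration; confirming group membership and user rights assignment for the chosen account still has to be done in the Local Security Policy tool as the review question describes.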
