SQL Server Performance

Run Network Service on SQL Server when used specifically with IIS?

Discussion in 'SQL Server Knowledge Sharing Network (SqlServer-qa' started by satya, Oct 17, 2007.

  1. satya Moderator

    When it comes to databases used by a web farm, using the Network Service account is compulsory within ASP.NET and other resources. When you install Windows Server with IIS6, it defaults to using the account “NT Authority/Network Service” as its main security account. You can change it to another account by using the Application Pool you see in IIS, which has an option to change the identity of the main security account for IIS. There are 3 defaults, or you can select your own account. Further information is on MSDN: How To: Use the Network Service Account to Access Resources in ASP.NET.
    So from a security perspective, is it compulsory to change the Network Service account or grant relevant permissions on the database server? The patterns & practices guideline How To: Create a Service Account for an ASP.NET 2.0 Application confirms using the Network Service account within your SQL Server, but in a secured way. It is easier to use Network Service, because it can use the SPN of the machine, which is already set up. There are some drawbacks in leaving the account at its default settings. Think about a mass attack, or SQL injection used to bring down your application that uses Network Service: if the account is compromised by a remote attacker, the attacker now has credentials to read your SQL Server database.
    Also, the updated Books Online specifically recommends *not* using the Network Service account to run SQL Server. For further information on SQL Server security best practices, refer to this white paper at http://www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.mspx.
    To see what is running on the server, you can use Process Explorer from Sysinternals, at http://www.microsoft.com/technet/sysinternals/Security/NewSid.mspx.
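
One way to grant the web application's Network Service identity database access "in a secured way", as an added example that is not part of the original post. The domain `CONTOSO`, web server `WEB01`, database `AppDb`, schema `app` and role `web_app_exec` are assumed names, and the `app` schema is assumed to already hold the application's stored procedures.

```sql
-- Added example: least-privilege access for an IIS application pool that runs
-- as Network Service. All object names are assumptions, not from the post.
USE master;
GO
-- When IIS is on a different machine, Network Service authenticates to SQL
-- Server as the web server's computer account (DOMAIN\MACHINE$). If IIS and
-- SQL Server share one machine, use [NT AUTHORITY\NETWORK SERVICE] instead.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\WEB01$')
    CREATE LOGIN [CONTOSO\WEB01$] FROM WINDOWS
        WITH DEFAULT_DATABASE = [AppDb];
GO
USE AppDb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\WEB01$')
    CREATE USER [CONTOSO\WEB01$] FOR LOGIN [CONTOSO\WEB01$];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'web_app_exec' AND type = 'R')
    CREATE ROLE web_app_exec;
GO
-- Grant only EXECUTE on the stored-procedure schema. No db_owner,
-- db_datareader or db_datawriter membership and no direct table grants:
-- ownership chaining lets the procedures reach tables with the same owner.
-- Procedures that build dynamic SQL break that chain and would need
-- explicit table permissions, so keep them parameterized.
GRANT EXECUTE ON SCHEMA::app TO web_app_exec;
EXEC sp_addrolemember N'web_app_exec', N'CONTOSO\WEB01$';
GO
-- Check: the account should belong to web_app_exec and nothing else.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CONTOSO\WEB01$';
```

With this setup, a compromised web application identity can only call the procedures in the `app` schema rather than read tables directly.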
