ASP.NET pages are executed within a process, or Windows program. All Windows programs run with a specific security identity. By default, the ASP.NET process runs under a predefined Windows identity. Alternatively, by configuring your application to use impersonation, you can set ASP.NET to run under a different identity or under the Windows identity of the user making the request.
To improve the security of your ASP.NET applications, you should be sure that the ASP.NET process runs with an identity that has only the minimal permissions required to run your applications. This reduces the vulnerability of resources exposed by ASP.NET, should a security breach occur.
On a Windows Server 2003 Web server (IIS 6.0), the ASP.NET process runs in the application pool for the Web application. The application pool defines the identity that ASP.NET runs under (by default, the NETWORK SERVICE account). On earlier versions of IIS (Windows 2000 and Windows XP Professional), ASP.NET runs in the ASP.NET worker process (aspnet_wp.exe). The identity that ASP.NET runs under is the identity of the aspnet_wp.exe process (by default, the ASPNET account).
To specify the identity for your ASP.NET application on a Windows 2003 server, you use the Internet Information Services (IIS) Manager to configure the identity of the application pool for your ASP.NET application.
To run the ASP.NET worker process with its own account under Windows 2000 or Windows XP Professional, you can apply the following two attributes to the processModel element of the Web server computer's Machine.config file:
userName: The name of the Windows account under which the process will run.
password: The clear-text password for the account. There are security risks associated with storing clear-text passwords in a configuration file: anyone who can read Machine.config can read the credentials. Protected configuration (see Encrypting Configuration Information Using Protected Configuration) does not help here, because the processModel element is read by the unmanaged aspnet_isapi.dll before the runtime loads, and that topic lists processModel among the sections that cannot be encrypted. For applications published on the Internet, you should therefore use alternative means of running the application with a specific identity, such as impersonating the anonymous identity supplied by IIS. For more information, see Using IIS Authentication with ASP.NET Impersonation.
The following example shows how to set these attributes in the processModel element of a configuration file to run the worker process under a local user account.
<system.web>
  <processModel enable="true"
                userName="LOCALMACHINE\IUSR_ProcessUser"
                password="%Hco94*#QW12"/>
</system.web>
In addition to setting the userName attribute to the name of an existing Windows identity, you can set it to one of the predefined names System or Machine. The System account runs the worker process with the same identity as Microsoft Internet Information Services (IIS) itself (typically SYSTEM).
It is not recommended that you run your applications under the System account, because the account has elevated privileges and can therefore represent a security risk if the ASP.NET process is compromised.
The Machine account runs the worker process with a special account named ASPNET that has limited permissions. With either predefined name you do not supply credentials: leave the password attribute at its default value of AutoGenerate, so no password is stored in the configuration file.
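As an added example (not code from the original page), the following Python script parses a Machine.config fragment and reports which identity the processModel element would give aspnet_wp.exe, flagging the System identity and any stored clear-text password. The function name audit_process_model and the three sample fragments are this example's own assumptions; the fragments are constructed and do not come from a real server.

```python
import xml.etree.ElementTree as ET

# Constructed sample Machine.config fragments (not taken from any real server).
SPECIFIC_USER_CONFIG = r"""<configuration>
  <system.web>
    <processModel enable="true" userName="LOCALMACHINE\IUSR_ProcessUser" password="%Hco94*#QW12"/>
  </system.web>
</configuration>"""

SYSTEM_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true" userName="System" password="AutoGenerate"/>
  </system.web>
</configuration>"""

MACHINE_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true" userName="Machine" password="AutoGenerate"/>
  </system.web>
</configuration>"""


def audit_process_model(config_xml):
    """Resolve the identity the <processModel> element gives the worker process.

    Returns a dict with the resolved identity, whether a clear-text password
    is stored in the file, and a list of human-readable findings.
    (audit_process_model is a name chosen for this example.)
    """
    root = ET.fromstring(config_xml)
    pm = root.find("./system.web/processModel")
    findings = []

    # Attribute defaults when the element or attribute is absent:
    # enable="true", userName="machine", password="AutoGenerate".
    if pm is None:
        return {"identity": "Machine", "cleartext_password": False,
                "findings": ["no processModel element; the default ASPNET account (Machine) applies"]}

    user = pm.get("userName", "machine")
    password = pm.get("password", "AutoGenerate")
    enabled = pm.get("enable", "true").lower() == "true"

    if not enabled:
        findings.append('enable="false": ASP.NET runs inside the IIS process '
                        "(inetinfo.exe) instead of aspnet_wp.exe")

    # AutoGenerate means no password is kept in the file; anything else is clear text.
    cleartext = password.lower() != "autogenerate"

    if user.lower() == "system":
        identity = "System"
        findings.append("worker process runs as SYSTEM; a compromised application "
                        "gets full local privileges")
    elif user.lower() == "machine":
        identity = "Machine"
    else:
        identity = user
        if cleartext:
            findings.append("clear-text password for %s is stored in Machine.config; "
                            "prefer IIS impersonation of a low-privilege account" % user)

    return {"identity": identity, "cleartext_password": cleartext, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("specific user", SPECIFIC_USER_CONFIG),
                       ("System", SYSTEM_CONFIG),
                       ("Machine", MACHINE_CONFIG)):
        result = audit_process_model(cfg)
        print(label, "->", result["identity"])
        for finding in result["findings"]:
            print("  finding:", finding)
```

Run it against a copy of the real Machine.config (for example with audit_process_model(open(path).read())) to see whether the worker process would start as SYSTEM or with credentials that anyone able to read the file can recover.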