Adding "Network Service" Account to Administrators Group

My web-app runs in IIS 6.0 under windows server 2003, and we all know that in this situation, user account "Network Service" is used by IIS.

I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege.

The laziest solution to me seems to add "Network Service" to Administrators Group, and it actually works.

MY QUESTION is, how DANGEROUS this solution is, and in what way can it compromise the security of my web server?

Best answer

This is generally "a bad idea". If this is a public facing server then this is a really bad idea.

What you should do, and this is how we approach problems such as this, is sandbox the specific admin tasks you need to carry out in another process such as a Windows service which has elevated rights.

We then host a Remoting Server in the Windows Service and communicate with the service either over a named pipe or TCP/IP (if machine to machine and this is over a back end private network).

For more information, please see this answer which I left for another user regarding a similar problem:

Windows User Account that executes only IIS7 Provisions

An even better approach would be to never have direct communication between the web application and the windows service, but go through an intermediary such as a job or message queue. Your low privileged application places request for the admin task to be carried out, your elevated privileged service reads these tasks from the queue and carries them out.

In both cases you should ensure that you don't overscope the responsibility of each task. i.e. ensure that if the task is to create a new Windows account on the server then don't allow that new account to gain more rights than it needs.
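The broker design this answer describes, as an added C# sketch of the elevated Windows service side (this is not code from the answer or from any project). It assumes a named pipe called AdminTaskBroker, a one-line request format of "<task> <arg1> <arg2>", and a single allow-listed task; the Windows service hosting boilerplate is left out.

```csharp
using System;
using System.DirectoryServices;
using System.IO;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text.RegularExpressions;
// Runs inside the elevated Windows service (service hosting is assumed, not shown).
// The web app, still running as Network Service, can only request the named tasks below.
static class AdminTaskBroker
{
    // Plain alphanumeric names only, so a caller cannot smuggle in ADSI path syntax.
    static readonly Regex SafeName = new Regex("^[A-Za-z][A-Za-z0-9]{2,19}$");
    // Request line format (assumed): "<task> <arg1> <arg2>". Anything else is refused.
    public static string Handle(string line)
    {
        string[] p = (line ?? "").Split(' ');
        if (p[0] == "create-local-user" && p.Length == 3 && SafeName.IsMatch(p[1]))
            return CreateLocalUser(p[1], p[2]);
        return "ERR refused";   // no "add-to-group" or "run command" task exists, by design
    }
    static string CreateLocalUser(string name, string password)
    {
        using (var root = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer"))
        using (var user = root.Children.Add(name, "user"))
        {
            user.Invoke("SetPassword", new object[] { password });
            user.CommitChanges();   // no group membership is added: the account stays a plain user
        }
        return "OK created " + name;
    }
    public static void Serve()
    {
        // Pipe ACL: the service owns the pipe, Network Service (the IIS 6 app pool
        // identity) may read/write, and no other principal can open it at all.
        var acl = new PipeSecurity();
        acl.AddAccessRule(new PipeAccessRule(WindowsIdentity.GetCurrent().User,
            PipeAccessRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        while (true)
            using (var pipe = new NamedPipeServerStream("AdminTaskBroker", PipeDirection.InOut,
                1, PipeTransmissionMode.Byte, PipeOptions.None, 4096, 4096, acl))
            {
                pipe.WaitForConnection();   // one request per connection
                var writer = new StreamWriter(pipe) { AutoFlush = true };
                writer.WriteLine(Handle(new StreamReader(pipe).ReadLine()));
            }
    }
}
```

The web page connects with a NamedPipeClientStream as Network Service and sends one request line; because the broker only knows the one task and validates its arguments, a compromised web app gains nothing beyond creating an unprivileged local account.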

Answers

If I were to write some web function that required box-level admin, I would make that its own application in its own app pool, lock down that application as tightly as I could, give that app pool a named account (a domain resource, if on an Active Directory), and then give that account admin privileges on the box. Keeping it in its own app pool effectively locks it down from your regular application.

NT Authority/Network Service interacts with a ton of stuff on your machine. I cannot come up with any good reason to get Network Service admin privileges.

Under no circumstances do this.

If you add Network Service to admin group, then all anonymous users accessing your Web app will be admins by default and the damage potential is massive.

Per your question

I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege.

that's fine - use Windows authentication on that web page and make the user a normal Windows admin. Now they, and all other admins, can perform the tasks you have set up.
