How to control database permissions for website running under NETWORK SERVICE?

Question

I've a web app which runs in an IIS AppPool under NT AUTHORITY\NETWORK SERVICE account. WebApp connects to a SQL Server 2008 R2 db with Integrated Security = True;

When I run SQL Profiler, while operating the site, I can see it logins using NT AUTHORITY\NETWORK SERVICE.

But I do not see a corresponding login under Security > Logins.

My Questions are:

• To which SQL Server Login, NT AUTHORITY\NETWORK SERVICE is mapped to?
• How do I control permissions for NETWORK SERVICE?
• Is it a good practice to lower the permissions for NETWORK SERVICE account in SQL SERVER?

Answer 1

NT AUTHORITY\NETWORK SERVICE is not mapped in Sql Server. You have to do it by yourself. Network Service impersonates the computer account when trying to connect to an off-box resource. Granting permissions to DOMAIN\Servername$ does generally work.

Once the Sql Server mapping is created, you control permissions as for every others accounts. It's pretty the same.

Personnaly, I think it's not a good practice to mix integrated security & network service because it's a built-in account. It's probably ok for a lot of environments but you don't have a high degree of security. For example, if many web sites accessing the db are deployed in a Web Farm, you will completely loose control of permissions. It's also painfull to manage.

You have two options to avoid this :

• Use a sql authentication

This is relatively insecure. A disgruntled ex-employee could use the information maliciously, a visitor might see the code up on a screen somewhere or the source code might accidentally get out in the wild.

• Change application pool identity.

Simply create/reuse a separate Windows Account, grant it the minimum access it needs in SQL Server, and then change the application to run under the context of this new account. Read more here.