When using integrated security should I use the default apppool

Question

I just read something that said it's much better to use integrated security here on SO, so I've switched all my connection strings over.

The error I get is "Login failed for user 'IIS APPPOOL\DefaultAppPool'."

Before I go ahead and grant this user permission, I wanted to ensure that it was the correct thing to do and I wasn't inadvertently opening the floodgates of hacker hell.

Should I grant this app pool permission to access my SQL or should I create a new app pool?

I'm writing WCF services in .NET 4.5

Answer 1

Do you have other sites or services on the server that use this app pool and could potentially provide a security risk for database access? If yes, create a new app pool. Do you have another site that might cause the app pool process to crash, or might have a memory leak (thus affecting other sites in the same app pool)? If yes, create a new app pool.

Other than slightly more memory usage, app pool isolation really doesn't have any serious downsides. Microsoft "generally" recommends it (although this article is about SharePoint setup, the app pool / database access concept is the same):

You need to establish which Application Pool in IIS is going to be used by the IIS Web Site. Application Pools in IIS access resources on behalf of the Web Site using an account identity that you specify. This Application Pool will be used by the web application to access its content database. Generally, you’ll want to create a new one to keep it separate from the existing Application Pools.

See this thread for some additional discussion of the pros and cons of separate app pools per site.