Adding "Network Service" Account to Administrators Group
Asked Answered
P

3

7

My web-app runs in IIS 6.0 under windows server 2003, and we all know that in this situation, user account "Network Service" is used by IIS.

I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege.

The laziest solution to me seems to add "Network Service" to Administrators Group, and it actually works.

MY QUESTION is, how DANGEROUS this solution is, and in what way can it compromise the security of my web server?

Persis answered 9/2, 2010 at 2:53 Comment(1)
There might be a couple of things you can do that are more dangerous than that. But I doubt it.Jessikajessup
J
6

This is generally "a bad idea". If this is a public facing server then this is a really bad idea.

What you should do, and this is how we approach problems such as this, is sandbox the specific admin tasks you need to carry out in another process such as a Windows service which has elevated rights.

We then host a Remoting Server in the Windows Service and communicate with the service either over a named pipe or TCP/IP (if machine to machine and this is over a back end private network).

For more information, please see this answer which I left for another user regarding a similar problem:

Windows User Account that executes only IIS7 Provisions

An even better approach would be to never have direct communication between the web application and the windows service, but go through an intermediary such as a job or message queue. Your low privileged application places request for the admin task to be carried out, your elevated privileged service reads these tasks from the queue and carries them out.

In both cases you should ensure that you don't overscope the responsibility of each task. i.e. ensure that if the task is to create a new Windows account on the server then don't allow that new account to gain more rights than it needs.

Jorin answered 9/2, 2010 at 5:30 Comment(0)
B
2

If I were to write some web function that required box-level admin, I would make that it's own application in its own app pool, lock down that application as tightly as I could, give that app pool a named account (a domain resource, if on an Active Directory), and then give that account admin privileges on the box. Keeping it in its own app pool effectively locks it down from your regular application.

NT Authority/Network Service interacts with a ton of stuff on your machine. I cannot come up with any good reason to get Network Service admin privileges.

Brandeebranden answered 9/2, 2010 at 3:0 Comment(0)
C
1

Under no circumstances do this.

If you add Network Service to admin group, then all anonymous users accessing your Web app will be admins by default and the damage potential is massive.

Per your question

I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege.

that's fine - use Windows authentication on that web page and make the user a normal Windows admin. Now they, and all other admins, can perform the tasks you have set up.

Cristincristina answered 11/2, 2010 at 22:38 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.