[英]What account should I use for ASP.NET?
By default ASP.NET uses the network service account, is this the account I should be using with ASP.NET in production? 默认情况下,ASP.NET使用网络服务帐户,这是我应该在生产环境中与ASP.NET一起使用的帐户吗? What are the best practices related to the account used by ASP.NET?
与ASP.NET使用的帐户相关的最佳做法是什么?
Regards 问候
Edit: If this makes any difference, I'll be using ASP.NET on a Windows 2008 server 编辑:如果有什么不同,我将在Windows 2008服务器上使用ASP.NET
For production, you should create a service account that has only the bare minimum permissions in order to run the web application. 对于生产,您应该创建仅具有最低限度权限的服务帐户,以便运行Web应用程序。
The Microsoft Patterns and Practices team provides the following guidance on this: Microsoft模式和实践团队为此提供了以下指导:
How To: Create a Service Account for an ASP.NET 2.0 Application 如何:为ASP.NET 2.0应用程序创建服务帐户
You're gonna get lots of "it depends" answers but here's my 2 cents anyway. 您会得到很多“取决于”答案,但是无论如何这是我的2美分。
Consider password change management, potential damage through compromise, as well as application needs eg trusted connectivity. 考虑密码更改管理,通过折衷可能造成的损害以及应用程序需求,例如可信连接。
In most scenarios Network Service comes out best in these dimensions. 在大多数情况下,网络服务在这些方面都表现最好。
<domain>\\<machinename>$
<domain>\\<machinename>$
访问其他主机 Of course your app may have different needs - but typically we use Network Service wherever possible - we run 10,000's of machines. 当然,您的应用可能有不同的需求-但通常我们会尽可能使用网络服务-我们会运行10,000台计算机。
Unless you have some other need -- like a requirement to use integrated authentication to SQL Server for a database connection -- I would stick with the default account. 除非您有其他需求(例如对数据库连接使用对SQL Server的集成身份验证的需求),否则我会坚持使用默认帐户。 It has fewer privileges than many other accounts, yet is enabled with the necessary privileges to run web applications.
它具有比许多其他帐户更少的特权,但具有运行Web应用程序所需的特权。 Caveat here: we typically don't make any privilege changes for the network service account and usually fire up a VM per production application (or set of related applications) rather than configuring multiple applications per server.
请注意:我们通常不对网络服务帐户进行任何特权更改,并且通常为每个生产应用程序(或一组相关应用程序)启动VM,而不是为每个服务器配置多个应用程序。 If you are running multiple applications per server or make changes to the network service account's privileges for other reasons, you may want to consider using a separate service account for each application.
如果每个服务器运行多个应用程序或由于其他原因更改网络服务帐户的特权,则可能需要考虑为每个应用程序使用单独的服务帐户。 If you do, make sure that this service account has the fewest privileges necessary to run ASP.NET applications and perform any additional tasks required.
如果这样做,请确保此服务帐户具有运行ASP.NET应用程序并执行所需的任何其他任务所需的最少特权。
您应该使用特权级别较低的帐户
1) Create a specific user account for each application 1)为每个应用程序创建一个特定的用户帐户
2) Create an Application Pool that runs under this account 2)创建在此帐户下运行的应用程序池
3) The Website should be configured to run under this Application Pool. 3)网站应配置为在此应用程序池下运行。
4) In SQL Server, use Windows Authentication and give DB permissions to this User. 4)在SQL Server中,使用Windows身份验证并将数据库权限授予该用户。
5) Use this User in a connection string (ie no passwords in connection string) 5)在连接字符串中使用该用户(即连接字符串中没有密码)
6) Use this User to assign permissions to other resources as required. 6)使用此用户可以根据需要向其他资源分配权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.