Securing a server application

Question

We have two backend applications, one that is reponsible for acquiring data from the internet and storing it in a database, and the other that is effectively a COMET server, accepting connections from the internet, hooked into the http pipeline via the HttpListener API.

In development, both these items have been created as console applications that are started manually under an admin account. Obviously, this is unsatisfactory from a security POV.

When we move to production, both these applications will be ported to run as Windows services using ServiceBase.Run and provided as installers for installation on the deployment platform.

As somebody who knows very little about Windows security, ACLs and the like, I would like to know what steps I can take to secure these applications (such as have them run in an account of lowest necessary privilege) and how one would create an installer that sets up the necessary service accounts and privileges for these accounts.

To be clear, I am not asking how to make a service installer - we have this already, but rather what steps are required to make the service installer actually install the service under a low privilege account with rights only to the minimum resources required to get the job done. Part of the answer would be how to allow the service account access to the Http pipeline.

EDIT: We can probably use a custom action with code from here for the http pipeline reservation.

Are there any other steps one might take to shore up the security of such applications?

TIA

Answer 1

I hope these articles will help you :
Designing Applications to Run at a Low Integrity Level
Defend Your Code with Top Ten Security Tips Every Developer Must Know
CLR security
Security Fundamentals
Managing Directory Security Principals in the .NET Framework 3.5
Building A Custom Security Token Service