Local Systems Account vs Windows

  • In an attempt to make sense of 2072 and 2073 classes I took a year ago, and do some testing outside of work, I built a server with Windows Server 2003 and SQL 2000 SP4 at home.  I read a couple articles on this site that conflict, one says set up SQL to run off of a local account, another says a locked down Windows account.  For my purpose, I have it at home and would only log into SQL through NT, or the SA account.  I would like to set up a user for ASP and ASP.NET pages to access the SQL Server.

    I am looking for any suggestions on how to set up the server as it will be running IIS too, to limit the exposure of the SQL server and any command prompt functionality.  Help, suggestions, laughs...

    Thanks,


    "Life without progression is entropy"
    Sam Jaynes

  • "run off of a local account, another says a locked down Windows account."

    These are not conflicting recommendations. A Windows account can be local or domain - I would choose domain first, but it does depend on your design.

    1 Ensure your connection string specifies Integrated Security=SSPI

    2 Create a Windows domain account.

    3 Run the following Aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:

    aspnet_regiis.exe -ga machineName\userName

    4 On Windows 2003, running the Aspnet_regiis.exe -ga command adds the account to the IIS_WPG group. Membership in the IIS_WPG group grants the account the Log on as a batch job permission and ensures that the necessary file system and IIS metabase permissions are granted.

    5 Use the Local Security Policy tool to grant the Windows account the Deny logon locally user right.

    Use IIS Manager to create an application pool running under the new account's identity and assign the ASP.NET application to the pool.

    6 Grant the account access to SQL Server

    7 Test it

    This may be a little technical and lengthy, but it is worth it even if you just pick the sections that are relevant:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh18.asp
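
Step 6 of the reply above, written out in T-SQL for SQL Server 2000 as an added example that is not part of the original posts. The account `CONTOSO\svc_webapp`, the database `AppDb`, the role `WebAppRole` and the procedure `dbo.usp_GetOrders` are hypothetical placeholders; the script assumes the Windows account and the database already exist.

```sql
-- Added example, not from the original thread. Hypothetical placeholders:
--   CONTOSO\svc_webapp = the Windows account from step 2 (application pool identity)
--   AppDb              = the application database
--   dbo.usp_GetOrders  = a stored procedure the ASP.NET pages call
-- Matching connection string for step 1 (no password kept in the site config):
--   Server=(local);Database=AppDb;Integrated Security=SSPI

USE master
GO
-- Let the Windows account connect. No SQL login or password is created,
-- so the pages never need the SA account.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = N'CONTOSO\svc_webapp')
    EXEC sp_grantlogin N'CONTOSO\svc_webapp'
GO
EXEC sp_defaultdb N'CONTOSO\svc_webapp', N'AppDb'
GO

USE AppDb
GO
-- Map the login to a database user in the application database only.
IF NOT EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = N'svc_webapp')
    EXEC sp_grantdbaccess N'CONTOSO\svc_webapp', N'svc_webapp'
GO
-- Permissions go to a role, not to the user and not through db_owner.
IF NOT EXISTS (SELECT 1 FROM dbo.sysusers
               WHERE name = N'WebAppRole' AND issqlrole = 1)
    EXEC sp_addrole N'WebAppRole'
GO
EXEC sp_addrolemember N'WebAppRole', N'svc_webapp'
GO
-- Grant only what the pages call; repeat per procedure.
GRANT EXECUTE ON dbo.usp_GetOrders TO WebAppRole
GO
-- Step 7 aid: list what the role can actually do.
EXEC sp_helprotect NULL, N'WebAppRole'
GO
```

Because the account holds no server role and no table-level rights, the pages can run the listed procedures and nothing else in `AppDb`.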
