How to configure a least-privilege account to host your service
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Use the following steps to create a least-privileged account to host your service:
- Create a Windows account. Start from a plain local user with no group memberships beyond Users; the steps below grant only what the service needs.
- Run the following aspnet_regiis.exe command to grant the account the permissions ASP.NET needs (access to the IIS metabase and to the directories ASP.NET uses):
aspnet_regiis.exe -ga machineName\userName
- If your application needs to run in ASP.NET compatibility mode, use the Local Security Policy tool to grant the Windows account the Deny log on locally user right. This reduces the privileges of the account and prevents anyone from logging on to Windows interactively with it. Otherwise, skip this step.
- Use the least-privileged account to run your WCF service:
  - If your service is hosted in IIS 6.0, use IIS Manager to create an application pool that runs under the account identity, and use IIS Manager to assign your WCF service to that application pool.
  - If your service is hosted in a Windows service, configure the Windows service to run under the account identity; the WCF service then runs in the security context of the Windows service. The account needs the Log on as a service user right: the Services console grants it when you select the account there, but the sc.exe command-line tool does not.
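The four steps above, scripted in PowerShell as an added example (this is not code from the original guidance and not a Microsoft tool; it wraps net.exe, aspnet_regiis.exe, secedit.exe, adsutil.vbs and sc.exe). It assumes an elevated PowerShell 2.0 or later prompt on the host, the .NET Framework 2.0 aspnet_regiis.exe path, and placeholder names for the account, application pool, metabase path and Windows service. Two details are practitioner additions the guidance does not state: IIS 6.0 requires a custom application pool identity to be a member of IIS_WPG, and a service account set through sc.exe must be granted Log on as a service explicitly.

```powershell
# Added example, not part of the original guidance. Scripts the least-privilege
# hosting steps for one of the two hosting models. All names below are assumed
# placeholders; adjust them for your environment.
param(
    [ValidateSet('IIS', 'Service')]
    [string]$Hosting = 'IIS',
    [string]$User    = 'WcfSvc',                     # assumed local account name
    [string]$Pool    = 'WcfLeastPrivPool',           # assumed IIS 6.0 application pool
    [string]$AppPath = 'W3SVC/1/ROOT/MyWcfService',  # assumed metabase path of the service
    [string]$Service = 'MyWcfHostService',           # assumed Windows service name
    [switch]$AspNetCompatibilityMode                 # set if the service runs in ASP.NET compatibility mode
)
$ErrorActionPreference = 'Stop'
$Account = "$env:COMPUTERNAME\$User"
$Secure  = Read-Host -AsSecureString "Password for $Account"
$Plain   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# Grants a user right to a SID through secedit. secedit /configure replaces the
# whole assignment list for a right, so the current members are merged in first
# instead of being overwritten.
function Grant-UserRight([string]$Right, [string]$Sid) {
    $inf = Join-Path $env:TEMP 'rights.inf'
    $db  = Join-Path $env:TEMP 'rights.sdb'
    & secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line    = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" }
    $current = @(("$line" -replace "^$Right\s*=\s*", '') -split ',' | Where-Object { $_ })
    if ($current -notcontains "*$Sid") { $current += "*$Sid" }
    $body = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "$Right = $($current -join ',')"
    )
    Set-Content -Path $inf -Value $body -Encoding Unicode
    & secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Step 1: create the Windows account. A plain local user (member of Users only);
# the account does not expire, and it cannot change its own password.
& net user $User $Plain /add /expires:never /passwordchg:no | Out-Null
# Keep a password-expiry policy from silently stopping the service later.
& wmic useraccount where "name='$User'" set PasswordExpires=false | Out-Null

# Step 2: grant the ASP.NET permissions (IIS metabase and the ASP.NET directories).
$fx = Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v2.0.50727'
& (Join-Path $fx 'aspnet_regiis.exe') -ga $Account | Out-Null

$sid = (New-Object Security.Principal.NTAccount($Account)).Translate(
           [Security.Principal.SecurityIdentifier]).Value

# Step 3: Deny log on locally (SeDenyInteractiveLogonRight), as the guidance
# describes for ASP.NET compatibility mode.
if ($AspNetCompatibilityMode) { Grant-UserRight 'SeDenyInteractiveLogonRight' $sid }

# Step 4: run the service under the account.
if ($Hosting -eq 'IIS') {
    # IIS 6.0 only runs a worker process under a custom identity that is a member
    # of IIS_WPG (practitioner addition, not stated in the guidance above).
    & net localgroup IIS_WPG $Account /add | Out-Null
    $adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
    $poolKey = "W3SVC/AppPools/$Pool"
    & cscript //nologo $adsutil CREATE $poolKey IIsApplicationPool | Out-Null
    & cscript //nologo $adsutil SET "$poolKey/AppPoolIdentityType" 3 | Out-Null  # 3 = specific user account
    & cscript //nologo $adsutil SET "$poolKey/WAMUserName" $Account | Out-Null
    & cscript //nologo $adsutil SET "$poolKey/WAMUserPass" $Plain | Out-Null
    & cscript //nologo $adsutil SET "$AppPath/AppPoolId" $Pool | Out-Null
} else {
    # A service account needs SeServiceLogonRight. The Services console grants it
    # when you pick the account there; sc.exe does not, so grant it explicitly.
    Grant-UserRight 'SeServiceLogonRight' $sid
    & sc.exe config $Service obj= ".\$User" password= $Plain | Out-Null
}

# Check: the account should list no group memberships beyond Users (and IIS_WPG
# for the IIS case). Anything else is privilege the service did not need.
& net user $User
```

Run the script once per host and review the final `net user` output; the Local Group Memberships line is the quickest way to catch an account that was accidentally added to Administrators or Power Users. The plaintext password is held in `$Plain` only for the duration of the run because the underlying tools accept nothing else; start a fresh session afterwards rather than leaving it in a long-lived shell.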