If you are hosting your service in IIS, use a least privileged service account
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
If you are hosting your WCF service in IIS, use a least privileged service account to run IIS. IIS by default is run under the ASPNET (in IIS5) or NetworkService account (in IIS6). Consider using a lesser privileged account such as a custom service account
in a production environment.
By using a custom service account, you can audit and authorize your service individually, and your service is protected from changes made to the privileges and permissions within the default account.
- Create a Windows account
- Run the following aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:
aspnet_regiis.exe -ga machineName\userName
Note: This step is needed only if, your application needs to run in ASP.NET compatibility mode
- Use the Local Security Policy tool to grant the Windows account the Deny logon locally user right. This reduces the privileges of the account and prevents anyone logging onto Windows locally with this account.
- If your service is hosted in IIS 6.0, use IIS Manager to create an application pool running as an account identity. Use IIS Manager to assign your WCF Service to that application pool.