If you are hosting your service in a Windows Service, use a least privileged custom domain account
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
In a production environment, if you are hosting your WCF service in a Windows service, run your service using a custom domain account.
By using a custom domain account, you can audit and authorize your service individually, and your service is protected from changes made to the privileges and permissions within the System account. Configure your custom domain account with the least privileges necessary to allow your service to run. This reduces the attack surface and constrains the impact of a malicious attack.
The following steps outline how to use a least privileged custom domain account:
- Create a Windows account
- Run the following aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:
aspnet_regiis.exe -ga machineName\userName
Note: This step is needed only if your application needs to run in ASP.NET compatibility mode.
- Use the Local Security Policy tool to grant the Windows account the Deny logon locally user right. This reduces the privileges of the account and prevents anyone logging onto Windows locally with this account.
- If your service is hosted in a Windows service, configure the Windows service to run using the account identity. The WCF service will then run under the security context of the Windows service.
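
The following PowerShell check is an added example, not part of the original guidance: it audits the outcome of the steps above by confirming that a service does not run as a built-in account and that its account holds the Deny logon locally right. The service name MyWcfHost is hypothetical, and the script assumes an elevated prompt on the service host and a domain account as the service identity.

```powershell
# Added example: audit a Windows service against the steps above.
# 'MyWcfHost' is a hypothetical service name. Run elevated, because
# secedit /export needs administrative rights.
function Test-ServiceAccountHardening {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    $account = $svc.StartName

    # Built-in identities are shared by many services, so they cannot be
    # audited or authorized individually.
    $isBuiltIn = ($account -eq 'LocalSystem') -or
                 ($account -like 'NT AUTHORITY\*') -or
                 ($account -like 'NT SERVICE\*')

    $denyLocalLogon = $false
    if (-not $isBuiltIn) {
        # Resolve the account to a SID; the exported policy lists SIDs as *S-1-...
        $nt  = New-Object System.Security.Principal.NTAccount($account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

        # Export only the user-rights section of the local security policy.
        $inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
        try {
            secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
            $line = Get-Content -Path $inf |
                    Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' }
            if ($line) {
                $entries = ($line -split '=', 2)[1] -split ',' |
                           ForEach-Object { $_.Trim().TrimStart('*') }
                # Only a direct assignment is detected here; a deny right
                # inherited through group membership is not resolved.
                $denyLocalLogon = ($entries -contains $sid) -or ($entries -contains $account)
            }
        } finally {
            Remove-Item -Path $inf -ErrorAction SilentlyContinue
        }
    }

    [pscustomobject]@{
        Service          = $ServiceName
        RunsAs           = $account
        CustomAccount    = -not $isBuiltIn
        DenyLogonLocally = $denyLocalLogon
        Compliant        = (-not $isBuiltIn) -and $denyLocalLogon
    }
}

Test-ServiceAccountHardening -ServiceName 'MyWcfHost'
```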