1

We have some Web Apps running in IIS 6. They are running in the Default AppPool which identitiy is Network Service.

The Apps connect to a local SQL Server 2005 Express Instance (SP2) and use a trusted connection. SQL Server runs also with Network Service identity.

Without granting explicit permissions, our webapps are able to query the DB.

How can this happen and which permissions does our app effectively have?

Improve this question

3 Answers 3

Reset to default
1

Some thought:

  • Does the SQL Server Express instance service run under Network Service, so has sysadmin rights?
  • Is the Network Service in the local admin group, so has sysadmin rights?
  • Is the Network Service account added to SQL Server as a login?
Improve this answer
5
  • Yes, the instance is running as Network Service. The Network Service account is added as login. Does this mean, that any application running as Network Service has sysadmin rights? Commented Jun 9, 2009 at 11:30
  • Yes, because the servie account used must be sysadmin Commented Jun 9, 2009 at 11:44
  • I think we should switch to different accounts for both, the sql server and the IIS application pool. Commented Jun 9, 2009 at 11:47
  • After removing the Network Service from the logins we can still connect to the db?! Weird. Commented Jun 9, 2009 at 12:04
  • You'd need to check all SQL Server logins, groups and membership to find out why. I guess the permission path is via another group now Commented Jun 9, 2009 at 12:52
1

This once again reinforces the case for not using the NETWORK SERVICE account for running SQL Server as you don't know what other services you are sharing the account with.

It would be best if you configured SQL Server to run under some other account. Special local account for SQL Server service works best - you can then use it to grant extra permissions to SQL Server, in case they are needed.

If after configuring SQL Server to run under different account and removing NETWORK SERVICE from logins you can still connect from IIS, then run this query while connected from IIS:

select * from sys.login_token

Then look for the WINDOWS GROUPS and WINDOWS LOGIN that have non-zero value in principal_id column. That group or login is how your IIS can connect to SQL Sever.

Improve this answer
1
  • Good point! Will give this query a try. Commented Jul 23, 2009 at 8:58
0

Maybe the permissions were granted to the IIS_WPG group on SQL Server? By default, the Network Service account (NTAUTHORITY\NETWORK SERVICE) is a member of this group.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.