ASP.NET Process Identity
For additional security, the ASP.NET application worker process (aspnet_wp.exe) runs using an account (ASPNET) with weaker privileges than the Local System account. Because of this, an intruder who breaches the application does not gain administrative access, whereas the Local System account has access to almost every resource on the local computer that is not specifically denied to it.
To run the worker process using a specified account, modify the <processModel> element in the root configuration file (machine.config), located in the \%windows%\Microsoft.NET\Framework\Version\Config folder, as shown below:
<!-- machine.config file -->
<system.web>
    <processModel enable="true"
                  userName="domain\user"
                  password="password" />
</system.web>
In addition to specifying a particular user account, you can also set the userName attribute to one of two specially recognized values, "SYSTEM" and "MACHINE". In both cases, you should set the password attribute to "AutoGenerate", which instructs Windows to manage the password. The default userName setting is "MACHINE", which runs the worker process under a local account named ASPNET. This account is similar to the IWAM_machinename account used by Internet Information Services (IIS) to run instances of dllhost.exe when hosting applications built with ASP 3.0 and earlier. If you specify "SYSTEM", the worker process uses the Local System account. The ASPNET account is created during installation of the .NET Framework.
If you use a custom account, that account must have the following access rights:
- Read/write access is required for:
    - The %installroot%\ASP.NET Temporary Files directory. Subdirectories beneath this root are used for dynamically compiled output.
    - The %temp% directory, which is used by the compilers during dynamic compilation.
- Read access is required for:
    - The application directory.
    - The %installroot% hierarchy, so that system assemblies can be accessed.
    - The Web site root directory (e.g., the path to which the "Default Web Site" points, typically %systemdrive%\inetpub\wwwroot).
    - The Global Assembly Cache, %windir%\assembly.
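The following script is an added example and not part of the original article or of ASP.NET itself. It audits the <processModel> settings described above (SYSTEM versus MACHINE versus a custom account, and whether the password is "AutoGenerate") and then checks a custom account's rights against the list of required directories. The machine.config fragment and the observed-ACL map are constructed samples; the %appdir% placeholder for the application directory and the right names "read"/"write" are assumptions of this example, not ASP.NET conventions.

```python
# Added example (not from the original article): audit an ASP.NET 1.x machine.config
# <processModel> element for identity risks, then compare a custom account's rights
# against the directories the article lists. All sample data below is constructed.
import xml.etree.ElementTree as ET

# Constructed sample: a machine.config fragment that runs the worker process as a
# custom domain account with a clear-text password.
SAMPLE_MACHINE_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true" userName="CORP\\aspnetsvc" password="P@ssw0rd" />
  </system.web>
</configuration>"""


def audit_process_model(config_xml):
    """Return (userName, findings) for the <processModel> element.

    Missing attributes fall back to the defaults the article gives:
    userName="MACHINE", password="AutoGenerate".
    """
    root = ET.fromstring(config_xml)
    pm = root.find("./system.web/processModel")
    if pm is None:
        return None, ["no <processModel> element: defaults apply (MACHINE / AutoGenerate)"]
    user = pm.get("userName", "MACHINE")
    password = pm.get("password", "AutoGenerate")
    findings = []
    if user.upper() == "SYSTEM":
        findings.append("worker process runs as Local System: a compromise yields administrative access")
    elif user.upper() == "MACHINE":
        findings.append("default low-privilege ASPNET account (ok)")
    else:
        findings.append(f"custom account {user}: confirm it holds only the rights the worker process needs")
        # A custom account needs a real password here, so the file itself becomes sensitive.
        findings.append("clear-text credential in machine.config: restrict read access to the file")
    if user.upper() in ("SYSTEM", "MACHINE") and password.lower() != "autogenerate":
        findings.append('password should be "AutoGenerate" when userName is SYSTEM or MACHINE')
    return user, findings


# Required rights from the article, keyed by directory placeholder.
# %appdir% is a hypothetical placeholder for "the application directory".
REQUIRED_RIGHTS = {
    r"%installroot%\ASP.NET Temporary Files": {"read", "write"},
    r"%temp%": {"read", "write"},
    r"%appdir%": {"read"},
    r"%installroot%": {"read"},
    r"%systemdrive%\inetpub\wwwroot": {"read"},
    r"%windir%\assembly": {"read"},
}

# Constructed sample of what the custom account actually holds: %temp% is
# read-only and the Global Assembly Cache has no entry at all.
SAMPLE_OBSERVED_ACL = {
    r"%installroot%\ASP.NET Temporary Files": {"read", "write"},
    r"%temp%": {"read"},
    r"%appdir%": {"read"},
    r"%installroot%": {"read"},
    r"%systemdrive%\inetpub\wwwroot": {"read"},
}


def missing_rights(observed):
    """Return a sorted list of (directory, missing rights) for a custom account.

    observed maps directory placeholder -> set of rights the account holds.
    """
    gaps = []
    for path, needed in REQUIRED_RIGHTS.items():
        lacking = needed - observed.get(path, set())
        if lacking:
            gaps.append((path, sorted(lacking)))
    return sorted(gaps)


if __name__ == "__main__":
    user, findings = audit_process_model(SAMPLE_MACHINE_CONFIG)
    print(f"processModel userName={user}")
    for f in findings:
        print("  -", f)
    for path, lacking in missing_rights(SAMPLE_OBSERVED_ACL):
        print(f"  missing {', '.join(lacking)} on {path}")
```

Run it against a real machine.config by reading the file into audit_process_model; the ACL map would come from whatever tool you use to enumerate directory permissions on the host, with the observed rights normalized to "read" and "write" before calling missing_rights.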