I have IIS7 and SQL Express 2008 running on Windows Server 2008. IIS7's application pool that my app belongs to is configured for Network Service account. The SQL Server also uses the same account. I noticed that MS no longer discourages use of Network Service account for SQL 2008 (as it used to for 2005).
In IIS5 I used to give the ASPNET account selected rights to my app's database. With IIS7/SQL 2008, both using the same Network Service account, giving access rights to the database does not seem to be necessary. All apps running in the pool that uses the Network Service account have full access to all resources in the database.
Is this expected? If yes, what are the risks?