Using the same application identifier for multiple applications

Is there a best practice for using / reusing accounts as application identifiers in ASP.NET? I recently got into a heated discussion about this practice. Separate identifiers are additional overhead, but seem more secure. Am I off base?

2 answers

I would say that it depends on the scenario.

Typically, you need to configure a separate application pool in IIS for each web application that you deploy to the web server, at least in production. It is said that, for an Active Directory server, having one account for each application pool you create is no problem.

One of the good old application security rules is to always provide the minimum set of required privileges and nothing more. Therefore, if you have application A and application B, you must also have user A and user B, each of which has rights only to use its own application (and, ultimately, to access some databases, some network drives, etc.).

If you have only user C and grant all rights to this user, an error in application A can then connect to and potentially affect application B, since user C has rights to both. If you use application A with user A, this cannot happen.

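To check an existing server against the "user A / user B, not user C" rule from the answer above, the following added example (not part of the original thread) groups IIS application pools by the account they actually run as and reports any account used by more than one pool. The function names, pool names and the `CONTOSO\svc-userC` account are constructed for illustration.

```powershell
# Added example: flag IIS application pools that share one effective identity.
# The sample records are constructed; a real server is queried with the
# WebAdministration module (see the commented lines at the end).

function Get-EffectiveIdentity {
    param([string]$PoolName, [string]$IdentityType, [string]$UserName)
    switch ($IdentityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }  # virtual account, unique per pool
        'SpecificUser'            { $UserName }                # custom (e.g. domain) account
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        default                   { "unknown:$IdentityType" }
    }
}

function Find-SharedPoolIdentity {
    param([object[]]$Pools)
    $Pools |
        Select-Object Name, @{ n = 'Identity'; e = {
            Get-EffectiveIdentity $_.Name $_.IdentityType $_.UserName } } |
        Group-Object Identity |          # grouping is case-insensitive by default
        Where-Object Count -gt 1 |       # keep only identities used by 2+ pools
        ForEach-Object {
            [pscustomobject]@{
                Identity = $_.Name
                Pools    = ($_.Group.Name | Sort-Object) -join ', '
            }
        }
}

# Constructed sample: AppA and AppB both run as "user C"; AppD and AppE each
# get their own virtual account; Legacy1 and Legacy2 share a built-in account.
$sample = @(
    [pscustomobject]@{ Name = 'AppA';    IdentityType = 'SpecificUser';            UserName = 'CONTOSO\svc-userC' }
    [pscustomobject]@{ Name = 'AppB';    IdentityType = 'SpecificUser';            UserName = 'contoso\svc-userC' }
    [pscustomobject]@{ Name = 'AppD';    IdentityType = 'ApplicationPoolIdentity'; UserName = '' }
    [pscustomobject]@{ Name = 'AppE';    IdentityType = 'ApplicationPoolIdentity'; UserName = '' }
    [pscustomobject]@{ Name = 'Legacy1'; IdentityType = 'NetworkService';          UserName = '' }
    [pscustomobject]@{ Name = 'Legacy2'; IdentityType = 'NetworkService';          UserName = '' }
)
Find-SharedPoolIdentity -Pools $sample | Format-Table -AutoSize

# Live collection on an IIS server (run elevated):
# Import-Module WebAdministration
# $live = Get-ChildItem IIS:\AppPools | ForEach-Object { [pscustomobject]@{
#     Name = $_.Name; IdentityType = [string]$_.processModel.identityType
#     UserName = $_.processModel.userName } }
```

On the sample data this reports `CONTOSO\svc-userC` (AppA, AppB) and `NT AUTHORITY\NETWORK SERVICE` (Legacy1, Legacy2); pools left on `ApplicationPoolIdentity` never appear, because each one runs as its own `IIS AppPool\<name>` account.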

There is another way to look at it:

  • Does your application need to implement its own identifiers?

In almost all projects over the past 10 years, we used an identifier that was separate from the application; sometimes it is as simple as using Windows Identity users.

With security, avoiding writing code is good, because code that is not written cannot contain a security error.


Source: https://habr.com/ru/post/1383524/

