ASPNET User ID - Newbie ?'s, apologies

[John]

Sorry for the newbie questions but after looking over
this and other newsgroups I haven't come across the
answers:

I'm trying to determine how I got a User ID = ASPNET with
"user" privilages on my Win2K desktop. What it's there
for and what would happen if I deleted or disabled the
account. Can anyone point me to some direct reading
material on this - or provide a simple answer? As you can
see from the questions, I'm fairly new to this subject.

 

[Chris Jackson]

The ASPNET account is the user account that is set up for ASP.NET to run
under. It runs under its own account so that this account can be
specifically granted a limited set of privileges - just enough to run
ASP.NET applications, and no more. If you are not doing ASP.NET web
development, then this account isn't doing anything useful for you, nor is
it harming you.

 

[John]

Chris, Thanks for your speedy and helpful reply. My
concern as a 'Info Security' guy is that someone could make
use of a 'standard' ID for purposes other than I might
intend - OR might use such an ID as an opening point in a
scripted exploit that I might be able to avoid if I
actually knew what the heck I was looking at re this ID.
From your response, it looks as though I'm not going to
have any problems if I disable the account, so I think
that's my best tactic for the moment. I would still like
to know a little more about this...any recommended info
sites or reading? Again, thanks for your input. John

 

[Chris Jackson]

What more are you interested in knowing? It's a standard Windows user
account, with limited privileges that will let it run ASP.NET sites and not
much else. While it does have some rights (because ASP.NET requires some)
it's definitely not admin, and it doesn't have a blank password. It's a
system generated password as well. I don't consider it a security hole, but
anything you aren't using can clearly be disabled. I don't believe it even
installs if IIS is not present (although I can't verify this, because I
don't have any boxes without IIS on them), and IIS is much more of a threat
surface than a user account with limited privileges and a strong password
is.

 

[Holly Mazerolle]

Take a look at the following article for more info:

317012 INFO: Process and Request Identity in ASP.NET
http://kb/article.asp?id=Q317012

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Chris Jackson]

Or, if you don't happen to be on the Microsoft LAN, you might try this link:

http://support.microsoft.com/default.aspx?scid=kb;[LN];317012

;-)

 

[Holly Mazerolle]

Sorry about that here is the correct link.

317012 INFO: Process and Request Identity in ASP.NET
http://support.microsoft.com/?id=317012