Reputation: 43
Is there a best practice for using/re-using accounts as application identities in ASP.NET? I recently got in a heated discussion regarding this practice. Separate identities are additional overhead but seem safer. Am I off base?
Upvotes: 4
Views: 204
Reputation: 65371
There is another way of looking at it:
In almost all projects in the last 10 years we have used an identity that is separate from the application; sometimes it is as simple as using the user's Windows Identity.
With security, avoiding writing code is good, since code that is not written cannot contain a security bug.
Upvotes: 3
Reputation: 44605
I would say it depends on the scenario.
As a general rule, you would need to configure a separate Application Pool in IIS for each web application you deploy on the web server, at least in production. That said, for the Active Directory server, having one account for each app pool you created is not an issue.
One good old rule of application security is to always give the minimum set of required privileges and nothing more, so if you have App A and App B, imagine also having user A and user B, each one with only the rights to use their App (and eventually to access some databases, some network drives and so on).
If you only have user C and give all the rights to this user, a bug in App A could then connect and potentially interfere with App B, because user C has rights on both, while if you were running App A with user A, this could not happen.
Upvotes: 3
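To check an existing server against the one-identity-per-app-pool rule described in the answer above, the following added example (not code from any of the answers) audits an IIS `applicationHost.config` for identities shared by several pools and pools shared by several applications. The sample configuration is constructed, and the function names `pool_identity` and `audit` are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the layout of IIS's applicationHost.config (not from the page).
SAMPLE_CONFIG = """
<configuration><system.applicationHost>
  <applicationPools>
    <add name="AppA"><processModel identityType="SpecificUser" userName="CORP\\svc-shared" /></add>
    <add name="AppB"><processModel identityType="SpecificUser" userName="corp\\SVC-shared" /></add>
    <add name="AppC" />
    <add name="AppD"><processModel identityType="NetworkService" /></add>
    <add name="AppE"><processModel identityType="NetworkService" /></add>
  </applicationPools>
  <sites>
    <site name="Shop"><application path="/" applicationPool="AppC" /></site>
    <site name="Blog"><application path="/" applicationPool="AppC" /></site>
  </sites>
</system.applicationHost></configuration>
"""

def pool_identity(pool, default_type):
    """Return the account a pool's worker process runs as, lower-cased."""
    pm = pool.find("processModel")
    id_type = (pm.get("identityType") if pm is not None else None) or default_type
    if id_type == "SpecificUser":
        # Windows account names are case-insensitive, so normalise before comparing.
        return (pm.get("userName", "") if pm is not None else "").lower()
    if id_type == "ApplicationPoolIdentity":
        # Virtual account derived from the pool name: unique per pool.
        return "iis apppool\\" + pool.get("name").lower()
    return id_type.lower()  # LocalSystem / LocalService / NetworkService are machine-wide

def audit(config_xml):
    """Return (identities used by >1 pool, pools hosting >1 application)."""
    root = ET.fromstring(config_xml)
    pools = next(root.iter("applicationPools"))
    defaults = pools.find("applicationPoolDefaults/processModel")
    default_type = "ApplicationPoolIdentity"
    if defaults is not None:
        default_type = defaults.get("identityType", default_type)
    by_identity, by_pool = defaultdict(list), defaultdict(list)
    for pool in pools.findall("add"):
        by_identity[pool_identity(pool, default_type)].append(pool.get("name"))
    for site in root.iter("site"):
        for app in site.findall("application"):
            by_pool[app.get("applicationPool")].append(site.get("name") + app.get("path"))
    shared = lambda groups: {k: v for k, v in groups.items() if len(v) > 1}
    return shared(by_identity), shared(by_pool)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Every entry in either result is a place where a bug in one application runs with rights that also belong to another, which is the "user C" situation from the answer.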