Security Implications running defaultapppool in IIS 6.0 as Local System

2canSAM

Diamond Member
Jul 16, 2000
3,390
4
81
I am working with a couple of web developers and we have just upgraded them from Windows Server 2000 running IIS 5.0 to Windows Server 2003 running IIS 6.0. During their testing we encountered an error that was resolved by changing the defaultapppool to use the Local System account and not the Network Service account. Now I know this goes against everything Microsoft and most security sites I have seen suggest, but I am having trouble convincing them that the server should not be set up like that. I have explained how running the defaultapppool under LocalSystem will give that app pool full access to the system, but cannot actually show them "how" this can be a problem. Is there some tool that I could run against the webserver that would show what could possibly exploit this?
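As an added example (not from the original thread), here is a defender-side audit script that reads an IIS 6 MetaBase.xml export and reports which application pools would run their worker process as LocalSystem. It resolves the AppPoolIdentityType property the way the metabase does (a pool inherits the value from /LM/W3SVC/AppPools unless it overrides it); the metabase fragment embedded below is constructed for the example, and the element and attribute names are assumed to match the IIS 6 metabase schema.

```python
import xml.etree.ElementTree as ET

# Values of the IIS 6 metabase property AppPoolIdentityType.
IDENTITY_TYPES = {0: "LocalSystem", 1: "LocalService", 2: "NetworkService", 3: "SpecificUser"}

# Constructed MetaBase.xml fragment for this example, not an export from a real server.
# Real exports carry a namespace on <configuration>; the parser below ignores namespaces.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration>
<MBProperty>
<IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="0" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/IntranetPool" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool"
    AppPoolIdentityType="3" WAMUserName="CORP\\svc_web" />
</MBProperty>
</configuration>
"""

def _local(tag):
    """Strip an XML namespace prefix so tags match regardless of the schema URI."""
    return tag.split("}")[-1]

def _inherited(location, nodes, attr):
    """Resolve a metabase property like IIS 6 does: the value set on the node itself,
    otherwise the nearest ancestor (/LM/W3SVC/AppPools, /LM/W3SVC, ...), else None."""
    path = location
    while path:
        value = nodes.get(path, {}).get(attr)
        if value is not None:
            return value
        path = path.rsplit("/", 1)[0]
    return None

def audit_app_pools(xml_text):
    """Map every application pool name to the identity its worker process runs as."""
    root = ET.fromstring(xml_text)
    nodes = {el.get("Location"): el.attrib for el in root.iter() if el.get("Location")}
    result = {}
    for el in root.iter():
        if _local(el.tag) != "IIsApplicationPool":
            continue
        location = el.get("Location")
        code = _inherited(location, nodes, "AppPoolIdentityType")
        identity = "NetworkService" if code is None else IDENTITY_TYPES.get(int(code), f"Unknown({code})")
        if identity == "SpecificUser":  # account name lives in WAMUserName, also inheritable
            identity = f"SpecificUser ({_inherited(location, nodes, 'WAMUserName') or '?'})"
        result[location.rsplit("/", 1)[1]] = identity
    return result

def local_system_pools(xml_text):
    """Names of pools whose worker process would run with full LocalSystem privileges."""
    return sorted(n for n, ident in audit_app_pools(xml_text).items() if ident == "LocalSystem")

if __name__ == "__main__":
    for name, ident in audit_app_pools(SAMPLE_METABASE).items():
        print(f"{name}: {ident}" + ("  <-- full system access" if ident == "LocalSystem" else ""))
```

Run it against a real export (the MetaBase.xml under %SystemRoot%\system32\inetsrv, or a copy made with the IIS 6 metabase backup) and any pool listed by local_system_pools is one whose worker process, and therefore any code it is tricked into running, has the same access as the operating system itself.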
 

2canSAM

Any way to get this moved to Networking forum? Seeing as most network admins might deal with this it may get a response. Thanks
 

Deleted member 4644

I am not an expert on IIS. But running a remotely accessed server on an admin account is a violation of the first principle of modern system security.

I am sure if you google, you can easily find discussions of the sanctity of the "admin" level account.