Any reason not to grant a domain computer account shared folder permission on another server?

We have a few web servers in a DMZ that need to access files on a single file server share in the inside network.  Currently we use a domain account (call it webshare) which is what the web services use when they need to access a file on the inside share.  One of the developers asked if we could add the web server's domain computer account to the share, as it would be easier for the application developers not to have to impersonate a user account when they need to access those files.  Note that the webshare account has local admin rights on the web server, but no domain rights other than that one share on one file server.

This is a single Windows domain and 2008 servers we're talking about, FYI.

Any reason why using the computer account instead of a domain account would be better/safer or less secure than the current method?  Or basically the same?

Kyle Abrahams, Senior .Net Developer, commented:
If the server was ever compromised (e.g. hacked), the computer could then write files to your file share, bypassing security.  It would then just take someone to execute that file and now you have someone on your internal network.

In general you never want any traffic going across your DMZ to your internal network.  If you need to get files into the network, you should actually write them to your DMZ (behind another firewall) and let the internal users pull them the same way the external users do.

mchad65 (Author) commented:
Understand your point re: network security, and we have taken appropriate steps.  Certainly one wouldn't put a SQL server in a DMZ, and web servers often need to talk to SQL.  Clearly I am not revealing the full details of our internal network security architecture in a public forum.

Network security aside, back to the original question, is there any more or less inherent risk in using a computer account for share permissions vs. a domain user account?

Kyle Abrahams, Senior .Net Developer, commented:
Anyone who gets onto the computer could use the file share vs. only that one account.

So you're opening up the gate a bit.  

Also from an administration side say you scale out the website to multiple computers.  Using 1 windows account they could all write to the share.  Otherwise you would need to add each computer where the application was running to the share.  

Which breeds another question:  Do you have other applications running on any of the servers that shouldn't have access to the share?

IMO I would tell the developer to suck it up and impersonate with the user account.
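The distinction raised above (a computer account grant is really a grant to everything running as SYSTEM or Network Service on that host, while a dedicated user account grant covers only processes that hold that account's credentials) can be checked on the file server's side. The following PowerShell is an added example, not code from the thread or from either participant: it reads the share-level DACL over WMI (which works on Server 2008, where Get-SmbShareAccess does not exist) and the NTFS DACL on the share root, and flags any grant to a computer account (DOMAIN\HOST$) or to a broad group. The server name, share name and domain name are assumptions for illustration.

```powershell
# Added example, not code from the original thread. Lists share-level and NTFS
# grants on an inside share and flags the ones that open it to a whole host or
# group rather than to one service account such as webshare.
# Server, share and domain names are assumptions for illustration.

function Get-BroadShareGrants {
    param(
        [string]$Server    = 'fileserver',   # assumed file server name
        [string]$ShareName = 'webpdfs',      # assumed share name
        [string]$Domain    = 'CORP'          # assumed NetBIOS domain name
    )

    # Groups that are much broader than a single service account.
    $broadGroups = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        "$Domain\Domain Computers",
        "$Domain\Domain Users"
    )

    function Classify([string]$identity) {
        if ($identity -match '\$$') {
            # DOMAIN\HOST$ is a computer account. Every process on that host that
            # runs as SYSTEM or Network Service authenticates to the network with
            # it, so the grant covers "anything running on that box", not one app.
            return 'computer account (whole host)'
        }
        if ($broadGroups -contains $identity) { return 'broad group' }
        return $null
    }

    # Share-level DACL via WMI. AceType 0 is Allow, 1 is Deny.
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -ComputerName $Server -Filter "Name='$ShareName'"
    foreach ($ace in $setting.GetSecurityDescriptor().Descriptor.DACL) {
        $id = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
              else { $ace.Trustee.Name }
        $concern = Classify $id
        if ($concern) {
            New-Object PSObject -Property @{
                Level    = 'Share'
                Identity = $id
                Access   = ('0x{0:X}' -f $ace.AccessMask)
                Type     = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
                Concern  = $concern
            }
        }
    }

    # NTFS DACL on the share root, read over the UNC path.
    $acl = Get-Acl -Path "\\$Server\$ShareName"
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $concern = Classify $id
        if ($concern) {
            New-Object PSObject -Property @{
                Level    = 'NTFS'
                Identity = $id
                Access   = $ace.FileSystemRights.ToString()
                Type     = $ace.AccessControlType.ToString()
                Concern  = $concern
            }
        }
    }
}

# Usage: run from a domain-joined admin workstation. An empty result means only
# specific user accounts (for example CORP\webshare) hold grants on the share.
Get-BroadShareGrants -Server 'fileserver' -ShareName 'webpdfs' -Domain 'CORP' |
    Format-Table Level, Identity, Type, Access, Concern -AutoSize
```

Run it before and after any permission change: if the developers' request were granted, the web server's computer account would show up in the output as a whole-host grant, and every server added when the site scales out would add another line.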

mchad65 (Author) commented:
I am leaning towards keeping it as is, I just wanted another opinion.  The share exists solely for storing PDFs the users of the sites need to download.  Pretty much each site has a need to access it.  There may be the odd app that doesn't need access, but the majority do.

I think I agree with your last.  Thanks.