Just the Facts

You can change the worker process account, but you should at least give the new account full permissions on the folders where the ASP.NET runtime creates temporary files.

Forms authentication is the most common way of protecting ASP.NET pages and resources from unauthorized access in an Internet application. It works by attaching an authentication ticket to the request to prove the identity of the user; an HTTP module intercepts any requests and checks for that.

Membership API complements Forms authentication by decoupling the page code and the code that works with user information. This second type of code is isolated in a provider component that can be plugged into and out of the configuration file.

The role management API provides a rich API to manage roles and an HTTP module that uses a provider to extract role information for the user and that attaches that to the request.

The membership API is integrated with Visual Studio .NET through the WSAT tool, and it gives administrators a tool to manage users and roles offline.

The membership API is linked to a new family of controls for common login-related operations, such as password recovery and change, user creation, and login display.

Secure applications depend on secure coding practices that prevent common attacks. The key rule to apply all the time is, "Don't trust user input." Sanitizing any data the user inserts in the application is key, and validation controls and coded validation rules can raise the security bar much higher for attackers.