I am trying to implement the ASP.NET Core out-of-process hosting model.
Previously we had a Windows Service running as a LocalService user. This service was protected with an IIS reverse proxy and AppPoolIdentity user.
client <--> Reverse Proxy (AppPoolIdentity) <--> Windows Service (LocalService)
Now that the IIS - ASP.NET Core Module (w3wp.exe) itself starts the ASP.NET Core Application (dotnet.exe) on request, both run as LocalService identities.
client <--> Reverse Proxy (LocalService) <--> Kestrel Service (LocalService)
Is it fine, from a security point of view, to configure both the reverse proxy and the app as LocalService, or is it advisable to configure the IIS or the Kestrel server differently?
I couldn't find any information on this topic online. Any kind of help is very much appreciated.