>The security risk is relative really.
>
>Prior to ASP.NET in classic ASP days or running typical ISAPI applications we always used to run in SYSTEM context because frequently the access to the local system was required.
>
>SYSTEM is less secure, but only if your machine is already compromised and assuming somebody has either hacked into your app to execute code.
>
>Basically my thought about this is if somebody's already there you have other things to worry about.
>
>Running in SYSTEM is often easier to do than explicitly adding rights to NETWOWRK SERVICE that might be required or more common using a special account that has the exact rights and ACL permissions needed.
>
>OTOH, ASP.NET apps have much less need to require elevated rights because most of the features that frequently required higher rights (say in Web Connection like COM activation and writing out configuration files for example) are handled internally via the .NET framework and covered by the Trust settings...
>
>Overall it's good to review whether switching to SYSTEM is necessary but unless you're not sure whether your app is secure on its own merit it's probably not something to lose sleep over.
Thanks