Thursday, 16 October 2014

Service Accounts - Notes

Any Windows Service can be run under one of a number of accounts: the built-in service accounts, a local user account, or a domain user account. Each has different privileges on the local computer and on network resources such as shares, mapped drives and printers. The main ones are listed further down.

As a diagnostic: if the service works when run as a domain admin but fails under any other account, the problem is a permissions issue, and the service account needs to be granted access to the required resources. Things to check include "Manage printer" permissions, the Bypass traverse checking privilege, whether the remote computer allows that account access at all, and whether it caps the number of concurrent connections. Once the missing permission has been found, drop back to the least-privileged account that works rather than leaving the service running as domain admin. Also, always use UNC paths to network shares rather than mapped drives. Drive letters belong to the logon session that mapped them, so a drive mapped in an interactive session is not visible to a service running in its own session; the mapping introduces another permissions check, frequently becomes disconnected, and a Windows Service may not be able to reconnect it at will.

It is also possible that the account is restricted from concurrent logons, so if the service runs as an individual user account and that same account is used elsewhere on the network at the same time, one of the two logons may fail.
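As an added example (not part of the original notes), here is a PowerShell snippet that inventories the logon account of every service on the local machine and flags the two cases the notes above warn about: services running as a named user or domain account, and third-party services running as LocalSystem that could probably be moved to a lower-privileged built-in account. The only assumption is the heuristic that anything whose executable lives under $env:SystemRoot is a Microsoft service; everything else is treated as third party.

```powershell
# Added example, not from the original notes: list the logon account of every service
# on this machine and flag the ones that deserve a second look:
#   - services running as a named user or domain account (password stored on the box,
#     subject to the concurrent-logon and permission problems described above), and
#   - third-party services running as LocalSystem that could probably be moved to
#     LocalService or NetworkService.
# Needs only Windows PowerShell 5.1 / PowerShell 7 and the built-in Win32_Service class.

function Get-ServiceAccountKind {
    param([string] $StartName)
    # Classify the StartName value that Win32_Service reports (matching is case-insensitive).
    switch -Regex ($StartName) {
        '^NT AUTHORITY\\LocalService$'    { return 'LocalService' }
        '^NT AUTHORITY\\NetworkService$'  { return 'NetworkService' }
        '^(\.\\)?LocalSystem$'            { return 'LocalSystem' }
        '^NT SERVICE\\'                   { return 'VirtualAccount' }   # per-service virtual account
        default                           { return 'UserAccount' }
    }
}

function Get-ServiceAccountReport {
    # Heuristic (assumption): a service whose executable lives under the Windows
    # directory is Microsoft's own; everything else is "third party" for this report.
    $windowsDir = [regex]::Escape($env:SystemRoot)

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName } |               # skip entries with no logon account
        ForEach-Object {
            $kind = Get-ServiceAccountKind -StartName $_.StartName
            # PathName may be quoted, e.g. "C:\Windows\system32\svchost.exe" -k netsvcs
            $thirdParty = -not ($_.PathName -match "^`"?$windowsDir")
            $reason = $null
            if ($kind -eq 'UserAccount') {
                $reason = 'Runs as a named user account'
            } elseif ($kind -eq 'LocalSystem' -and $thirdParty) {
                $reason = 'Third-party service running as LocalSystem'
            }
            [pscustomobject]@{
                Name    = $_.Name
                Account = $_.StartName
                Kind    = $kind
                State   = $_.State
                Path    = $_.PathName
                Flag    = $reason
            }
        }
}

# Usage: a summary by account kind, then the flagged services.
$report = Get-ServiceAccountReport
$report | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Flag | Sort-Object Kind, Name |
    Format-Table Name, Account, Flag -AutoSize
```

Every service in the "Runs as a named user account" group has its password stored in the LSA secrets of that machine, so each one is worth asking whether LocalService or NetworkService (plus a share permission for the machine account) would do instead.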

The main service accounts:
  • LocalService account (preferred)
    • Name: NT AUTHORITY\LocalService
    • the account has no password (any password information you provide is ignored)
    • HKCU represents the LocalService user account
    • has minimum privileges on the local computer
    • presents anonymous credentials on the network
    A limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service it has no ability to access the network as the machine: because it presents anonymous credentials, remote shares will normally refuse it.
  • NetworkService account
    • NT AUTHORITY\NetworkService
    • the account has no password (any password information you provide is ignored)
    • HKCU represents the NetworkService user account
    • has minimum privileges on the local computer
    • presents the computer's credentials to remote servers (e.g. VADER$)
    • If trying to schedule a task using it, enter NETWORK SERVICE into the Select User or Group dialog
    Limited service account that is meant to run standard least-privileged services. This account is far more limited than Local System (or even Administrator) but still has the right to access the network as the machine (see the note under LocalSystem below).
  • LocalSystem account
    • Name: .\LocalSystem (can also use LocalSystem or ComputerName\LocalSystem)
    • the account has no password (any password information you provide is ignored)
    • HKCU maps to HKEY_USERS\.DEFAULT (LocalSystem has no profile of its own)
    • has extensive privileges on the local computer
    • presents the computer's credentials to remote servers
    Completely trusted account, more so than the Administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine (this requires Active Directory, and the machine account must be granted permissions on the remote resource).

The above is from HERE
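To make the switch between these accounts concrete, here is an added PowerShell example (not from the original notes or from any particular product) that moves a service onto NetworkService, reads back what the Service Control Manager actually stored, and then grants the machine account the share and NTFS rights it needs on the file server, which is what "presents the computer's credentials to remote servers" requires in practice. The service name MyAppSvc, the file server FILESRV, the share Reports backed by D:\Reports, the domain CORP and the machine name VADER (so CORP\VADER$, following the VADER$ example in the list) are all hypothetical.

```powershell
# Added example, not from the original notes. Hypothetical names throughout:
# service MyAppSvc on machine VADER (domain CORP, so machine account CORP\VADER$),
# file server FILESRV sharing D:\Reports as \\FILESRV\Reports.
# Run from an elevated prompt; the share/NTFS step runs on the file server and
# needs the SmbShare module (Windows 8 / Server 2012 and later).

function Set-ServiceLogonAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # One of the built-in accounts; the SCM ignores any password for these.
        [ValidateSet('NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService', 'LocalSystem')]
        [string] $Account = 'NT AUTHORITY\LocalService'
    )
    # sc.exe's syntax requires the space after "obj=". PowerShell quotes the
    # account name for us because it contains a space.
    $output = & sc.exe config $Name obj= $Account
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed for '$Name': $output"
    }
    # Read back what the SCM stored rather than trusting the exit code alone.
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'").StartName
}

function Grant-MachineAccountShareAccess {
    param(
        [Parameter(Mandatory)] [string] $ShareName,       # e.g. Reports
        [Parameter(Mandatory)] [string] $LocalPath,       # e.g. D:\Reports
        [Parameter(Mandatory)] [string] $MachineAccount   # e.g. CORP\VADER$
    )
    # Share-level permission for the machine account.
    Grant-SmbShareAccess -Name $ShareName -AccountName $MachineAccount -AccessRight Change -Force | Out-Null
    # NTFS permission: Modify, inherited by subfolders (CI) and files (OI).
    # $(...) keeps PowerShell from reading "$MachineAccount:" as a scoped variable.
    & icacls $LocalPath /grant "$($MachineAccount):(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $LocalPath" }
    # Return the resulting share ACE so the caller can confirm it.
    Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq $MachineAccount
}

# On VADER: switch the service and restart it so the new token takes effect.
Set-ServiceLogonAccount -Name 'MyAppSvc' -Account 'NT AUTHORITY\NetworkService'
Restart-Service -Name 'MyAppSvc'

# On FILESRV: let VADER's machine account reach the share the service writes to.
Grant-MachineAccountShareAccess -ShareName 'Reports' -LocalPath 'D:\Reports' -MachineAccount 'CORP\VADER$'

# The service itself should then open its data as \\FILESRV\Reports (a UNC path),
# never as a mapped drive letter, for the reasons given in the notes above.
```

If the same procedure were done with LocalService instead, the share step would be pointless: LocalService reaches the server anonymously, so no machine-account permission can help it, and that is the deciding factor between the two least-privileged accounts.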