Local System x Service Account



Victor Pereira
07-09-2005, 11:50 PM
Hi,
What's better from the security point of view?

Put every service to run under the Local System (and violate the Least
Privilege) or create a service account and live with a lot of accounts to
manage and protect?

What should I do to mitigate the risks? Secure Programming (if I need to
run my service using Local System), block an interactive logon (service
account), anything more?

Thanks in Advance,

Victor Pereira

Roger Abell
07-09-2005, 11:50 PM
If I am selecting between similar products that install services
and I find that one insists on using System, another uses Local
Service or Network Service, and a third allows a custom account
that can have tightly controlled group memberships and grants,
then, based on these criteria, I favor them least to most in that same
order. The problem really is that often that custom account is not
very closely limited (I love the one where they make it a member
of Administrators - looks good if you do not look!).

Secure programming practices are as important as the security
context in which the service runs, especially in the .Net era !!
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Victor Pereira" <taintmode@yahoo.com.br> wrote in message
news:%23Z2cQHjVFHA.3024@TK2MSFTNGP14.phx.gbl...
> Hi,
> What's better from the security point of view?
>
> Put every service to run under the Local System (and violate the Least
> Privilege) or create a service account and live with a lot of accounts to
> manage and protect?
>
> What should I do to mitigate the risks? Secure Programming (if I need to
> run my service using Local System), block an interactive logon (service
> account), anything more?
>
> Thanks in Advance,
>
> Victor Pereira
>
>

Victor Pereira
07-09-2005, 11:50 PM
Ok Roger, but imagine the following context:
You must create a development rule and you must specify what kind of user
is better from the security point of view. Tell me that I'm not crazy,
because I think the right answer is "it depends"... am I crazy, or is this
question not boolean?

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uMzeorjVFHA.2172@tk2msftngp13.phx.gbl...
> If I am selecting between similar products that install services
> and I find that one insists on using System, another uses Local
> Service or Network Service, and a third allows a custom account
> that can have tightly controlled group memberships and grants,
> then, based on these criteria, I favor them least to most in that same
> order. The problem really is that often that custom account is not
> very closely limited (I love the one where they make it a member
> of Administrators - looks good if you do not look!).
>
> Secure programming practices are as important as the security
> context in which the service runs, especially in the .Net era !!
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> news:%23Z2cQHjVFHA.3024@TK2MSFTNGP14.phx.gbl...
> > Hi,
> > What's better from the security point of view ?
> >
> > Put every service to run under the Local System (and violate the Least
> > Privilege) or create a service account and live with a lot of accounts
to
> > manage and protect ?
> >
> > What should i do to mitigate the risks ? Secure Programming (If i need
to
> > run my service using Local System), Block an iteractive logon (service
> > account), anything more ?
> >
> > Thanks in Advance,
> >
> > Victor Pereira
> >
> >
>
>

Roger Abell
07-09-2005, 11:50 PM
I personally believe that, in today's Windows world,
"it depends" is a very fair answer.
Local Service is probably the preferred context, as it
pre-exists, removing the need to get admins to understand
the issues in setting up a usable custom account.
However, this does not exist in pre-W2k3/XP systems,
so, is one in a dev cycle for W2k?

--
Roger
"Victor Pereira" <taintmode@yahoo.com.br> wrote in message
news:u9vxOBkVFHA.3188@TK2MSFTNGP09.phx.gbl...
> Ok Roger, but imagine the following context:
> You must create a development rule and you must specify what kind of user
> is better from the security point of view. Tell me that I'm not crazy,
> because I think the right answer is "it depends"... am I crazy, or is this
> question not boolean?
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uMzeorjVFHA.2172@tk2msftngp13.phx.gbl...
> > If I am selecting between similar products that install services
> > and I find that one insists on using System, another used Local
> > Service or Network Service, and a third allow a custom account
> > that can have tightly controlled group memberships and grants,
> > then, based on this criteria I favor them least to most in that same
> > order. The problem really is that often that custom account is not
> > very closely limited (I love the one where they make it a member
> > of Administrators - looks good if you do not look!).
> >
> > Secure programming practices are as important as the security
> > context in which the service run, especially in the .Net era !!
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> > news:%23Z2cQHjVFHA.3024@TK2MSFTNGP14.phx.gbl...
> > > Hi,
> > > What's better from the security point of view ?
> > >
> > > Put every service to run under the Local System (and violate the Least
> > > Privilege) or create a service account and live with a lot of accounts
> to
> > > manage and protect ?
> > >
> > > What should i do to mitigate the risks ? Secure Programming (If i need
> to
> > > run my service using Local System), Block an iteractive logon (service
> > > account), anything more ?
> > >
> > > Thanks in Advance,
> > >
> > > Victor Pereira
> > >
> > >
> >
> >
>
>

Joe Richards [MVP]
07-09-2005, 11:50 PM
I would say my order of preference would be

LocalService
Local Unprivileged User
Domain Unprivileged User
NetworkService
LocalSystem

I also prefer an ID per service per machine if using normal IDs because
otherwise people end up setting non-expiring passwords because it is too hard to
change the password on accounts running multiple services.

I really hate it when an application forces me to pick something in particular.
I would much rather have the choice of what I, at that moment want to do.
Security holes that aren't published at the moment could change the list above
at a moment's notice.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Victor Pereira wrote:
> Hi,
> What's better from the security point of view?
>
> Put every service to run under the Local System (and violate the Least
> Privilege) or create a service account and live with a lot of accounts to
> manage and protect?
>
> What should I do to mitigate the risks? Secure Programming (if I need to
> run my service using Local System), block an interactive logon (service
> account), anything more?
>
> Thanks in Advance,
>
> Victor Pereira
>
>

Victor Pereira
07-09-2005, 11:50 PM
Roger, the answer is "Yes, W2k is one in a dev cycle"

VP
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uVzVBgmVFHA.3076@TK2MSFTNGP10.phx.gbl...
> I personally believe that, in today's Windows world,
> "it depends" is a very fair answer.
> Local Service is probably the preferred context, as it
> pre-exists, removing the need to get admins to understand
> the issues in setting up a usable custom account.
> However, this does not exist in pre-W2k3/XP systems,
> so, is one in a dev cycle for W2k?
>
> --
> Roger
> "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> news:u9vxOBkVFHA.3188@TK2MSFTNGP09.phx.gbl...
> > Ok Roger but imagine the following context:
> > You must create a development rule and you must specify what kind of
user
> > is better from the security point of view. Tell me that i'm not crazy,
> > because i think that right answer is "it's depends".. am i crazy or this
> > question aren't boolean
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:uMzeorjVFHA.2172@tk2msftngp13.phx.gbl...
> > > If I am selecting between similar products that install services
> > > and I find that one insists on using System, another used Local
> > > Service or Network Service, and a third allow a custom account
> > > that can have tightly controlled group memberships and grants,
> > > then, based on this criteria I favor them least to most in that same
> > > order. The problem really is that often that custom account is not
> > > very closely limited (I love the one where they make it a member
> > > of Administrators - looks good if you do not look!).
> > >
> > > Secure programming practices are as important as the security
> > > context in which the service run, especially in the .Net era !!
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> > > news:%23Z2cQHjVFHA.3024@TK2MSFTNGP14.phx.gbl...
> > > > Hi,
> > > > What's better from the security point of view ?
> > > >
> > > > Put every service to run under the Local System (and violate the
Least
> > > > Privilege) or create a service account and live with a lot of
accounts
> > to
> > > > manage and protect ?
> > > >
> > > > What should i do to mitigate the risks ? Secure Programming (If i
need
> > to
> > > > run my service using Local System), Block an iteractive logon
(service
> > > > account), anything more ?
> > > >
> > > > Thanks in Advance,
> > > >
> > > > Victor Pereira
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Roger Abell
07-09-2005, 11:51 PM
Then I would say a custom account is the best, as it is
in general for all OS versions.
The problem here is not so much config of the account,
but admin education so that they know what is an account
correctly configured for use by the service.

The problem with use of System should be obvious:
it shares context with so very much else that it is more
easily possible for things to hook into your code, and
it is also such a wide-spread risk if something should
find a flaw in your services. Of course, there are also
issues from poor code, but we assume we do not need
to list those.

In theory, if the custom account is a local Users member
then it is only a matter of making sure that the account
has the user right to log in as a service, that it has rights
to the registered service, and if there are pre-req services
listed as dependencies perhaps rights to those, that it has
grants to its registry key areas and its code plus any
storage used. Being a Users member should cover what
would be "appropriate" uses of other components, of reg
and filesystem areas (at least appropriate in post-W2k).

--
Roger
"Victor Pereira" <taintmode@yahoo.com.br> wrote in message
news:OLsjiSnVFHA.3184@TK2MSFTNGP15.phx.gbl...
> Roger, the answer is "Yes, W2k is one in a dev cycle"
>
> VP
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uVzVBgmVFHA.3076@TK2MSFTNGP10.phx.gbl...
> > I personally believe that, in today's Windows world,
> > "it depends" is a very fair answer.
> > Local Service is probably the preferred context, as it
> > pre-exists so removing need to get admins to understand
> > issues in setting a usable custom account.
> > However, this does not exist in pre-W2k3/XP systems,
> > so, is one in a dev cycle for W2k?
> >
> > --
> > Roger
> > "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> > news:u9vxOBkVFHA.3188@TK2MSFTNGP09.phx.gbl...
> > > Ok Roger but imagine the following context:
> > > You must create a development rule and you must specify what kind of
> user
> > > is better from the security point of view. Tell me that i'm not crazy,
> > > because i think that right answer is "it's depends".. am i crazy or
this
> > > question aren't boolean
> > >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:uMzeorjVFHA.2172@tk2msftngp13.phx.gbl...
> > > > If I am selecting between similar products that install services
> > > > and I find that one insists on using System, another used Local
> > > > Service or Network Service, and a third allow a custom account
> > > > that can have tightly controlled group memberships and grants,
> > > > then, based on this criteria I favor them least to most in that same
> > > > order. The problem really is that often that custom account is not
> > > > very closely limited (I love the one where they make it a member
> > > > of Administrators - looks good if you do not look!).
> > > >
> > > > Secure programming practices are as important as the security
> > > > context in which the service run, especially in the .Net era !!
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> > > > news:%23Z2cQHjVFHA.3024@TK2MSFTNGP14.phx.gbl...
> > > > > Hi,
> > > > > What's better from the security point of view ?
> > > > >
> > > > > Put every service to run under the Local System (and violate the
> Least
> > > > > Privilege) or create a service account and live with a lot of
> accounts
> > > to
> > > > > manage and protect ?
> > > > >
> > > > > What should i do to mitigate the risks ? Secure Programming (If i
> need
> > > to
> > > > > run my service using Local System), Block an iteractive logon
> (service
> > > > > account), anything more ?
> > > > >
> > > > > Thanks in Advance,
> > > > >
> > > > > Victor Pereira
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
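An added example (not code from the thread or from either poster) that turns the advice in Roger's last reply and in Joe's list into a check an administrator can run: it inventories which identity every service on the host runs as, and flags the cases both of them warn about (services on LocalSystem, custom accounts that sit in local Administrators, one account shared by several services, and custom accounts that lack "Log on as a service" or are still permitted to log on interactively). It assumes a current Windows (PowerShell 5.1 or later, Windows 10 / Server 2016 or newer, where Get-LocalGroupMember exists), and an elevated prompt so that secedit can export the local policy; the user-right constant names SeServiceLogonRight and SeDenyInteractiveLogonRight are the standard secedit names.

```powershell
# Added example, not code from the thread: audit service accounts on this host
# against the points raised above. Assumes Windows PowerShell 5.1+ on Windows 10 /
# Server 2016+, run elevated (secedit needs it), Get-LocalGroupMember available.

$computer = $env:COMPUTERNAME

# Classify the StartName that Win32_Service reports for each service.
function Get-AccountClass {
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName))                              { return 'Unknown' }
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$')          { return 'LocalSystem' }
    if ($StartName -match '^NT AUTHORITY\\LocalService$')                  { return 'LocalService' }
    if ($StartName -match '^NT AUTHORITY\\NetworkService$')                { return 'NetworkService' }
    if ($StartName -match '^NT SERVICE\\')                                 { return 'VirtualAccount' }
    if ($StartName -match ('^(\.|' + [regex]::Escape($computer) + ')\\'))  { return 'LocalUser' }
    return 'DomainUser'
}

# Normalise ".\svc" to "HOST\svc" so it compares with group-member and policy names.
function ConvertTo-FullName {
    param([string]$StartName)
    if ($StartName -match '^\.\\(.+)$') { return "$computer\$($matches[1])" }
    return $StartName
}

# Export the local security policy once and read the holders of a user right from it.
$policyFile = Join-Path $env:TEMP 'svc-audit-secpol.inf'
& secedit /export /cfg $policyFile /quiet | Out-Null
$policyLines = Get-Content -Path $policyFile

function Get-RightHolders {
    param([string]$Right)   # e.g. SeServiceLogonRight, SeDenyInteractiveLogonRight
    $line = $policyLines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $holders = @()
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*S-1-')) {
            # secedit writes SIDs with a leading '*'; translate back to DOMAIN\name when possible
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $holders += $entry }
        } elseif ($entry) { $holders += $entry }
    }
    return $holders
}

$serviceLogon    = Get-RightHolders 'SeServiceLogonRight'
$denyInteractive = Get-RightHolders 'SeDenyInteractiveLogonRight'
$admins = @()
try   { $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name }
catch { Write-Warning "Could not enumerate local Administrators: $_" }

$services = Get-CimInstance -ClassName Win32_Service

# Joe's point: one ID per service per machine. Count how many services share each custom account.
$usage = $services |
    Where-Object { (Get-AccountClass $_.StartName) -in 'LocalUser', 'DomainUser' } |
    Group-Object { ConvertTo-FullName $_.StartName } -AsHashTable -AsString

$report = foreach ($svc in $services) {
    $class  = Get-AccountClass $svc.StartName
    $full   = ConvertTo-FullName $svc.StartName
    $custom = $class -in 'LocalUser', 'DomainUser'
    [pscustomobject]@{
        Service           = $svc.Name
        Account           = $svc.StartName
        Class             = $class
        InAdministrators  = $(if ($custom) { $admins -contains $full } else { $null })
        HasServiceLogon   = $(if ($custom) { $serviceLogon -contains $full } else { $null })
        InteractiveDenied = $(if ($custom) { $denyInteractive -contains $full } else { $null })
        SharedWith        = $(if ($custom -and $usage -and $usage[$full]) { $usage[$full].Count - 1 } else { 0 })
    }
}

# Findings first: the "looks good if you do not look" cases.
$report | Where-Object {
    $_.Class -eq 'LocalSystem' -or $_.InAdministrators -eq $true -or
    $_.HasServiceLogon -eq $false -or $_.InteractiveDenied -eq $false -or $_.SharedWith -gt 0
} | Sort-Object Class, Service | Format-Table -AutoSize

# Then the overall split by account class.
$report | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
Remove-Item $policyFile -ErrorAction SilentlyContinue
```

The built-in identities are reported but not judged: LocalService and NetworkService carry their own fixed privilege sets, and a per-service virtual account (NT SERVICE\name) is the modern equivalent of Joe's "ID per service per machine" with no password to rotate. For a custom account the useful columns are the three boolean ones: it should hold SeServiceLogonRight, it should appear in SeDenyInteractiveLogonRight (Victor's "block an interactive logon"), and it should not be in Administrators; a non-zero SharedWith is the situation Joe describes where passwords end up never expiring.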

Victor Pereira
07-09-2005, 11:51 PM
Roger Abell and Joe Richards,

Thanks for your answer, that's great!

Best Regards,

VP

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:OuBytKrVFHA.1376@TK2MSFTNGP10.phx.gbl...
> Then I would say a custom account is the best, as it is
> in general for all OS versions.
> The problem here is not so much config of the account,
> but admin education so that they know what is an account
> correctly configured for use by the service.
>
> The problem with use of System should be obvious:
> it shares context with so very much else that it is more
> easily possible for things to hook into your code, and
> it is also such a wide-spread risk if something should
> find a flaw in your services. Of course, there are also
> issues from poor code, but we assume we do not need
> to list those.
>
> In theory, if the custom account is a local Users member
> then it is only a matter of making sure that the account
> has the user right to log in as a service, that it has rights
> to the registered service, and if there are pre-req services
> listed as dependencies perhaps rights to those, that it has
> grants to its registry key areas and its code plus any
> storage used. Being a Users member should cover what
> would be "appropriate" uses of other components, of reg
> and filesystem areas (at least appropriate in post-W2k).
>
> --
> Roger
> "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> news:OLsjiSnVFHA.3184@TK2MSFTNGP15.phx.gbl...
> > Roger, the answer is "Yes W2k is one in a dev cycle"
> >
> > VP
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:uVzVBgmVFHA.3076@TK2MSFTNGP10.phx.gbl...
> > > I personally believe that, in today's Windows world,
> > > "it depends" is a very fair answer.
> > > Local Service is probably the preferred context, as it
> > > pre-exists so removing need to get admins to understand
> > > issues in setting a usable custom account.
> > > However, this does not exist in pre-W2k3/XP systems,
> > > so, is one in a dev cycle for W2k?
> > >
> > > --
> > > Roger
> > > "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> > > news:u9vxOBkVFHA.3188@TK2MSFTNGP09.phx.gbl...
> > > > Ok Roger but imagine the following context:
> > > > You must create a development rule and you must specify what kind of
> > user
> > > > is better from the security point of view. Tell me that i'm not
crazy,
> > > > because i think that right answer is "it's depends".. am i crazy or
> this
> > > > question aren't boolean
> > > >
> > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > news:uMzeorjVFHA.2172@tk2msftngp13.phx.gbl...
> > > > > If I am selecting between similar products that install services
> > > > > and I find that one insists on using System, another used Local
> > > > > Service or Network Service, and a third allow a custom account
> > > > > that can have tightly controlled group memberships and grants,
> > > > > then, based on this criteria I favor them least to most in that
same
> > > > > order. The problem really is that often that custom account is
not
> > > > > very closely limited (I love the one where they make it a member
> > > > > of Administrators - looks good if you do not look!).
> > > > >
> > > > > Secure programming practices are as important as the security
> > > > > context in which the service run, especially in the .Net era !!
> > > > > --
> > > > > Roger Abell
> > > > > Microsoft MVP (Windows Security)
> > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> > > > > news:%23Z2cQHjVFHA.3024@TK2MSFTNGP14.phx.gbl...
> > > > > > Hi,
> > > > > > What's better from the security point of view ?
> > > > > >
> > > > > > Put every service to run under the Local System (and violate the
> > Least
> > > > > > Privilege) or create a service account and live with a lot of
> > accounts
> > > > to
> > > > > > manage and protect ?
> > > > > >
> > > > > > What should i do to mitigate the risks ? Secure Programming (If
i
> > need
> > > > to
> > > > > > run my service using Local System), Block an iteractive logon
> > (service
> > > > > > account), anything more ?
> > > > > >
> > > > > > Thanks in Advance,
> > > > > >
> > > > > > Victor Pereira
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

