In earlier versions of Windows, most services ran under the SYSTEM (Local System) account. Microsoft later developed the Local Service and Network Service accounts, which have less authority, and reconfigured services to use them. Both principals have minimal authority and handle network resources differently. Local Service principals have the benefit of preventing unauthorized users from gaining access to other systems on a network.
For this case, the service should be installed under the Network Service account. This account is authenticated to all other computers on the network and uses the computer’s account as the domain. It is a predefined local account used by the Service Control Manager and is not recognized by the security subsystem. The account can be specified in calls to the CreateService and ChangeServiceConfig functions, and it does not use a password. A localized name for the account can be retrieved with the LookupAccountSid function. When the service runs under the NetworkService account, the computer’s credentials are presented to remote servers. The NetworkService account has many privileges, such as SE_ASSIGNPRIMARYTOKEN_NAME (disabled), SE_AUDIT_NAME (disabled), SE_CHANGE_NOTIFY_NAME (enabled), SE_CREATE_GLOBAL_NAME (enabled), SE_IMPERSONATE_NAME (enabled), SE_INCREASE_QUOTA_NAME (disabled), SE_SHUTDOWN_NAME (disabled), and SE_UNDOCK_NAME (disabled). These privileges are assigned to both users and authenticated users.
To install a service under NetworkService, first open the application that you installed and go to the services page. Then select your service. Next, in the service properties page, set the “User Name” to NT AUTHORITY\Network Service. The password field should be left empty. Finally, select the “Log on as a Service” policy for the selected username option. When this is all done, you can verify that the account can log on as a service by using the “Local Security Policy” tool. This is accessed by going to the Control Panel, then Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment, and then finally selecting “Log on as a service”. Some common problems occur if the service is already installed or if the installation is not running with administrator privileges. However, the general process should be relatively simple.
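The same change and the verification step can be scripted. The following is an added example, not part of the original article: it assumes a hypothetical, already installed service named ExampleSvc and an elevated PowerShell session, and it uses the Win32_Service Change method (a wrapper over ChangeServiceConfig) and a secedit export of the user rights.

```powershell
#Requires -RunAsAdministrator
# Added example. 'ExampleSvc' is a hypothetical service name (assumption).
$ServiceName = 'ExampleSvc'
$AccountName = 'NT AUTHORITY\NetworkService'   # same name in every locale

# Resolve the localized display name from the well-known SID S-1-5-20
# (the managed counterpart of calling LookupAccountSid).
$sid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)
$localized = $sid.Translate([System.Security.Principal.NTAccount]).Value
"Network Service resolves to '$localized' ($($sid.Value)) on this system"

# Fail early on the "service not installed" case.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }
"Current logon account: $($svc.StartName)"

# Switch the logon account. The empty StartPassword matches the empty
# password field: the built-in account has no password.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $AccountName
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) {
    throw "Change failed with return code $($result.ReturnValue)."
}

# Confirm what the Service Control Manager now has on record.
$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
"New logon account: $($after.StartName)"

# Verify the "Log on as a service" right (SeServiceLogonRight) by exporting
# the user rights assignment and looking for the account's SID.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $inf -Pattern '^SeServiceLogonRight' |
    Select-Object -First 1
if ($right -and $right.Line -match [regex]::Escape("*$($sid.Value)")) {
    "SeServiceLogonRight includes $($sid.Value)"
} else {
    Write-Warning "SeServiceLogonRight does not list $($sid.Value); the service will fail to start."
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

The new account takes effect the next time the service starts.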