【F】NT AUTHORITY\NETWORKSERVICE Vs. NT AUTHORITY\SYSTEM Vs. NT AUTHORITY\LOCAL SERVICE

First the actual accounts:

  • Local System (System): Completely trusted account, moreso than the administrator account. There isnothing on a single box that thisaccount can not do and it has theright to access the network as themachine (this requires ActiveDirectory and granting the machineaccount permissions to something)
  • Network Service : Limited serviceaccount that is meant to run standard least-privileged services. This accountis far more limited than Local System (or even Administrator)but still has the right to access thenetwork as the machine (see caveatabove).
  • Local Service : A limitedservice account that is very similar to Network Service and meant to run standard least-privileged services. However unlike Network Service it has no ability to access the network as the machine.

Above when talking about accessing the network, this refers solely to SPNEGO (NTLM & Kerberos) and not to any other authentication mechanism.

The general issue with running as a standard out of the box account is that if you modify any of the default permissions you're expanding the set of things everything running as that account can do. So if you grant DBO to a database, not only can your service running as Local Service or Network Service access that database but everything else running as those accounts can too. If every developer does this the computer will have a service account that has permissions to do practically anything (more specifically the superset of all of the different additional privileges granted to that account).

It is always preferable from a security perspective to run as your own service account that has precisely the permissions you need to do what your service does and nothing else. However, the cost of this approach is setting up your service account, and managing the password. It's a balancing act that each application needs to manage.

In your specific case, the issue that you are probably seeing is that the the DCOM or COM+ activation is limited to a given set of accounts. In Windows XP SP2, Windows Server 2003, and above the Activation permission was restricted significantly. You should use the Component Services MMC snapin to examine your specific COM object and see the activation permissions. If you're not accessing anything on the network as the machine account you should seriously consider using Local SERVICE (not Local SYSTEM which is basically the operating system).

 

 

你可能感兴趣的:(service)