Server log on service best practice

I've seen many best-practice articles about running applications with a domain service account. I've tried it in my labs by setting a GPO to allow a specific domain user to log on as a service.

However, when I installed a new program (e.g. a monitoring tool's agent), it was still able to run as Local System. And the application service is still running as Local System after I restarted.

As I know, Local System has very high privileges, and everyone says you should avoid using it unless it is needed. Does this mean that when I install, I have to change the service's logon account from Local System to the service account manually?

Can I prevent services from running as Local System by setting a GPO or a registry key?

Or do I only have to use service accounts for some applications, like SQL services, web services, and application services?

I apologize if my question wasn't clear. Any suggestion or advice is appreciated.

  1. There are many system services which need to run as LocalSystem; if you actually managed to globally prevent all services from running as such, this would result in a total collapse of your systems.

  2. I'm assuming you want to prevent applications which run as services from running as LocalSystem; there is no way to enforce this.

  3. The user account used by each service is specific to its configuration. This is configured when installing the service, usually by an installer program; it can be changed later by an administrator, but you need to make sure the user account you choose has all the required permissions (folder access, Registry access, system privileges, etc.). Also, changing the Windows service logon properties isn't usually enough: you have to actually configure the application to use the new service account (see SQL Server as an example).

  4. Most installer programs which install services will ask for a service account to use; if they don't and just use LocalSystem, chances are they actually need it (or maybe the developer was lazy); you need to check with the developer/vendor if this can be changed and how.

TL;DR: no, there is no way to enforce a global standard of "all services should run using domain accounts"; this has to be managed individually for each application.
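Since this has to be managed per service, a practical first step is an inventory of which services on a host run as LocalSystem and which of them are not part of the OS. The following PowerShell is an added example written for this page (not the poster's or answerer's code); it assumes PowerShell 5.1 or later on Windows, and the service and account names in the commented commands at the end are placeholders.

```powershell
# Added example: audit services running as LocalSystem and flag the ones whose
# executable lives outside %SystemRoot%, i.e. third-party services to review.
# Run from an elevated prompt so every service's configuration is readable.

function Get-LocalSystemServiceAudit {
    [CmdletBinding()]
    param(
        # Executables under this root are treated as built-in OS services
        [string]$TrustedRoot = "$env:SystemRoot\"
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; keep only the executable.
            # An unquoted path containing spaces is cut at the first space, which is
            # the same ambiguity the service control manager itself faces.
            $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
                   else { ($_.PathName -split ' ')[0] }
            $builtIn = $exe.StartsWith($TrustedRoot, [System.StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Path      = $exe
                Review    = -not $builtIn   # True = third-party service worth reviewing
            }
        }
}

# Third-party services currently configured to run as LocalSystem
Get-LocalSystemServiceAudit | Where-Object Review | Format-Table -AutoSize

# Changing one reviewed service's logon account (placeholder names). The account
# must already hold "Log on as a service" (granted via GPO) and the file and
# registry permissions the application needs, as point 3 of the answer explains.
# sc.exe config "ExampleAgent" obj= "CORP\svc_exampleagent" password= "<password>"
# Restart-Service -Name "ExampleAgent"
```

Services that report Review = True but need LocalSystem are exactly the ones to take up with the vendor, as point 4 of the answer suggests.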