Server log on service best practice
I've seen many best practice articles about running application with a domain service account. I've tried it on my labs by set GPO to allow specific domain user to log on as a service
However, when I installed a new program (e.g. monitoring tools agent) it's still able to running by Local System. And the Application service is still running as Local System after I restarted.
As I know, Local System has very high privileges and everyone said you should avoid to using it unless it need. This is mean when I install I have to change service logon as a service to Service account manually right?
Can I prevent service to running with Local System by setting GPO or registry?
Or I only have to use Service account on some application like SQL services, Web services, and Application services?
I'm apologize if my questions is wasn't clear, Suggestion or any advise is thankful
-
There are many system services which need to run as LocalSystem; if you actually managed to globally prevent all services from running as such, this would result in a total collapse of your systems.
-
I'm assuming you want to prevent applications which run as services from running as LocalSystem; there is no way to enforce this.
-
The user account used by each service is specific to its configuration; this is configured when installing the service, usually by an installer program; this can be changed later by an administrator, but you need to make sure the user account you choose has all the required permissions (folder access, Registry access, system privileges, etc.); also, changing the Windows service logon properties isn't usually enough: you have to actually configure the application to use the new service account (see SQL Server as an example).
-
Most installer programs which install services will ask for a service account to use; if they don't and just use LocalSystem, chances are they actually need it (or maybe the developer was lazy); you need to check with the developer/vendor if this can be changed and how.
TL;DR: no, there is no way to enforce a global standard of "all services should run using domain accounts"; this has to be managed individually for each application.