Windows - Use Local Service and/or Network Service account for a Windows service

The NT AUTHORITY\NetworkService account is only needed when you're communicating with other computers in a domain that need your machine's credentials for access control. It is not required for simple Internet/network access. It is only necessary for specific purposes in an Active Directory domain.

Also the entire point of the NT AUTHORITY\LocalService account is that it has minimum privileges on the system. Giving it more privileges decreases the security of the many services on your system designed to run at the low privilege level it was designed to proffer. If your service requires privileges above and beyond those, you should create a new account for it with the necessary privileges and set that account in the Log On tab of the service's properties. (This can also be done programmatically.)

You could also run it using the NT AUTHORITY\LocalSystem account, which has unlimited access to your system, but I assume you wanted to use the LocalService account for the increased security it provides.


The other answers confirm what you say about using Local Service. To summarize, Local Service is the recommended account to use with your service, unless you need the extra Active Directory SSPI features of Network Service.

For restricting read/write access to a specific folder, you can do better than just giving access to the generic Local Service account though. The problem, as others have pointed out, is that this would also give read/write access to all other services running as Local Service and if all services did this then gradually Local Service would receive access to more and more important resources.

The solution is to instead ACL your folder using your specific service SID. Only your own service process has your service SID associated with it, so this locks down your resource even further. You can view the service SID using sc showsid <service name>. The service SID is generated from the service name, so it will be the same on all machines.

To enable service SID usage by your service, use ChangeServiceConfig2 with the SERVICE_SID_INFO structure to set SERVICE_SID_TYPE_UNRESTRICTED. You can also set SERVICE_SID_TYPE_RESTRICTED to get an even more restricted SID that only allows write access to resources explicitly allowed with your service SID.

This link has the high-level descriptions of service SIDs and restricted service SIDs: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh125927(v=ws.10)
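
Added example (not part of the answers above): the service SID is derived deterministically from the service name, which is why it is identical on every machine and can be computed ahead of deployment for ACL templates. The sketch assumes the commonly documented derivation (SHA-1 over the upper-cased UTF-16LE name, split into five little-endian 32-bit sub-authorities under S-1-5-80); the helper names and the service name "MyService" are hypothetical.

```python
import hashlib
import struct

# S-1-5 is the NT authority; 80 is the base RID reserved for service SIDs.
SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(service_name: str) -> str:
    """Return the per-service SID that `sc showsid <service name>` reports.

    Assumed derivation: SHA-1 of the upper-cased name encoded as UTF-16LE
    (no terminator), read as five little-endian 32-bit sub-authorities.
    """
    if not service_name:
        raise ValueError("service name must not be empty")
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)  # 20 bytes -> 5 DWORDs
    return "-".join([SERVICE_SID_PREFIX, *(str(s) for s in sub_authorities)])


def folder_ace(service_name: str, rights: str = "FRFW") -> str:
    """Build an SDDL allow-ACE granting only this service's SID access.

    OICI makes the ACE inherit to files and subfolders; FR/FW are the SDDL
    codes for file generic read and write. Nothing is granted to the shared
    Local Service account, so other services running as it gain no access.
    """
    return f"(A;OICI;{rights};;;{service_sid(service_name)})"


if __name__ == "__main__":
    # Cross-check against a SID that ships with Windows.
    print("TrustedInstaller:", service_sid("TrustedInstaller"))
    # Hypothetical service: SID and ACE can be computed before install.
    print("MyService       :", service_sid("MyService"))
    print("Folder ACE      :", folder_ace("MyService"))
```

The ACE only takes effect once the service's SID type is set to unrestricted or restricted as described above; with the SID type left at none, the service token does not carry the service SID.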