Windows - Use Local Service and/or Network Service account for a windows service

windows file-permissions privileges windows-services

The NT AUTHORITY\NetworkService account is only needed when you're communicating with other computers in a domain that need your machine's credentials for access control. It is not required for simple Internet/network access. It is only necessary for specific purposes in an Active Directory domain.

Also the entire point of the NT AUTHORITY\LocalService account is that it has minimum privileges on the system. Giving it more privileged decreases the security of the many services on your system designed to run at the low privilege level it was designed to proffer. If your service requires privileges above and beyond those, you should create a new account for it with the necessary privileges and set that account in the Log On tab of the service's properties. (This can also be done programatically.)

You could also run it using the NT AUTORITY\LocalSystem account, which has unlimited access to your system, but I assume you wanted to use the LocalService account for the increased security it provides.


The other answers confirm what you say about using Local Service. To summarize, Local Service is the recommended account to use with your service, unless you need the extra Active Directory SSPI features of Network Service.

For restricting read/write access to a specific folder, you can do better than just giving access to the generic Local Service account though. The problem, as others have pointed out, is that this would also give read/write access to all other services running as Local Service and if all services did this then gradually Local Service would receive access to more and more important resources.

The solution is to instead ACL your folder using your specific service SID. Only your own service process has your service SID associated with it, so this locks down your resource even further. You can view the service SID using sc showsid <service name>. The service SID is generated from the service name, so it will be the same on all machines.

To enable service SID usage by your service, use ChangeServiceConfig2 with the SERVICE_SID_INFO structure to set SERVICE_SID_TYPE_UNRESTRICTED. You can also set SERVICE_SID_TYPE_RESTRICTED to get an even more restricted SID that only allows write access to resources explicitly allowed with your service SID.

This link has the high-level descriptions of service SIDs and restricted service SIDs: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh125927(v=ws.10)

Related

Clone Ubuntu to a USB 3 flash drive
"Files" File manager is not working on Ubuntu 20.04
What is the difference between git add * and git add .?
Automatically bring up socketcan network interfaces on boot (can0, ...)
What is the definition of a "standard security update"? What other classifications are possible?
Run simple X11 app in docker container on Ubuntu 20.04
Transition- Convert Ubuntu 16.04 to Lubuntu 18.10(without internet)
Telegram 2.1.7 launcher icon not showing up ubuntu 20.04
locale-gen doesn't work
ls command not working in Ubuntu 18.04
Copy and paste not working in ubuntu in VirtualBox 6.1.2
Laptop Screen Black After Suspend