What are "NT AUTHORITY" and "NT SERVICE"?

I can find a lot of info on what "NT AUTHORITY" slash "something" is. Same for "NT SERVICE". But not for the part before the slash. I run into them from time to time in my work. I might receive documentation with, e.g., Domain Admins, which sometimes includes users from these 2 "places" (NT AUTHORITY\SYSTEM or NT SERVICE\MSSQLSERVER). So I understand they are some kind of standard users.

So I'd actually like to understand what that core thing before the slash is. Is it somehow connected to Windows NT? It doesn't seem so. What's with those "NT" letters? Are the Authority and the Service on the same level?


Solution 1:

If you're willing to play a little fast and loose with the definitions, NT AUTHORITY essentially refers to the Windows operating system itself. Or perhaps to "things the OS authorizes on your behalf."

(At first, NT meant New Technology, a version of the OS generally meant for businesses. It contrasted with the less strict, less secure Windows 9.x kernels used in Windows 98 and earlier versions. Starting with Windows 2000, the various versions were combined on a version based on Windows NT 4. Those eventually grew into Windows Vista, 7, 8.x, and the soon-to-be-released 10.)

The "NT" token is basically a legacy token left over from earlier times. You can think of it as a surrogate for Windows itself. More officially, it's the parent for a set of service users that handle background tasks and maintenance operations.

The tokens on the right side of the slash refer to individual internal service "users" of the OS. For example, NT AUTHORITY\SYSTEM handles system services, NT AUTHORITY\LOCAL SERVICE does local services, NT AUTHORITY\NETWORK SERVICE is network services, and so on. More background can be found in this thread and in various locations on MSDN. A creative use of your preferred search engine can help you find even more.

Essentially the same thing, but run on behalf of a service, which is (essentially) a utility that runs in the background. (The BITS service, for example, downloads updates in the background.) There are an awful lot of services that run, and the token NT SERVICE is used as a way to distinguish them from other things. Here's an article that goes into a bit more technical detail. (I wouldn't turn off any services unless you know precisely what they're for, though. That's a good way to goof things up.)

Solution 2:

A more technical explanation:

In Windows ACLs (access-control lists), permissions are applied to trustees - users, groups, or other security principals.

The trustees are uniquely identified by SIDs, which are strings starting with S-1- and can be formatted as human-readable strings such as NT AUTHORITY\SYSTEM for S-1-5-18.

Whoever came up with this design for Windows NT was aiming to make it rather general-purpose:

There are universal well-known SIDs, which are meaningful on all secure systems using this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows systems.

They came up with a few universal authorities, like SECURITY_WORLD_SID_AUTHORITY (S-1-1), which produces only one SID, S-1-1-0, meaning "Everyone"; but the majority of the SIDs in use start with S-1-5 - the prefix for the "NT authority", used to produce SIDs in the NT-based operating systems (i.e. all of the modern Windows versions).

You might assume at this point that the SIDs starting with S-1-5-... are displayed as NT AUTHORITY\, but it ain't so - many of the subbranches have their own prefixes in the human-readable form, for example:

  • S-1-5-21-domainID- is for custom Active Directory domains (MYDOMAIN\...)
  • S-1-5-32 is BUILTIN\ (e.g. BUILTIN\Administrators for -544)
  • S-1-5-80-serviceHash is for NT SERVICE\(service name)

Well-known SIDs which are not grouped together under some other name are sometimes displayed with the NT AUTHORITY\ prefix, e.g.:

  • NT AUTHORITY\LocalService (S-1-5-19; also displayed as simply "LOCAL SERVICE") "is a predefined local account used by the service control manager... has minimum privileges on the local computer and presents anonymous credentials on the network"
  • NT AUTHORITY\NetworkService (S-1-5-20; also displayed as simply "NETWORK SERVICE") "is a predefined local account used by the service control manager... has minimum privileges on the local computer and acts as the computer on the network."
  • NT AUTHORITY\SYSTEM (also simply "SYSTEM", closely related to the LocalSystem account) - see Is “NT AUTHORITY\SYSTEM” a user or a group?, System Account in Windows, and Side-effects of removing NTFS Permissions from SYSTEM

So the "NT AUTHORITY" name is an artifact of the extreme generality of the security subsystem used in Windows, which doesn't have a useful meaning other than "we didn't come up with a more specific group".

NT SERVICE\ (S-1-5-80-...) is the prefix used for "virtual accounts". When specifying the account to run a service named MyService as, you can enter "NT SERVICE\MyService" with no password, and it will run in a separate security context, for which you can set up permissions elsewhere.
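To make the SID structure in this answer concrete, here is a small added example (my own code, not part of either answer or of any Microsoft tool) that parses a SID string into its revision, identifier authority and sub-authorities, and then applies the display rules described above: S-1-1-0 is "Everyone", S-1-5-18/19/20 get the NT AUTHORITY\ prefix, S-1-5-32-RID is BUILTIN\, S-1-5-21-domain-RID is DOMAIN\, and S-1-5-80-... is NT SERVICE\. It also derives the NT SERVICE virtual-account SID the way Windows does (and `sc showsid <name>` prints it): S-1-5-80 followed by the SHA-1 of the upper-cased service name in UTF-16LE, read as five little-endian 32-bit values. Because that hash is one-way, a service SID can only be translated back to a name by recomputing the SID for candidate service names, which is what the example does. The domain identifier and the domain/service name lists are constructed for the example; the well-known SIDs and RIDs (544 Administrators, 512 Domain Admins) are the real values.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed sample input: the S-1-5-21 domain identifier is made up
# (hypothetical); the other SIDs are real well-known values.
SAMPLE_SIDS = [
    "S-1-1-0",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-32-544",
    "S-1-5-21-1111111111-2222222222-3333333333-512",
]
SAMPLE_DOMAINS = {(1111111111, 2222222222, 3333333333): "MYDOMAIN"}  # constructed
SAMPLE_SERVICES = ["BITS", "MSSQLSERVER"]  # candidate names for reverse lookup

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}
BUILTIN_RIDS = {544: "Administrators", 545: "Users"}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        tail = "".join("-%d" % s for s in self.subauthorities)
        return "S-%d-%d%s" % (self.revision, self.authority, tail)


def parse_sid(text: str) -> Sid:
    """Split 'S-R-A-s1-s2-...' into revision R, identifier authority A and
    the sub-authority list; S-1-5-... is the NT authority branch."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(x) for x in m.group(3).split("-") if x)
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def service_sid(service_name: str) -> Sid:
    """Derive the NT SERVICE\\<name> virtual-account SID: S-1-5-80 plus the
    SHA-1 of the upper-cased UTF-16LE service name as 5 little-endian DWORDs.
    Case-insensitive, because the name is upper-cased before hashing."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    words = tuple(int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4))
    return Sid(1, 5, (80,) + words)


def display_name(sid: Sid,
                 domains: Dict[Tuple[int, int, int], str] = None,
                 services: Iterable[str] = ()) -> str:
    """Apply the human-readable prefix rules from the answer above."""
    key = str(sid)
    if key in WELL_KNOWN:
        return WELL_KNOWN[key]
    subs = sid.subauthorities
    if sid.authority == 5 and len(subs) == 2 and subs[0] == 32:
        return "BUILTIN\\" + BUILTIN_RIDS.get(subs[1], "RID %d" % subs[1])
    if sid.authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain_id = subs[1:4]
        domain = (domains or {}).get(domain_id, "S-1-5-21-%d-%d-%d" % domain_id)
        return domain + "\\" + DOMAIN_RIDS.get(subs[4], "RID %d" % subs[4])
    if sid.authority == 5 and len(subs) == 6 and subs[0] == 80:
        # The hash cannot be reversed; try the candidate service names.
        for name in services:
            if service_sid(name) == sid:
                return "NT SERVICE\\" + name
        return "NT SERVICE\\<unknown service: %s>" % key
    return key  # no friendlier form known; show the raw SID


if __name__ == "__main__":
    rows = SAMPLE_SIDS + [str(service_sid("MSSQLSERVER"))]
    for text in rows:
        sid = parse_sid(text)
        print("%-60s %s" % (text, display_name(sid, SAMPLE_DOMAINS, SAMPLE_SERVICES)))
```

Running the script prints one line per sample SID with its display name; the last row shows that the long S-1-5-80 value resolves to NT SERVICE\MSSQLSERVER only because that name is in the candidate list, which is exactly why an unfamiliar S-1-5-80 SID in an ACL cannot be named without asking the machine (for instance with `sc showsid`) which service it was generated from.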