Should windows services be created with custom users, or should I use one of LocalSystem/LocalServic
Posted
by Justin Dearing
on Server Fault
See other posts from Server Fault
or by Justin Dearing
Published on 2010-06-13T19:52:39Z
Indexed on
2010/06/13
20:02 UTC
Read the original article
Hit count: 388
I'm asking the question in general for the average custom developed NT service or unix OSS daemon ported to windows with SCM support. However, at the moment my immediate concern is for mongodb.
From my experience with UNIX I like all my services to run as different unprivileged users. The way this has translated to windows is as follows:
- Create a local (or domain if it has to talk to SQL server) windows user with a long random password (lately an ASCII85 encoded guid generated from a different machine). Set it to next expire and forbid it from changing its password.
- Remove that user from the "Users Group". Grant that user "Login as a Service" permission.
- Give it read permission to the folder where the app resides, and write permission to the logs and data files the applications use.
- Assign the user to the service.
- Troubleshoot until the service starts.
My feeling is that the unprivileged users are less powerful than the 3 special service users. I also feel that by isolating which users run which services, I would limit collateral damage if a way to compromise one service was found.
© Server Fault or respective owner
