\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected] and you might see the answer in this column!\]
I recently read an article about the dangers of Windows NT service accounts, which usually have high system privileges. Apparently, malicious users can misuse the service accounts and compromise the security of critical applications or servers. According to the article, too many people use the Local Security Authority (LSA) account to run services, which creates a huge security risk because the LSA account is the most trusted account on an NT system, with unlimited privileges in the OS's Trusted Computing Base (TCB). Also, when administrators change the service account's password in NT's User Manager for Domains, many forget to change the password in the service properties, which can cause applications to suddenly stop functioning. What can you recommend to make service accounts more secure and to protect against failures and exploits such as those I described?
First, let's consider an NT service's different logon options. You can set logon options from the Service dialog box, which you access from the Control Panel Services icon. As Figure 1 shows, the Log On As options are
- System Account—When you select this option, your service runs in the security context of the LSA account, which has unlimited power on the local machine.
- This Account—When you select this option, your service can use any other account available in the domain or on the local machine to log on. The service runs in the security context of the account you specified.
Your question indicates your correct reluctance to use the LSA account to set up services to run. The LSA account has all Administrator account privileges, which gives those who use the account the power to access any local resource independent of their access control settings. The LSA account also has the Act as part of the operating system user right—the highest privilege an account can have on the level of the OS's TCB. This privilege basically lets an account change and control the local security policy settings.
I strongly recommend that you use the second logon option. You'll have much more control over the privileges and access rights the service has. In choosing the second option, you honor the principle of least privilege: Grant services only those privileges necessary to perform their function, nothing less or more.
To get a better view and more control of the service logon accounts' status and their passwords, check out Configuresoft's Enterprise Configuration Manager (ECM) 3.6. ECM lets you query the service configuration on different machines and change local account passwords—all from a central console. You can find more information about ECM at http://www.configuresoft.com.