Service Accounts

Services are background processes. For example, the Server service accepts incoming file-sharing connections, and the Workstation service manages outgoing file-sharing connections.

Each service must run in the context of a service account. The permissions of the service account largely define what the service can and cannot do, just like a user account defines what a user can do. In early versions of Windows, security vulnerabilities in services were often exploited to make changes to the computer. To minimize this risk, service accounts should have the most restrictive permissions possible.

Windows Vista provided three types of service accounts: Local Service, Network Service, and Local System. These accounts were simple for administrators to configure, but they were often shared between multiple services and could not be managed at the domain level. Administrators can also create domain user accounts and configure them to act as a service account. This gives administrators complete control over the permissions assigned to the service, but it requires administrators to manually manage passwords and service principal names (SPNs). This management overhead can become very time consuming in an enterprise environment.

Windows 7 introduces two new types of service accounts:

• Managed service accounts provide services with the isolation of a domain account while eliminating the need for administrators to manage the account credentials.

• Virtual service accounts act like managed service accounts, but they operate at the local computer level rather than at the domain level. Virtual service accounts can use a computer’s credentials to access network resources.

Both types of accounts have passwords that reset automatically so that administrators do not need to manually reset the passwords. Either type of account can be used for multiple services on a single computer. However, they cannot be used for services on different computers, including computers in a cluster.
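The following PowerShell is an added example, not text or code from the Windows 7 Resource Kit: it inventories the logon account of every service on the local computer, sorts each into the categories the section describes (Local System, the shared built-in accounts, virtual accounts, managed service accounts, and ordinary user accounts whose passwords and SPNs must be managed by hand), and shows how to move a service onto a virtual service account. It assumes PowerShell 3 or later (for `Get-CimInstance`), an elevated session for the configuration step, and a hypothetical service name `MyAppSvc`; the function names are my own, while `sc.exe config <service> obj= "NT SERVICE\<service>"` is the standard way to assign a virtual account.

```powershell
# Added example (not from the Resource Kit). Inventory service logon accounts and
# flag the ones that run with broad privileges or need manual password management.

function Get-ServiceAccountReport {
    # Get-Service does not expose the logon account, so query the Win32_Service class.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = [string]$_.StartName
        $category = switch -Regex ($account) {
            '^LocalSystem$'                          { 'Local System: full local privileges'; break }
            '^NT AUTHORITY\\(Local|Network)Service$' { 'Built-in account shared between services'; break }
            '^NT SERVICE\\'                          { 'Virtual service account (password managed by Windows)'; break }
            '\$$'                                    { 'Managed service account (password managed by the domain)'; break }
            default                                  { 'User account: password and SPN must be managed by hand' }
        }
        [pscustomobject]@{
            Name     = $_.Name
            Account  = $account
            Category = $category
            State    = $_.State
        }
    }
}

function Set-VirtualServiceAccount {
    # Switch a service to its own virtual account, NT SERVICE\<service name>.
    # Virtual accounts have no password to set; the change applies on the next service start.
    # sc.exe is called by its full name because 'sc' is a PowerShell alias for Set-Content.
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    & sc.exe config $ServiceName obj= "NT SERVICE\$ServiceName"
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed for '$ServiceName' (exit code $LASTEXITCODE)"
    }
}

# Usage: list the services that still run as Local System, a shared built-in account,
# or an ordinary user account, i.e. the candidates for a more restrictive account.
Get-ServiceAccountReport |
    Where-Object { $_.Category -notmatch 'Virtual|Managed' } |
    Sort-Object Category, Name |
    Format-Table -AutoSize

# Hypothetical service name; run from an elevated session, then restart the service.
# Set-VirtualServiceAccount -ServiceName 'MyAppSvc'
```

The report distinguishes a managed service account by the trailing `$` in its name, which is how these accounts appear in the service's logon setting; a service on a domain member can use one only after the account has been created in Active Directory and installed on that computer, and, as the section notes, neither a managed nor a virtual account can be shared across computers.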


Source of information: Windows 7 Resource Kit (Microsoft Press, 2009)
