
In Unix and Linux based systems you usually run services in the context of service accounts that have no password set and cannot be logged on to. As far as I understand, the processes are spawned from a higher-privileged process and switched to the service account using setuid.

Is the same possible on Windows based systems, or do you always have to set a password for service accounts?

invictus
  • Some more reading material. https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts – Zoredache Feb 27 '19 at 20:20

1 Answer


If you do not want your service to run in an account with a password, you can configure it to run as local system, or as one of the built-in service accounts, NETWORK SERVICE or LOCAL SERVICE. Or, if you want finer-grained security, you can use a virtual account.

See the section "Using virtual accounts" in the Service Accounts Step-by-Step Guide for more information on virtual accounts. The Guide also describes managed accounts, which are domain accounts whose passwords are automatically managed by Windows.

Typically, you would just use NETWORK SERVICE or LOCAL SERVICE unless you need to give the service access to sensitive files or folders, or other securable objects such as registry keys.

Managed accounts are more complex than virtual accounts, but in an Active Directory environment you might want to use them if you need to give the service access to sensitive content on the network, such as a remote share or an SQL Server using integrated authentication.

See also Service Accounts, a more recent article applying to Windows Server 2022, 2019, and 2016.

Harry Johnston
  • Excellent! One thing that is still a bit unclear to me after reading this documentation is when you would choose a Managed Service Account over a Virtual Account and the other way around. Is it only related to whether you want network access to be in the context of a specific identity rather than the computer identity? Would a Managed Service Account be preferred over a Virtual Account for an application that accesses SQL Server over Kerberos? – invictus Feb 28 '19 at 09:06
  • Yes, that's right. I've added a paragraph about this to my answer. Accessing an SQL Server (that is in the same domain as you and is using integrated authentication) is a textbook example of why you might want to go to the extra trouble - if the service needs a level of access to the SQL database that shouldn't be exposed to the risk that other services on the same computer might be compromised. (If it only needs guest-level access, then using the computer account might be sufficient.) – Harry Johnston Feb 28 '19 at 18:17
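As an added example (not part of the answer above or of the Microsoft guide it cites), here are the three password-less options from the answer expressed as PowerShell run on the service host: a built-in service account, a virtual account, and a group managed service account (gMSA). The service name `ContosoAgent`, the binary path, the `CORP` domain, the gMSA name `svc_agent` and the DNS suffix are assumed placeholders; the gMSA steps need the ActiveDirectory RSAT module and rights to create service accounts in the domain.

```powershell
# Added example, not from the answer or from Microsoft's documentation.
# Assumed placeholders: service name, binary path, domain, gMSA name, DNS suffix.
# Run in an elevated PowerShell on the host that will run the service.

$svc = 'ContosoAgent'
$bin = 'C:\Contoso\agent.exe'   # no spaces, so no quoting games with sc.exe

# 1. Built-in service account: the least-privileged choice when the service
#    needs no access to sensitive local or network resources.
#    LocalService has no network identity, NetworkService presents the computer
#    account on the network, LocalSystem is highly privileged and best avoided.
sc.exe create $svc binPath= $bin start= auto obj= 'NT AUTHORITY\LocalService'

# 2. Virtual account: an identity private to this one service, still with no
#    password to store or rotate. The account name must be NT SERVICE\<service name>.
sc.exe config $svc obj= "NT SERVICE\$svc" password= ""

# Give only that identity (plus SYSTEM and Administrators) access to the service's
# data directory, so a compromise of another service on the same host does not
# reach it. /inheritance:r drops the inherited ACEs first.
$data = 'C:\ProgramData\Contoso\Agent'
New-Item -ItemType Directory -Path $data -Force | Out-Null
icacls $data /inheritance:r /grant "NT SERVICE\${svc}:(OI)(CI)M" 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F'

# 3. Group managed service account: use when the service must reach network
#    resources (a file share, SQL Server with integrated authentication) as its
#    own domain identity rather than as the computer account.
#    A KDS root key must exist once per forest; -EffectiveImmediately is for labs,
#    in production the key becomes usable after the replication delay (about 10 h).
# Add-KdsRootKey -EffectiveImmediately
$gmsa = 'svc_agent'
New-ADServiceAccount -Name $gmsa -DNSHostName "$gmsa.corp.example.com" `
    -PrincipalsAllowedToRetrieveManagedPassword ($env:COMPUTERNAME + '$') `
    -KerberosEncryptionType AES256

# On the service host: let it retrieve the managed password and confirm it can.
Install-ADServiceAccount -Identity $gmsa
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "This host cannot retrieve the gMSA password; check PrincipalsAllowedToRetrieveManagedPassword"
}
# Note the trailing $ on the account name and the empty password: Windows fetches
# the real password from Active Directory itself.
sc.exe config $svc obj= "CORP\$gmsa$" password= ""

# Review which identity services actually run as. Anything still on LocalSystem,
# or on an ordinary user account with a stored password, is worth a second look.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq $svc -or $_.StartName -eq 'LocalSystem' } |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize
```

In practice you pick one of the three `sc.exe config` lines, not all of them; they are shown in sequence only to contrast the identities. The virtual account and the gMSA both leave `password=` empty, which is the point of the answer: the operating system, not an administrator, holds the credential.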