Re: local admin security question
From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Tue, 5 Apr 2005 19:53:02 -0500
If you are deploying to 2003, why not try using the NETWORK SERVICE account?
It is essentially a local user in terms of permissions, but uses the
computer's account for network credentials. If you don't need network
credentials, you can use LOCAL SERVICE.
If there is an internationalization issue related to the names of these
accounts, it seems like using the SIDs to reference them would be the way to
go. However, I know very little about MSI or internationalization, so I
can't help too much with any details there.
"Jeff Pigott" <email@example.com> wrote in message
> Our app doesn't require it, we are just having problems with Systems that
> do not use English on the initial install during the Windows 2003 Server
> install. They install it as Spansh, and our Windows Service need to use a
> regional setting of English. So we found out we need to use a user account
> vs. a "local admin" account. Are there any whitepapers on locking a user
> account down just to a Windows Service?
> "Joe Kaplan (MVP - ADSI)" <firstname.lastname@example.org> wrote
> in message news:%23$FySuiOFHA.580@TK2MSFTNGP15.phx.gbl...
>> If you are concerned about security, then it is probably best to avoid
>> using an account that has admin privileges at all. Does your app
>> absolutely require that?
>> The question of local account vs. domain account depends on whether the
>> service needs to access domain resources on the network.
>> If you really need admin privileges and only need a local machine
>> account, then creating a different user is probably a good idea because
>> then you can change the regular administrator password easily without
>> breaking your service.
>> Joe K.
>> "Jeff Pigott" <email@example.com> wrote in message
>>> Can anyone suggest whether to use Local Admin service as a Windows
>>> service account for our .NET ADO applicaiton or create a user with Admin
>>> privledges to use for this account?
>>> Is one better than the other?