Re: Default privileges of NT Authority\Local Service account?

• Previous message: Michel Gallant: "Re: How to verify a SignedData (CMS, RFC3369) object?"
• In reply to: Berry at JSO: "Default privileges of NT Authority\Local Service account?"
• Next in thread: Rhett Gong [MSFT]: "RE: Default privileges of NT Authority\Local Service account?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 11 Jul 2005 14:43:32 -0700

=?Utf-8?B?QmVycnkgYXQgSlNP?= <6399bwmNOSPAM@community.nospam> wrote in
news:4797C6D1-BC69-40B6-AFF7-40B087ADD19A@microsoft.com:

> What are the default privileges of the NT Authority\Local Service
> account? I have looked at the privilege membership in Local Security
> Settings, and it appears that these are its rights:
> 1. Adjust memory quotas for a process
> 2. Generate security audits
> 3. Replace a process level token
>
> Is that right? It seems like it should have more privs.
>
> Also, does the account have any NTFS permissions on the local drives?
>
> The reason I ask is that I want to create a domain account that has the
> same local rights on the machine.
>
>

Berry,

Your LocalService/NetworkServices seem normal (nothing out of the
ordinary).

The LocalService account is designed to run with few privileges: the idea
being if you don't need these privileges, then you can run as a less
privileged account. It's pretty much the same reason why you should run as
a limited user instead of an administrator.

According to http://msdn.microsoft.com/library/default.asp?
url=/library/en-us/dllproc/base/service_user_accounts.asp ,
those are the only three privileges the account is supposed to have.
According to the same page, the NetworkService/LocalService accounts are
members of the Users group [and therefore, Authenticated Users]. This
means anything that applies to Users (privileges, ACLs, etc.) also applies
to the services.

Note that the LocalService/NetworkService accounts cannot display windows
or dialog boxes (except message boxes).

-- 
------------------------------------------------------------------------
oshah [shexec32]
Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
-> Do not report errors for these programs:
Acrobat.exe
waol.exe
------------------------------------------------------------------------

• Previous message: Michel Gallant: "Re: How to verify a SignedData (CMS, RFC3369) object?"
• In reply to: Berry at JSO: "Default privileges of NT Authority\Local Service account?"
• Next in thread: Rhett Gong [MSFT]: "RE: Default privileges of NT Authority\Local Service account?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]