Re: Local System Account & Network Access

Thanks Steve, I enabled detailed logging on the server and redid the
excercise, these are the the only two entries from the event log:

User Logoff:
User Name: PCNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0xBA816)
Logon Type: 3

and


Successful Network Logon:
User Name: PCNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0xBA816)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

Looks like it's connecting with some kind of 'system' computer account?

Just some background - I'm developing the service and the GUI that sends the
commands to it. This seems to be more of a security issue than a development
issue which is why I posted it here.
It's a real worry when programs work better than they are not supposed to :-)


"Steven L Umbach" wrote:

Offhand I don't know exactly what is going on but what I would do is to
check the security log on the server that has the administrator share to see
the type 3 logon event generated when access is allowed to the share and the
user name. The events in the log are time stamped so it should be easy to
find. The info in the link below may also be helpful if you have not seen it
yet on planning security for service accounts. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/sspgch03.mspx
-- The Services and Service Accounts Security Planning Guide


"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:578755CB-FC31-4512-91D7-B8379710C22E@xxxxxxxxxxxxxxxx
Hi,

I have a custom developed windows service running on XP - very simple , it
accepts commands via TCP/IP and executes them on the pc on which it is
installed.

The service gets installed with 'Local System' account credentials which
by
all accounts does not have access to network resources. I am however able
to
send commands to the service instructing it to install software packages
which reside on a network share (shared read-only for domain users) and it
works just fine.

I am concerned because all the documentation I have read indicates that
this
should not be possible, are there any special circumstances where the
System
account can access UNC share paths?



.

Relevant Pages

  • Re: write with cURL
    ... you can stop making excuses. ... Part of Jerrys' security is not letting you on his server... ... up an account for you, process the billing, etc. ...
    (alt.php)
  • Re: write with cURL
    ... you can stop making excuses. ... up an account for you, process the billing, etc. ... possible features from a web site to make up for the security issues. ... Nothing you have told me shows me you know how to lock down a server ...
    (alt.php)
  • Re: write with cURL
    ... It takes time to set up an account for you, process the billing, etc. ... Sorry, my servers are secure. ... Nothing you have told me shows me you know how to lock down a server so that it is secure - other than to use the server's file security. ...
    (alt.php)
  • Re: having problems creating packages - access denied..
    ... I've given a global group (which contains all of the site server computer ... full share permission and also full local security permission. ... SMS uses the site server computer account to connect to ...
    (microsoft.public.sms.admin)
  • RE: Thunderbird Getting Started
    ... bounces@xxxxxxxxxxxxxxxx] On Behalf Of steve ... |> left there is a "remove account" button. ... | additional TB account for my MSN email address. ... | that TB cannot contact the MSN server. ...
    (Ubuntu)