Re: Local System Account & Network Access

---

• From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Sun, 2 Jul 2006 12:21:10 -0500

---

Glad we could help. If you review the white paper you should find it quite
helpful and Roger's suggestion to use local service instead of local system
would be something to try. --- Steve


"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:881E620E-0E5D-42F3-94FF-FFD461DBABB1@xxxxxxxxxxxxxxxx

OK, all kinda makes sense now. Thank you Steve and Roger for your inputs,
it's my first ever post on this support forum & your responses have been
excellent.

"Steven L Umbach" wrote:

In that white paper I posted the link for you see this about local system
account on a domain computer.

Local System. Keep in mind that services that log on as Local System have
extensive privileges on the local computer and present computer
credentials
on the network (referenced as <domain_name\computer_name>$). The
account's
privileges must be limited to those that are required for the successful
operation of the service only.

So you are seeing expected behavior in an Active Directory domain though
I
though that domain users does not include domain computers. Maybe some
group
nesting in your situation or permissions for another group allowed
access.
Yes you will see a lot of groups listed for both computer and user when
you
run gpresult. The groups that you don't see listed in member of as these
are
called special groups/identities of which the operating system manages
membership but they do have a bearing on what a user/computer has access
to
and can be listed in access control lists. --- Steve



"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:388C3BCA-2643-4D58-9AED-BCEF1FAE981B@xxxxxxxxxxxxxxxx

Mmm, quite interesting, I allowed only administrator acces to the share
in
question and access was denied as expected. running gpresult reveals
that
the
computer account is part of a whole bunch of groups (that do not appear
under
'member of' in AD, for the computer??) one of these groups is 'MyPc$'
and
another is Builtin\Users. I have no idea where these memberships come
from.
I'm not too worried about the fact that the computer can access the
share,
the normal network security seems to control that even though the group
membership is questionable.
What I really don't get is why the service is accessing the share with
the
'MyPc$' computer account when it is running as Local System. If a
process
running as Local System uses some other set of credentials when
accessing
the
network then this would mean that the Lcoal System account can in fact
access
the network (as long as it's computer account has the rights) - again,
this
goes against all the info I have been able to find on the Local System
account?
BTW thanks for all your input here

"Steven L Umbach" wrote:

When you see a $ after the username that means it is a computer
account
so
apparently the computer account was able to authenticate and have
access
to
the share. You said that the share has only read for domain users
group
which I believe would not normally contain domain computer accounts. I
would
double check the membership of the domain users group, check the
membership
of the computer account which you can do with the support tool
gpresult,
and
double check the share permissions to make sure it does not include
users,
everyone, authenticate users, or any other group the computer is a
member
of. As a test I would also try changing the share permissions to be a
specific domain user account or change the permissions to deny for
domain
users to see what happens. --- Steve


"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:794D0F1E-0713-4317-9820-B4797C0043AD@xxxxxxxxxxxxxxxx

Thanks Steve, I enabled detailed logging on the server and redid the
excercise, these are the the only two entries from the event log:

User Logoff:
User Name: PCNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0xBA816)
Logon Type: 3

and


Successful Network Logon:
User Name: PCNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0xBA816)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

Looks like it's connecting with some kind of 'system' computer
account?

Just some background - I'm developing the service and the GUI that
sends
the
commands to it. This seems to be more of a security issue than a
development
issue which is why I posted it here.
It's a real worry when programs work better than they are not
supposed
to
:-)


"Steven L Umbach" wrote:

Offhand I don't know exactly what is going on but what I would do
is
to
check the security log on the server that has the administrator
share
to
see
the type 3 logon event generated when access is allowed to the
share
and
the
user name. The events in the log are time stamped so it should be
easy
to
find. The info in the link below may also be helpful if you have
not
seen
it
yet on planning security for service accounts. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/sspgch03.mspx
-- The Services and Service Accounts Security Planning Guide


"Alwin" <Alwin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:578755CB-FC31-4512-91D7-B8379710C22E@xxxxxxxxxxxxxxxx

Hi,

I have a custom developed windows service running on XP - very
simple ,
it
accepts commands via TCP/IP and executes them on the pc on which
it
is
installed.

The service gets installed with 'Local System' account
credentials
which
by
all accounts does not have access to network resources. I am
however
able
to
send commands to the service instructing it to install software
packages
which reside on a network share (shared read-only for domain
users)
and
it
works just fine.

I am concerned because all the documentation I have read
indicates
that
this
should not be possible, are there any special circumstances where
the
System
account can access UNC share paths?

.

---

• References:
  • Re: Local System Account & Network Access
    • From: Alwin

• Prev by Date: Re: Permission to Copy Files to Server Folder But Not Edit Them
• Next by Date: deactivate IE intranet security warning
• Previous by thread: Re: Local System Account & Network Access
• Next by thread: Re: Mulitple Antispyware Beta Questions
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Local System Account & Network Access ... account on a domain computer. ... Keep in mind that services that log on as Local System have ... membership but they do have a bearing on what a user/computer has access to ... You said that the share has only read for domain users group ... (microsoft.public.security) Re: ATTN : Microsoft - Security Event 529....Second Request for help.... ... Routing Engine, Microsoft Exchange Information Store, Microsoft Exchange ... System Attendant service' logon on account is "Local System Account", ... (microsoft.public.windows.server.sbs) Re: Local System Account & Network Access ... In that white paper I posted the link for you see this about local system ... account on a domain computer. ... membership but they do have a bearing on what a user/computer has access to ... Logon ID: ... (microsoft.public.security) Re: Local System Account ... run following command from command line: ... Local System will also run as Local System. ... one can specify it to run as localsystem account. ... administrator is not same as Local System. ... (microsoft.public.win2000.security) Re: Local System Account ... run following command from command line: ... Local System will also run as Local System. ... one can specify it to run as localsystem account. ... administrator is not same as Local System. ... (microsoft.public.win2000.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)