Re: Network Service security question
- From: "Roger Abell [MVP]" <mvpnospam@xxxxxxx>
- Date: Fri, 1 Aug 2008 22:41:34 -0700
"<M>" <m_dinnis@xxxxxxxxxxx> wrote in message
news:025e3672-5064-489f-a0de-b29d18c6ae1a@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
If I create a web service to run on a Windows 2003 server under the
Network Service account, will it have access to other server services
elsewhere on my domain?
The scenario is that I have created a web service to query a specified
database. Different departments need the same functionality the
service supplies but need to query different databases. The solution
employed was to copy the service to their own local server and put
data access information in the associated config file. That way they
get the data they want to see and I don't have to duplicate code.
The issue that has now been raised is that as the departments are all
on the same domain and all the services are running as Network Service
then they could possibly connect to a different server and access the
resources (other services) there.
I think I've read somewhere that the Network Service account is a
local account, so does this mean that it can only access resources
locally even though it has network permissions?
Any thoughts?
<M>
The answer to your initial question is no, it will not have access,
that is, unless you go to the effort of making it so that it will.
When the Network Service goes "off box", that is, communicates over
the network, it does so by assuming the domain credentials of the
Local System account (that is, domain\machinename$).
So, if there are no grants on the remote machines to that domain
account, then it will not have any access other than what those
remote machines grant to anonymous, to everyone, to guest, to
Domain Computers, to Domain Users, or to Authenticated Users.
On your other questions, yes, Network Service is a local account.
However, it is predefined and so has the same SID on all machines.
The key point is that it uses the System account in order to make
use of network connections.
In your scenario things are really not much different from what
would be if you had defined a domain account, granted it access
to the resources your web service uses and granted it the accesses
needed to log in as the launch account of your web service where
it is installed (except that it would be a little easier to move to
integrated authentication for the database access as you would
have one account instead of one for each Network Service).
Roger
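Added example, not from the thread: a PowerShell check to run on the server that hosts the resource, listing the NTFS ACEs that would apply to a Network Service process arriving from another machine, i.e. the caller's machine account plus the broad groups Roger lists. The path and the machine account name are assumptions.

```powershell
# Added example (not part of the original post). Run on the resource server.
# A Network Service process calling in from WEB01 authenticates as the
# machine account CONTOSO\WEB01$ (assumed name), so any grant to that account,
# or to the broad groups below, is what gives it access here.
param(
    [string]$Path          = 'D:\Shares\DeptData',   # assumed resource path
    [string]$CallerMachine = 'CONTOSO\WEB01$'        # assumed machine account
)

$domain = ($CallerMachine -split '\\')[0]
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Guests',
    "$domain\Domain Computers",   # every machine account is a member
    "$domain\Domain Users"
)

$acl = Get-Acl -Path $Path

# Keep only ACEs whose principal the remote machine account would match.
$relevant = $acl.Access | Where-Object {
    $id = $_.IdentityReference.Value
    ($id -eq $CallerMachine) -or ($broadPrincipals -contains $id)
}

if (-not $relevant) {
    "No ACE on $Path applies to $CallerMachine or to broad groups; access is denied by default."
} else {
    $relevant | Select-Object `
        @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
        @{ n = 'Type';      e = { $_.AccessControlType } },
        @{ n = 'Rights';    e = { $_.FileSystemRights } },
        IsInherited |
        Sort-Object Type, Principal | Format-Table -AutoSize
}
```

Share-level permissions and SQL Server logins are separate grant lists; the same question (is DOMAIN\HOST$ or a broad group granted anything?) has to be asked of each of them.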