Re: SERVICE group
From: Marty List (Bill.Gates_at_sun.com)
Date: Thu, 10 Jun 2004 09:29:41 -0600
"Marin Marinov" <email@example.com> wrote in message
> In article <ukTKdNaTEHA.firstname.lastname@example.org>, Bill.Gates@sun.com
> > Does anyone have any info or links to info about the built-in group
> > "SERVICE". I'm talking about the built-in accounts like SYSTEM,
> > INTERACTIVE, etc.
> > I'm just trying to read about this group and find out when this gets
> > assigned to an access token.
> Hi Marty,
> This is a new security principal the purpose of which is to run services
> in its context since it has far less privileges than System. You'll
> notice that some services (e.g., Alerter) that don't require much
> privileges run under "Local Service",i.e. SERVICE.
> Membership in all these "special identities" is maintained by the system
> based on user actions.For example, when you log on locally you become a
> member of INTERACTIVE, while if you access a file share via the network
> you become a member of NETWORK. For more information on what each of
> these groups represents, search Help and Support Center for "Security
> identifiers: access control".
> Marin Marinov
> MCT, MCSE 2003/2000/NT4.0,
> MCSE:Security 2003/2000, MCP+I
> This posting is provided "AS IS" with no warranties, and confers no
> "True knowledge exists in knowing that you know nothing."
Thanks for the reply Marin, but it's not exactly what I'm looking for. When
you say "some services ... run under Local Service, i.e. SERVICE" it sounds
like you are saying the Local Service and SERVICE are the same thing, which
is not true. The 'LOCAL SERVICE' and 'NETWORK SERVICE' are both built-in
accounts new with Windows XP and later. However SERVICE is a built-in
group/well known SID that exists in Windows 2000 and later. You said "the
purpose of which is to run services in its context since it has far less
privileges than System" but you can't run a service in the context of
Now you were getting close when you said "when you log on locally you become
a member of INTERACTIVE, while if you access a file share via the network
you become a member of NETWORK". And what I am looking for is "when you
_____________ you become a member of SERVICE."
The help file was a good suggestion, it says "SERVICE: A group that includes
all security principals that have logged on as a service. Membership is
controlled by the operating system."
This gets me closer, but I'm looking for something more detailed and
technical like a whitepaper, or something referenced in the resource kit. I
need this for security audit documentation. Seen anything like this?