Why does a Windows Service need a local Administrative account?
Posted: Wed Jan 19, 2005 8:28 am
BB
This question comes from many company Windows Server system administrators. Why does your Windows NT/2000/2003 Service need to run as a local administrator? It is a real security nightmare, they say.
The answer is that if it is running a DCOM service, it cannot run as the system user, as it needs to be in communication with another DCOM application. All large companies have had to make exceptions in this regard for application services running on Win32 servers.
This (rather lengthy) article from Microsoft explains why you need to do this for some applications.
Here is what I saw in the event log for one of our applications:
Quote:
The {our application} service failed to start due to the following error:
The service did not start due to a logon failure.
Logon attempt with current password failed with the following error:
Logon failure: unknown user name or bad password.
When I looked at the Services configuration for the {our application}, it was set to log on as ./administratror.
(Start Menu --> Settings --> Control Panel --> Administrative Tools --> Computer Management )
I compared this with a working server. On that dev system, it was set to "Log on as Local System Account."
I changed the service on the other server to log on as the Local System account. Then the service started.
Here is an article from Microsoft entitled:
Understanding the Distributed Object Component Model (DCOM) Architecture
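An added example, not part of the original post: a PowerShell audit of the "Log on as" setting compared in the post, listing every service's account and flagging named accounts that are direct members of the local Administrators group. It assumes an elevated PowerShell 5.1+ session on the server being checked; the variable names are illustrative.

```powershell
# Added example: report each service's logon account and whether that
# account is a direct member of the local Administrators group.

# Direct members of local Administrators (well-known SID S-1-5-32-544).
# Nested membership through domain groups is not resolved here.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
          ForEach-Object { $_.Name }

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName } |
    ForEach-Object {
        $account = $_.StartName

        # ".\name" is a local account; expand it to "COMPUTER\name"
        # so it can be compared with the group member names.
        if ($account -like '.\*') {
            $account = '{0}\{1}' -f $env:COMPUTERNAME, $account.Substring(2)
        }

        # Classify the identity. PowerShell comparisons are
        # case-insensitive by default, which suits account names.
        $class =
            if ($account -eq 'LocalSystem') {
                'Built-in: LocalSystem (full local privileges)'
            } elseif ($account -like 'NT AUTHORITY\*' -or
                      $account -like 'NT SERVICE\*') {
                'Built-in: reduced-privilege service identity'
            } elseif ($account -in $admins) {
                'Named account in local Administrators'
            } else {
                # Includes UPN-style names (user@domain), which this
                # simple comparison does not match against $admins.
                'Named account, not a direct Administrators member'
            }

        [pscustomobject]@{
            Service = $_.Name
            State   = $_.State
            LogOnAs = $_.StartName
            Class   = $class
        }
    } |
    Sort-Object Class, Service |
    Format-Table -AutoSize
```

A service configured with a named account whose stored password no longer matches fails at start with the logon failure quoted above, so the rows classed as named accounts are the ones to check against the event log.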
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest (c) 2006 by Group29 Productions.