Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NT AUTHORITY/NETWORK SERVICE - vulnerabilities?

Status
Not open for further replies.
bluegnu

bluegnu

Technical User
Sep 12, 2001
131
0
0
GB
Hi, a quick question hopefully.

I have been reading the installation document for some software that my company deploys. One of the recommendations is to run services and IIS Application pools with the NT AUTHORITY/NETWORK SERVICE user.

I have always been told that you are better to use specifically created users to perform these tasks, particularly in a domain environment.

I don't have any basis of fact for doing this other than "I think it's safer and less vulnerable"

Is there any real reason for doing this?
 
Sort by date Sort by votes

I don't know that it's more secure to use a custom created domain service account, but there are reasons to use one over the default NT Auth/Netwrok Service account, like better database access for applications, better tracking of your apps via the event log,or if you want to use auditing to track each app. You can use custom accounts to separate different apps that reside on the same server. Sometimes privs/permissions get changed (sometimes by accident) on the NT Auth/Network Serv account. If you use a custom account these changes won't affect your applications.

By default the NT Auth/Network Services account has really low privileges and permissiosn. You have very restricted access using this account.

Someone else can probably explain it much better, but I hope this helps you some.

Kelly Brooks
Pomeroy IT Solutions
T3 IT Support for Acosta Military Div.
 
Upvote 0 Downvote
While Network Service doesn't have local login rights, it does have some elevated permissions that you probably don't want your application to have. I always recommend using a domain account to run applications run.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)
MCM (SQL 2008)
MVP

My Blog
 
Upvote 0 Downvote
Thanks for the responses. What are the elevated permissions?
 
Upvote 0 Downvote
I'm not sure what the exact rights are. You can look in the "Local Security Policy" and see what rights it has.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)
MCM (SQL 2008)
MVP

My Blog
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
89
DTGMI
DTGMI
mangentle
  • Locked
  • Question
What could be the potential causes if a Microsoft Windows Server is experiencing slow network!
Replies
1
Views
135
gbaughma
gbaughma
nukeinfer
  • Locked
  • Question
Internet restrictions for isolated PCs in the Network
Replies
1
Views
87
mangentle
mangentle
StevenFromSouth
  • Locked
  • Question
VPN Connects but cannot access remote network computers or folders
Replies
1
Views
73
StevenFromSouth
StevenFromSouth
Dave60608
  • Locked
  • Question
Accessing shared folders via a network
Replies
5
Views
125
strongm
strongm

Part and Inventory Search

Sponsor

Back
Top