NT AUTHORITY/NETWORK SERVICE - vulnerabilities?

Status
Not open for further replies.

bluegnu

Technical User
Sep 12, 2001
131
GB
Hi, a quick question hopefully.

I have been reading the installation document for some software that my company deploys. One of the recommendations is to run services and IIS Application pools with the NT AUTHORITY/NETWORK SERVICE user.

I have always been told that you are better to use specifically created users to perform these tasks, particularly in a domain environment.

I don't have any basis of fact for doing this other than "I think it's safer and less vulnerable".

Is there any real reason for doing this?
 

I don't know that it's more secure to use a custom created domain service account, but there are reasons to use one over the default NT Auth/Network Service account, like better database access for applications, better tracking of your apps via the event log, or if you want to use auditing to track each app. You can use custom accounts to separate different apps that reside on the same server. Sometimes privs/permissions get changed (sometimes by accident) on the NT Auth/Network Service account. If you use a custom account these changes won't affect your applications.

By default the NT Auth/Network Service account has really low privileges and permissions. You have very restricted access using this account.

Someone else can probably explain it much better, but I hope this helps you some.

Kelly Brooks
Pomeroy IT Solutions
T3 IT Support for Acosta Military Div.
 
While Network Service doesn't have local login rights, it does have some elevated permissions that you probably don't want your application to have. I always recommend using a domain account to run applications.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)
MCM (SQL 2008)
MVP

My Blog
 
Thanks for the responses. What are the elevated permissions?
 
I'm not sure what the exact rights are. You can look in the "Local Security Policy" and see what rights it has.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)
MCM (SQL 2008)
MVP

My Blog
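
A scripted way to do the "Local Security Policy" lookup suggested above, as an added example that is not part of the original thread: it exports the machine's user-rights assignments with `secedit`, keeps the rights granted directly to NETWORK SERVICE (well-known SID `S-1-5-20`), and then lists the services configured to run under that account. The scratch file name is an assumption of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example: list the user rights granted directly to NETWORK SERVICE.
# Requires an elevated prompt, because secedit needs administrator rights.
$networkServiceSid = 'S-1-5-20'                   # well-known SID for NT AUTHORITY\NETWORK SERVICE
$cfg = Join-Path $env:TEMP 'user-rights.inf'      # scratch file name chosen for this example

# Export only the user-rights section of the local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = foreach ($line in Get-Content $cfg) {
    # Lines look like: SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        if ($holders -contains $networkServiceSid) {
            [pscustomobject]@{ Right = $right; Holders = $holders -join ', ' }
        }
    }
}
Remove-Item $cfg
$rights | Sort-Object Right | Format-Table -AutoSize

# Services currently configured to run as Network Service. Each one shares the
# rights listed above with every other service on this list.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match 'Network\s?Service' } |
    Select-Object Name, State, StartName |
    Format-Table -AutoSize
```

The first table shows direct grants only; rights that NETWORK SERVICE inherits through groups such as Everyone or Authenticated Users appear under those groups' SIDs in the same export.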
 