Posted by Roger Abell [MVP] on July 4, 2006, 11:36 pm
Yes, but I would categorize those as one-off grants each needed due to
the uses being made of Network Service (i.e. the logs related to the
services running in that account). In all fairness, MS should have done
right when transiting services to that context (ditto Local Service).
Your question however is I think correctly answered that there is no
extra grant that one needs to make generically, but only ones due to
the uses made of the account. Now, if the log files you mention were
collected such as in system32\Logfiles instead of scattered as most
are and accumulated at system32 root, then you could just adjust on
system32\LogFiles. You are now turning me to an area in which
I have a fair degree of disappointment in the MS implementation.
> Roger, my security audit logfiles are filled with attempts by Network
> Service to take actions deleting or writing to various logfiles nested deep
> in system32. So apparently the Network Service user needs more boot volume
> access than an ordinary user should have.
>
> --
> Will
>
>> Is saying that, AFAIK these have no requirements that are
>> any different from those given to limited Users unsatisfying?
>> Of course, there may be added areas due to the third-party
>> services, or some MS optional components like IIS, for
>> which these may be used as the service account.
>
>