Click here to get back home

Local Administrator as service log on account
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Local Administrator as service log on account Pascal 01-11-2006
Posted by Pascal on January 11, 2006, 3:51 am
Please log in for more thread options
 Can anybody help me with the following problem:

I have a Web-Server in a DMZ. It runs a web Service for a 3rd party web
application. For this application to function properly, it is required
to run this server with an account that is in the local administrators
group on this server instead of the local system account.

Can someone tell me something about the security risks that we take whe
the service is started with a local admin account?

Thanks in advance and best Regards

Pascal


Posted by Miha Pihler [MVP] on January 11, 2006, 4:01 am
Please log in for more thread options
 Hi,

The risk with this is if someone can find a bug in the application (I don't
mean in operating system or IIS service, etc - I mean in your custom
application) he/she would have complete control over your server and could
do just about anything on the server (e.g. create new user with
administrative permissions on the server, open additional back door to the
server, shutdown the server, download additional tools from the internet (if
server has access to the internet) etc...
This bug could be just about anything (e.g. frequent bugs are when
application allows SQL injections).

--
Mike
Microsoft MVP - Windows Security

> Can anybody help me with the following problem:
>
> I have a Web-Server in a DMZ. It runs a web Service for a 3rd party web
> application. For this application to function properly, it is required
> to run this server with an account that is in the local administrators
> group on this server instead of the local system account.
>
> Can someone tell me something about the security risks that we take whe
> the service is started with a local admin account?
>
> Thanks in advance and best Regards
>
> Pascal
>



Posted by Ondrej Sevecek on January 11, 2006, 6:10 am
Please log in for more thread options
there is quite no difference between local system account and local
administrator account from the security point of view.

Only be sure to have the local admin's password different from other
computers or rename the account. This is because running under the user
account the application can access network under its identity as long as it
has the same name and password as some other user on the network (either
local on different computer or a domain user).


O.



> Can anybody help me with the following problem:
>
> I have a Web-Server in a DMZ. It runs a web Service for a 3rd party web
> application. For this application to function properly, it is required
> to run this server with an account that is in the local administrators
> group on this server instead of the local system account.
>
> Can someone tell me something about the security risks that we take whe
> the service is started with a local admin account?
>
> Thanks in advance and best Regards
>
> Pascal
>



Posted by Ondrej Sevecek on January 11, 2006, 6:26 am
Please log in for more thread options
one more note: even running under the local system account on a computer
that is joined to domain the application can access network, but will always
be only member of "Domain Computers" group there, so only a "Authenticates
Users" group rights will be applied.


O.


"Ondrej Sevecek" <ondra at my_surname dot com> wrote in message
> there is quite no difference between local system account and local
> administrator account from the security point of view.
>
> Only be sure to have the local admin's password different from other
> computers or rename the account. This is because running under the user
> account the application can access network under its identity as long as
> it has the same name and password as some other user on the network
> (either local on different computer or a domain user).
>
>
> O.
>
>
>
>> Can anybody help me with the following problem:
>>
>> I have a Web-Server in a DMZ. It runs a web Service for a 3rd party web
>> application. For this application to function properly, it is required
>> to run this server with an account that is in the local administrators
>> group on this server instead of the local system account.
>>
>> Can someone tell me something about the security risks that we take whe
>> the service is started with a local admin account?
>>
>> Thanks in advance and best Regards
>>
>> Pascal
>>
>
>



Similar ThreadsPosted
Local Administrator Account April 17, 2007, 7:28 pm
Allowing a local account to log on as batch/service? July 18, 2005, 2:15 am
Local account tries to authenticate to DC when service starts August 14, 2006, 10:09 am
Main Administrator account doesn't have Administrator groups right March 1, 2006, 2:35 pm
Is local system account member of local Administrators group? June 21, 2005, 11:33 am
set service start permissions to Administrator only August 17, 2007, 6:13 pm
Restricting service accounts that have administrator privileges July 8, 2007, 12:10 pm
Administrator account July 6, 2007, 12:43 pm
Service Account Passwords November 29, 2005, 12:32 am
Administrator account locking out April 1, 2006, 9:22 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap