Why start the service as a local system on Windows?

I am trying to figure out the difference between the different types of accounts, and I came across this question.

The answer was that it has powerful access to local resources, and that, if possible, you should use a network service account instead.

But I still cannot understand this: if it has powerful access to local resources, how can an attacker gain access to the account? What are some ways to compromise an account? I realize that this is about security, but I do not know how it is done. It may be a dark hacker world, but could anyone explain in simple terms why a network service account is better than a local account?

Thanks in advance.

+4
5 answers

Each program you run increases the attack surface of your server.

You must assume that some malicious actor may use bugs or loopholes in your program to make it do anything. You reduce this risk by running your programs with the least privileges needed to complete their tasks.

Some of these exploits include:

  • Luring attacks, in which an attacker tricks your program into executing the attacker's code under the program's elevated privileges.

  • Buffer overflow attacks, in which extra data sent to a method is written into neighboring memory, which may be the target of flow-control logic.

  • Man-in-the-middle attacks, in which an attacker forges messages sent to your program.

Often a service is clearly not vulnerable to any of them. Network Service (or another account with limited permissions) is a "better safe than sorry" strategy, which reflects two important facts of software development: programmers make mistakes, and attackers are inventive.

+11
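The least-privilege advice above is only actionable once you know which services actually run as LocalSystem. The following PowerShell script is an added example, not code from the original thread; it lists every Windows service with its log-on account, classifies the account, and prints the LocalSystem services that are running or start automatically. The account-name spellings in the two lists are the ones Win32_Service reports on current Windows versions; the classification labels are my own.

```powershell
# Added example (not from the original thread): audit which account each Windows
# service logs on as, and surface the ones running with full LocalSystem rights.
# Run in a PowerShell session on the machine being audited (no elevation needed
# to read the service list).

# Win32_Service.StartName uses several spellings for the same account, so match
# against all of them. -contains compares case-insensitively.
$highPrivilege = @('LocalSystem', 'NT AUTHORITY\SYSTEM', '.\LocalSystem')
$lowPrivilege  = @('NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-ServiceAccountReport {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = $_.StartName
        $class = if ($highPrivilege -contains $account) { 'LocalSystem (full control of host)' }
                 elseif ($lowPrivilege -contains $account) { 'Built-in low-privilege' }
                 elseif ($account -like 'NT SERVICE\*') { 'Virtual account' }
                 else { 'Custom account (review its rights)' }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode   # Auto, Manual, Disabled, ...
            Account   = $account
            Class     = $class
            Path      = $_.PathName
        }
    }
}

$report = Get-ServiceAccountReport

# Services that run, or will start on boot, as LocalSystem deserve the first look:
# a code-execution bug in any of them hands an attacker the whole machine.
$report |
    Where-Object { $_.Class -like 'LocalSystem*' -and
                   ($_.State -eq 'Running' -or $_.StartMode -eq 'Auto') } |
    Sort-Object Name |
    Format-Table Name, State, StartMode, Account, Path -AutoSize

# Per-class counts make a baseline you can diff against after moving services
# to less privileged accounts.
$report | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
```

Third-party services in the "Custom account" bucket are worth a second pass: a domain user that was granted local administrator rights is no better than LocalSystem from the attacker's point of view, and the script cannot tell the two apart from the account name alone.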

The local system account has virtually full administrative privileges on the local computer. Consequently, any code that can escape via a buffer overflow and get itself executed has significant potential for damage.

On the other hand, the default network service account only has guest access to the local system. Therefore, even if an attacker managed to find a way to send and execute code inside the service, that code would have limited access.

+7

The LocalSystem account is the Windows equivalent of the *nix root account. It is even more privileged than an administrator account. When you run as LocalSystem, you have full access to every resource on the computer.

As others wrote, you must write your code to run with the least possible privileges.

The main difference between LocalService and NetworkService is that services running as NetworkService have the ability to authenticate to other computers in the domain (I think of it as the computer account).

Note that the LocalService and NetworkService accounts have the "Impersonate" privilege, which is a potentially dangerous privilege: it allows the service to impersonate the user who is calling the service. If this user is an administrator, then even if your code runs in a low-privilege service, it can do everything that the administrator can do. If an attacker can exploit a buffer overflow in your least-privilege service, they can hook the APIs that you use to impersonate your caller and wait for a caller with a high privilege level to call your service. This method is known as Token Kidnapping, and MSRC has an excellent blog post describing the problem (and containing links describing how to mitigate many of the other risks associated with using the LocalService and NetworkService accounts).

+6
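The answer above names two concrete controls: run under NetworkService rather than LocalSystem, and keep the impersonation privilege away from code that does not need it. The script below is an added example, not code from the thread or from Microsoft; it reconfigures a service to NetworkService and then uses `sc.exe privs` to declare the privileges the service requires, so the service control manager strips every other privilege (including SeImpersonatePrivilege) from the process token at start. `ExampleSvc` and the data directory path are placeholders; it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): move a service from LocalSystem to
# NetworkService and restrict the privileges its process may hold. "ExampleSvc" and
# the data directory are placeholders for a real service and its files. Run elevated.
$serviceName = 'ExampleSvc'
$dataDir     = 'C:\ProgramData\ExampleSvc'   # placeholder: files the service must reach

# 1. Record the current log-on account and required-privilege list for comparison.
sc.exe qc $serviceName
sc.exe qprivs $serviceName

# 2. Switch the log-on account. NetworkService is a built-in account with no password
#    to manage. Stop the service first so the change applies cleanly.
Stop-Service -Name $serviceName -ErrorAction SilentlyContinue
sc.exe config $serviceName obj= 'NT AUTHORITY\NetworkService'

# 3. Declare only the privileges the service genuinely needs. The SCM removes all others
#    from the service's token when it starts. SeChangeNotifyPrivilege is the practical
#    minimum (directory traversal); SeImpersonatePrivilege is deliberately left out, so a
#    compromised service cannot wait for an administrator to call it and borrow that
#    token. If the service really must impersonate, add the privilege back here and
#    keep impersonation confined to the threads that need it.
sc.exe privs $serviceName SeChangeNotifyPrivilege

# 4. Resources previously reachable only because the service was LocalSystem now need
#    an explicit grant for NetworkService.
if (Test-Path $dataDir) {
    $acl  = Get-Acl -Path $dataDir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\NetworkService', 'Modify',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dataDir -AclObject $acl
}

# 5. Restart and verify: the service should now report the new account and the
#    reduced privilege list.
Start-Service -Name $serviceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, State, StartName
sc.exe qprivs $serviceName
```

Two caveats on the design. The required-privilege list applies to the whole service process, so a service hosted in a shared svchost process ends up with the union of every co-hosted service's privileges; putting a sensitive service in its own process is part of the same mitigation. And if the service stops working after step 3, the failing operation usually reveals the one privilege it actually needs, which is a far better reason to add a privilege than "it worked as LocalSystem".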

If your service has a bug that could allow an attacker to execute arbitrary code (for example, a buffer overflow), they can do anything with your computer if the service runs under the Local System account, which is equivalent to an administrator account. Thus, the less privileged the account your service runs under, the fewer privileges an attacker can gain.

0

The simplest scenario is when the service allows its users to execute some code on the command line. For example, MS SQL Server has a stored procedure that allows you to run a command-line command (for example, to run a program).

0
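The SQL Server feature the answer alludes to is the `xp_cmdshell` extended stored procedure, which is disabled by default. A practitioner's first check is therefore whether it has been switched on, and which Windows account the SQL Server service runs as, since that account bounds what any command launched through it can do. The script below is an added example, not code from the thread; it assumes the SqlServer PowerShell module (for `Invoke-Sqlcmd`) is installed and that the caller can connect to the instance named in `$instance`, which is a placeholder.

```powershell
# Added example (not from the original thread): check whether a SQL Server instance
# exposes OS command execution through xp_cmdshell, and which Windows account the
# instance service runs as. Requires the SqlServer module; "localhost" is a placeholder.
$instance = 'localhost'

# sys.configurations can be read without first enabling 'show advanced options',
# which sp_configure would require for this setting.
$query = @"
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell'
"@

$rows = Invoke-Sqlcmd -ServerInstance $instance -Query $query
foreach ($row in $rows) {
    $state = if ([int]$row.value_in_use -eq 0) {
        'disabled (default)'
    } else {
        'ENABLED - review who holds EXECUTE on it and why it is needed'
    }
    '{0,-14} configured={1} running={2} -> {3}' -f $row.name, $row.value, $row.value_in_use, $state
}

# Whatever xp_cmdshell launches runs as the SQL Server service account, so that account
# is the real limit on the damage. Default instance = MSSQLSERVER, named = MSSQL$NAME.
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'MSSQL%'" |
    Select-Object Name, State, StartName
```

If the service account shown is LocalSystem, an enabled `xp_cmdshell` turns every principal who can execute it into a full administrator of the host, which is exactly the combination the rest of this thread argues against.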
