context "NT AUTHORITY\"?

  • Question

  • What does the context "NT AUTHORITY\" (in the system accounts "NETWORK SERVICE", "LOCAL SERVICE", "LOCAL SYSTEM") tell a developer (a user of the corresponding accounts)?

    Other accounts have the context of the "local" %COMPUTERNAME% of domain %DOMAINNAME%
    What are the differences or distinguishing features for which "NT AUTHORITY\" was created above/aside, in addition to all other contexts?
    Why and how does it relate to other contexts?

    There are system accounts that have more mundane local or domain contexts.
    Why was this context added/separated from the others?

    Friday, September 10, 2010 4:32 AM

All replies

  • NT Authority\* are internal Windows accounts. From a developer's perspective only network service and local service should be used. Local System is provided for backward compatibility only as it has high rights that no application should ever require.

    However, a developer should "probably" always use a domain or local user account to run their application under. Then this user account would only be granted the minimum rights required to perform the actions of the application.

    Friday, September 10, 2010 5:01 AM
  • Local Service Account - NT AUTHORITY\LOCAL SERVICE

    The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised.

    Services that run as the Local Service account access network resources as a null session without credentials.

    Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services.

    Network Service Account - NT AUTHORITY\NETWORK SERVICE

    The Network Service account is a built-in account that has more access to resources and objects than members of the Users group.

    Services that run as the Network Service account access network resources by using the credentials of the computer account.

    Local System Account - NT AUTHORITY\SYSTEM

    Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. 

    Source:  Setting Up Windows Service Accounts


    Sivaprasad S http://sivasql.blogspot.com Please click the Mark as Answer button if a post solves your problem!
    Friday, September 10, 2010 6:12 AM
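
    An added example, not part of the thread or of the cited Microsoft article: a PowerShell audit that resolves the three well-known SIDs behind these accounts and groups the machine's services by the account they run as. It assumes PowerShell 3.0 or later (for Get-CimInstance) and that service configuration stores the account names in the forms listed in `$roles`; `Get-ServiceAccountRole` and `$roles` are hypothetical names used only here.

```powershell
# The three built-in service accounts have fixed, well-known SIDs under the
# NT AUTHORITY (S-1-5) identifier authority, identical on every Windows machine.
foreach ($sid in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') {
    $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $name = $id.Translate([System.Security.Principal.NTAccount]).Value
    '{0,-10} {1}' -f $sid, $name
}

# Account names as they appear in service configuration, with whitespace removed
# so that "NT AUTHORITY\LOCAL SERVICE" and "NT AUTHORITY\LocalService" both match.
# (Assumed spellings; hashtable literals compare keys case-insensitively.)
$roles = @{
    'LocalSystem'                = 'Local System'
    'NTAUTHORITY\SYSTEM'         = 'Local System'
    'NTAUTHORITY\LocalService'   = 'Local Service'
    'NTAUTHORITY\NetworkService' = 'Network Service'
}

function Get-ServiceAccountRole {
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'No logon account' }
    $key = $StartName -replace '\s', ''
    if ($roles.ContainsKey($key)) { return $roles[$key] }
    return 'Other account'
}

# Tag every installed service with the role of its logon account.
$report = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartName,
        @{ Name = 'Role'; Expression = { Get-ServiceAccountRole $_.StartName } }

# Summary: how many services run under each kind of account.
$report | Group-Object Role | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Review list: running services that hold Local System rights. Each is a
# candidate for Local Service, Network Service or a dedicated low-rights account.
$report | Where-Object { $_.Role -eq 'Local System' -and $_.State -eq 'Running' } |
    Sort-Object Name | Format-Table Name, StartName -AutoSize
```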
  • NT Authority\* are internal Windows accounts. From a developer's perspective only network service and local service should be used. Local System is provided for backward compatibility only as it has high rights that no application should ever require.

    However, a developer should "probably" always use a domain or local user account to run their application under. Then this user account would only be granted the minimum rights required to perform the actions of the application.


    What do you mean by "Local System is provided for backward compatibility"?

    I am an ASP.NET + MS SQL Server developer on Windows XP Pro SP3, and most system services/servers there are set up by default under "Local System" (aka SYSTEM),
    for example, IIS (inetinfo.exe) [1], without any configurable options during setup.
    Mostly I use IIS 5.1 and MS SQL Server 2008 R2 on the same machine,
    though sometimes I access them remotely on other workgroup and/or domain-joined developer machines with Windows XP Pro.

    Do you mean I should revamp and hack my Windows XP Pro?
    And how?


    Cited:
    [1]
    Chapter 10. Hacking IIS
    (from Hacking Exposed Windows Server 2003. The McGraw-Hill)
    http://techrepublic.com.com/i/tr/downloads/home/0072230614_chapter_10.pdf

     

    Sunday, September 12, 2010 9:25 AM
  • Are the LOCAL SYSTEM, LOCAL SERVICE and NETWORK SERVICE accounts stored within the local Security Accounts Manager (SAM) database?
    Or where?
    Sunday, September 12, 2010 10:46 AM
  • XP is coming to end of life. It is o/s - 2 (vista, w7). Current version of IIS is v7.

    XP is already out of mainstream support: http://support.microsoft.com/lifecycle/?p1=3223

    Sunday, September 12, 2010 11:04 AM
  • Network Service Account - NT AUTHORITY\NETWORK SERVICE

    The Network Service account is a built-in account that has more access to resources and objects than members of the Users group.

    Services that run as the Network Service account access network resources by using the credentials of the computer account.

    In the context of "Aaron Margosis. Machine SIDs and Domain SIDs" [1], which computer account:

    • local machine computer account
      ("Machine SID for computer DEMOSYSTEM", from first table in [1])?
    •  domain computer account
      ("BIGDOMAIN\DEMOSYSTEM$ (computer account" from 2nd table [1])? 
    • or third one?  which one?

    Is it the same context (of NT Authority service accounts) in workgroup Windows installations and in Windows installations after joining an AD (Active Directory) domain?

    [1]
    Aaron Margosis.
    Machine SIDs and Domain SIDs
    http://blogs.msdn.com/aaron_margosis/archive/2009/11/05/machine-sids-and-domain-sids.aspx

    RELATED QUESTION:
    [2]
    NT AUTHORUTY services context - AD NETWORK SERVICE vs. workgroup (non-domained) NetworkService
    My question in Windows Server Security forum 
    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5536e962-53de-4416-9076-d93cca137be3

     


    Wednesday, September 15, 2010 6:25 AM
  • XP is coming to end of life. It is o/s - 2 (vista, w7). Current version of IIS is v7.

    XP is already out of mainstream support: http://support.microsoft.com/lifecycle/?p1=3223


    Which question are you answering?
    Where have I mentioned XP in my original question? I just made the mistake of clarifying my specific temporary current situation. There is no point in hijacking the topic.

    Are there no "NT Authority" family accounts in Windows 7, 2003, 2008, Vista?

    OK, let's talk about what has changed in them from XP to Windows 7/2008.

    Wednesday, September 15, 2010 6:43 AM