Discussion:
local admin security question
Jeff Pigott
2005-04-05 21:26:10 UTC
Can anyone suggest whether to use Local Admin service as a Windows service
account for our .NET ADO application or create a user with Admin privileges
to use for this account?

Is one better than the other?

Thanks,

Jeff
Joe Kaplan (MVP - ADSI)
2005-04-05 22:05:26 UTC
If you are concerned about security, then it is probably best to avoid using
an account that has admin privileges at all. Does your app absolutely
require that?

The question of local account vs. domain account depends on whether the
service needs to access domain resources on the network.

If you really need admin privileges and only need a local machine account,
then creating a different user is probably a good idea because then you can
change the regular administrator password easily without breaking your
service.

Joe K.
Jeff Pigott
2005-04-05 22:15:07 UTC
Our app doesn't require it, we are just having problems with Systems that do
not use English on the initial install during the Windows 2003 Server
install. They install it as Spanish, and our Windows Service needs to use a
regional setting of English. So we found out we need to use a user account
vs. a "local admin" account. Are there any whitepapers on locking a user
account down just to a Windows Service?
Joe Kaplan (MVP - ADSI)
2005-04-06 00:53:02 UTC
If you are deploying to 2003, why not try using the NETWORK SERVICE account?
It is essentially a local user in terms of permissions, but uses the
computer's account for network credentials. If you don't need network
credentials, you can use LOCAL SERVICE.

If there is an internationalization issue related to the names of these
accounts, it seems like using the SIDs to reference them would be the way to
go. However, I know very little about MSI or internationalization, so I
can't help too much with any details there.

Joe K.
Jeff Pigott
2005-04-06 02:19:06 UTC
We are using the service mainly for .NET remoting clients to connect to,
without using any Windows authentication. Is there a way to set a Region
Language to the Network Service, or will it also use the same as the Local
System Account?
Thanks for your input.

Jeff
Joe Kaplan (MVP - ADSI)
2005-04-06 03:02:07 UTC
Are you using the ServiceProcessInstaller to deploy the service? If so, you
should be able to use ServiceAccount.NetworkService or
ServiceAccount.LocalService to deploy on any language version. Otherwise,
I'm not sure what you are talking about. :)

Joe K.
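The deployment Joe Kaplan describes, as an added example that is not code from the thread: an installer that selects the built-in account through the `ServiceAccount` enum, plus a helper that resolves the well-known SIDs to their localized names. The class names and the service name `RemotingHost` are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Security.Principal;
using System.ServiceProcess;

// Registers the service under a built-in low-privilege account.
[RunInstaller(true)]
public class RemotingHostInstaller : Installer   // hypothetical name
{
    public RemotingHostInstaller()
    {
        var process = new ServiceProcessInstaller
        {
            // Enum, not a typed account name: identical on any OS language,
            // and no password is stored for the service.
            Account = ServiceAccount.NetworkService
        };
        var service = new ServiceInstaller
        {
            ServiceName = "RemotingHost",   // hypothetical service name
            StartType = ServiceStartMode.Automatic
        };
        Installers.Add(process);
        Installers.Add(service);
    }
}

public static class BuiltInAccounts
{
    // Resolves a well-known SID to the account's display name on this OS
    // language, for tools or ACL code that need a name instead of an enum.
    public static string LocalizedName(WellKnownSidType type)
    {
        var sid = new SecurityIdentifier(type, null);
        return sid.Translate(typeof(NTAccount)).Value;
    }

    public static void Main()
    {
        // S-1-5-20 (NETWORK SERVICE) and S-1-5-19 (LOCAL SERVICE) are fixed SIDs.
        Console.WriteLine(LocalizedName(WellKnownSidType.NetworkServiceSid));
        Console.WriteLine(LocalizedName(WellKnownSidType.LocalServiceSid));
    }
}
```

Swap in `ServiceAccount.LocalService` when the service needs no network credentials; grant the chosen account access only to the files and registry keys the service actually uses.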
Nicole Calinoiu
2005-04-06 11:17:05 UTC
Post by Jeff Pigott
Our app doesn't require it, we are just having problems with Systems that
do not use English on the initial install during the Windows 2003 Server
install. They install it as Spanish, and our Windows Service needs to use a
regional setting of English.
Why? What problems are being caused by the Spanish settings (e.g.:
exceptions, formatting anomalies, etc.)?
Post by Jeff Pigott
So we found out we need to use a user account vs. a "local admin" account.
Under what account was your service previously set to run? Have you
confirmed that changing the account actually resolves your problems, or is
the account change an untested possible solution?
Jeff Pigott
2005-04-06 14:37:49 UTC
It appears that our Service is looking for US standards for date formats and
currency. When the server is configured as Spanish-Mexico in Regional
Settings and the service is started under LocalAdmin service, our app
doesn't work, but when we found that we were able to make a user account
with the US Regional settings and start the service with this account all is
well.

Is there a way in code to set the regional setting to US for the "service"
so it wouldn't matter what Regional settings were installed on the server?
That would be great.

Thanks,

Jeff
Nicole Calinoiu
2005-04-06 17:14:40 UTC
Post by Jeff Pigott
It appears that our Service is looking for US standards for date formats
and currency.
Can you not override this using the Thread.CurrentCulture property? If not,
is the code with the problem your own code or something in the service
"plumbing"?
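The `Thread.CurrentCulture` override Nicole Calinoiu suggests, as an added example that is not code from the thread: pinning the culture in code removes the dependency on the service account's profile, so the service can stay on NETWORK SERVICE or LOCAL SERVICE instead of a dedicated user. The class and method names and the sample date are assumptions.

```csharp
using System;
using System.Globalization;
using System.Threading;

public static class CulturePinningDemo   // hypothetical name
{
    static readonly CultureInfo EnUs = CultureInfo.GetCultureInfo("en-US");

    // Culture is per thread: call this at the top of every thread the service
    // runs code on (OnStart worker, timer callbacks, remoting-invoked methods).
    // On .NET 4.5+ CultureInfo.DefaultThreadCurrentCulture sets it for new threads.
    public static void PinCurrentThread()
    {
        Thread.CurrentThread.CurrentCulture = EnUs;
        Thread.CurrentThread.CurrentUICulture = EnUs;
    }

    // Preferred for data: pass the culture explicitly so parsing never
    // depends on thread state or on the account's regional settings.
    public static DateTime ParseUsDate(string text)
    {
        return DateTime.Parse(text, EnUs);
    }

    public static void Main()
    {
        const string sample = "4/5/2005";   // constructed input
        string iso = "yyyy-MM-dd";

        // Simulate an account profile set to Spanish (Mexico), which reads
        // the sample day-first and formats currency differently.
        Thread.CurrentThread.CurrentCulture = CultureInfo.GetCultureInfo("es-MX");
        Console.WriteLine(DateTime.Parse(sample).ToString(iso, CultureInfo.InvariantCulture));
        Console.WriteLine(1234.5m.ToString("C"));

        // After pinning, implicit and explicit parsing agree on month-first.
        PinCurrentThread();
        Console.WriteLine(DateTime.Parse(sample).ToString(iso, CultureInfo.InvariantCulture));
        Console.WriteLine(ParseUsDate(sample).ToString(iso, CultureInfo.InvariantCulture));
        Console.WriteLine(1234.5m.ToString("C"));
    }
}
```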