I have written a .NET Windows service which runs as "Local System". Recently I read that running as Local System might expose system credentials to hackers, enabling them to take over the system. What are the risks involved, and how can I prevent them when I run the service as Local System?
The Local Service principal is tailored to services that only access local resources and don't need access to other network resources. The Network Service account, on the other hand, is tailored to services or applications that do need access to network resources.
When a service runs under the LocalSystem account on a computer that is a domain member, the service has whatever network access is granted to the computer account, or to any groups of which the computer account is a member.
The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network.
The main difference between the Administrator and SYSTEM is that Administrator is an actual account (for example, it has a password) whereas SYSTEM is not. (Properly speaking, SYSTEM is a "security principal".)
Services running as LocalSystem are part of the system's trusted space. Technically speaking, they have the SeTcbName privilege. This means, inter alia, that such services can alter any security settings, grant themselves any privileges, and generally do anything Windows can do.

As a result, any flaw in your service — unsanitized input passed to system functions, bad dll search paths, buffer overruns, whatever — becomes a critical security hole. This is why no system administrator in an enterprise environment will permit your service to be installed if it runs under LocalSystem. Use the LocalService and NetworkService accounts.
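The advice above (move the service off LocalSystem to LocalService or NetworkService) as a worked example. This is an added PowerShell script, not code from the question or the answer: it inventories which services on the host run as LocalSystem, moves one of them to a built-in low-privilege account with `sc.exe config`, trims the privileges the Service Control Manager hands the process at start with `sc.exe privs`, and verifies the result. The service name `MyDotNetService`, the data directory path in the `icacls` comment, and the choice of `SeChangeNotifyPrivilege` as the only required privilege are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example (not from the original page): audit LocalSystem services and
# reconfigure one to run as a built-in low-privilege account.
# Assumptions: the service is called "MyDotNetService" and it needs no
# privilege beyond SeChangeNotifyPrivilege. Adjust both for a real service.
param(
    [string]$ServiceName = "MyDotNetService",
    [ValidateSet("NT AUTHORITY\LocalService", "NT AUTHORITY\NetworkService")]
    [string]$TargetAccount = "NT AUTHORITY\LocalService"
)

# 1. Inventory: Win32_Service.StartName is the logon account the SCM uses.
#    Everything listed here carries the full LocalSystem token.
$systemServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    Select-Object Name, DisplayName, PathName, State
$systemServices | Format-Table -AutoSize

# 2. Look up the service we own and report its current account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"{0} currently runs as: {1}" -f $svc.Name, $svc.StartName

# 3. Reconfigure. sc.exe requires the space after 'obj='; the built-in
#    accounts need no password, so no credential is supplied.
if ($svc.StartName -eq 'LocalSystem') {
    sc.exe config $ServiceName obj= $TargetAccount
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed, exit code $LASTEXITCODE" }

    # LocalService/NetworkService cannot read everything LocalSystem could.
    # Grant the new account only the resources the service actually uses,
    # e.g. its own data directory (path is an assumption for this example):
    # icacls "C:\ProgramData\MyDotNetService" /grant "NT AUTHORITY\LocalService:(OI)(CI)M"
}

# 4. Least privilege inside the new account: declare the privileges the
#    service process needs, so the SCM strips the rest from its token.
#    SeChangeNotifyPrivilege is the usual minimum; extend only if the
#    service fails without a specific one.
sc.exe privs $ServiceName SeChangeNotifyPrivilege
if ($LASTEXITCODE -ne 0) { throw "sc.exe privs failed, exit code $LASTEXITCODE" }

# 5. Restart and verify both the account and the declared privileges.
Restart-Service -Name $ServiceName
$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
"{0} now runs as: {1}" -f $after.Name, $after.StartName
sc.exe qprivs $ServiceName
```

For a .NET service installed through a `ServiceProcessInstaller`, the equivalent of step 3 at install time is setting `Account = ServiceAccount.LocalService` (or `NetworkService`) on the installer instead of `ServiceAccount.LocalSystem`. Pick NetworkService only if the service genuinely needs to authenticate to other machines as the computer account; LocalService presents anonymous credentials on the network, which is the safer default.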