The difference between the 'Local System' account and the 'Network Service' account?


Problem description

I have written a Windows service that spawns a separate process. This process creates a COM object. If the service runs under the 'Local System' account everything works fine, but if the service runs under the 'Network Service' account, the external process starts up but it fails to create the COM object. The error returned from the COM object creation is not a standard COM error (I think it's specific to the COM object being created).

So, how do I determine how the two accounts, 'Local System' and 'Network Service' differ? These built-in accounts seem very mysterious and nobody seems to know much about them.

Recommended answer

Since there is so much confusion about functionality of standard service accounts, I'll try to give a quick run down.

First, the actual accounts:

LocalService account (preferred)

A limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service it accesses the network as an Anonymous user.

  • Name: NT AUTHORITY\LocalService
  • the account has no password (any password information you provide is ignored)
  • HKCU represents the LocalService user account
  • has minimal privileges on the local computer
  • presents anonymous credentials on the network
  • SID: S-1-5-19
  • has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-19)

 

NetworkService account

Limited service account that is meant to run standard privileged services. This account is far more limited than Local System (or even Administrator) but still has the right to access the network as the machine (see caveat above).

  • Name: NT AUTHORITY\NetworkService
  • the account has no password (any password information you provide is ignored)
  • HKCU represents the NetworkService user account
  • has minimal privileges on the local computer
  • presents the computer's credentials (e.g. MANGO$) to remote servers
  • SID: S-1-5-20
  • has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-20)
  • If trying to schedule a task using it, enter NETWORK SERVICE into the Select User or Group dialog

 

LocalSystem account (dangerous, do not use!)

Completely trusted account, more so than the administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something)

  • Name: .\LocalSystem (can also use LocalSystem or ComputerName\LocalSystem)
  • the account has no password (any password information you provide is ignored)
  • SID: S-1-5-18
  • does not have any profile of its own (HKCU represents the default user)
  • has extensive privileges on the local computer
  • presents the computer's credentials (e.g. MANGO$) to remote servers

 

Above, when talking about accessing the network, this refers solely to SPNEGO (Negotiate), NTLM and Kerberos and not to any other authentication mechanism. For example, processes running as LocalService can still access the internet.

The general issue with running as a standard out of the box account is that if you modify any of the default permissions you're expanding the set of things everything running as that account can do. So if you grant DBO to a database, not only can your service running as Local Service or Network Service access that database but everything else running as those accounts can too. If every developer does this the computer will have a service account that has permissions to do practically anything (more specifically the superset of all of the different additional privileges granted to that account).

It is always preferable from a security perspective to run as your own service account that has precisely the permissions you need to do what your service does and nothing else. However, the cost of this approach is setting up your service account, and managing the password. It's a balancing act that each application needs to manage.

In your specific case, the issue that you are probably seeing is that the DCOM or COM+ activation is limited to a given set of accounts. In Windows XP SP2, Windows Server 2003, and above the Activation permission was restricted significantly. You should use the Component Services MMC snap-in to examine your specific COM object and see the activation permissions. If you're not accessing anything on the network as the machine account you should seriously consider using Local Service (not Local System, which is basically the operating system).

In Windows Server 2003 you cannot run a scheduled task as

  • NT AUTHORITY\LocalService (aka the Local Service account), or
  • NT AUTHORITY\NetworkService (aka the Network Service account).

That capability was only added with Task Scheduler 2.0, which only exists in Windows Vista/Windows Server 2008 and newer.

A service running as NetworkService presents the machine credentials on the network. This means that if your computer was called mango, it would present as the machine account MANGO$:
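An added example, not part of the original question or any of the answers: a PowerShell script that puts the answer's advice to work on a box where a service fails under NETWORK SERVICE. It lists which installed services share each built-in logon account (so you can see what a permission grant to LocalService or NetworkService would really extend to), resolves the three well-known SIDs the answer quotes, and decodes the DCOM LaunchPermission ACL of the failing COM server, falling back to the machine-wide DefaultLaunchPermission as DCOM itself does, to report whether LocalSystem, LocalService and NetworkService hold local activation. The COM_RIGHTS_* bit values are the Windows SDK constants; the CLSID at the bottom is a placeholder, the group-membership expansion is an approximation (only the well-known groups every service identity carries), and the script assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows.

```powershell
# Added example, not part of the original answer. Requires an elevated Windows PowerShell 5.1
# or PowerShell 7 session on Windows. $Clsid at the bottom is a placeholder GUID.

# COM_RIGHTS_* access-mask bits used in DCOM LaunchPermission descriptors (Windows SDK values).
$ComRights = @{
    Execute        = 0x01   # on its own (legacy ACE) it grants every launch/activation right
    ExecuteLocal   = 0x02
    ExecuteRemote  = 0x04
    ActivateLocal  = 0x08
    ActivateRemote = 0x10
}

function Resolve-AccountName {
    # Translate a SID string into the name the SCM and ACL editors display
    # (S-1-5-18 resolves to NT AUTHORITY\SYSTEM, S-1-5-19/20 to LOCAL/NETWORK SERVICE).
    param([Parameter(Mandatory)][string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # orphaned or app-specific SID: keep the raw string
}

function Get-ServicesByAccount {
    # Group installed services by logon account. Any right you add to LocalService or
    # NetworkService is inherited by every service listed under that account.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName } |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
                      @{ n = 'Services'; e = { ($_.Group.Name | Sort-Object) -join ', ' } }
}

function Get-AppIdForClsid {
    # A COM class takes its DCOM settings from the AppID named in its CLSID key.
    param([Parameter(Mandatory)][string]$Clsid)
    $appId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction Stop).AppID
    if (-not $appId) { throw "CLSID $Clsid has no AppID; an in-process server is not subject to DCOM launch permissions." }
    $appId
}

function Get-DcomLaunchAcl {
    # Decode LaunchPermission for an AppID. When the AppID carries no explicit ACL, DCOM
    # uses the machine-wide DefaultLaunchPermission, so fall back to it the same way.
    param([Parameter(Mandatory)][string]$AppId)
    $source = "AppID $AppId"
    $bytes  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" `
                -Name LaunchPermission -ErrorAction SilentlyContinue).LaunchPermission
    if (-not $bytes) {
        $source = 'HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission'
        $bytes  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' `
                    -Name DefaultLaunchPermission -ErrorAction Stop).DefaultLaunchPermission
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }   # skip custom ACEs
        $mask   = [int]$ace.AccessMask
        $legacy = (($mask -band 0x01) -ne 0) -and (($mask -band 0x1E) -eq 0)
        [pscustomobject]@{
            Source         = $source
            Type           = $ace.AceType.ToString()   # AccessAllowed / AccessDenied
            Principal      = Resolve-AccountName $ace.SecurityIdentifier.Value
            Sid            = $ace.SecurityIdentifier.Value
            LocalLaunch    = $legacy -or (($mask -band $ComRights.ExecuteLocal)   -ne 0)
            LocalActivate  = $legacy -or (($mask -band $ComRights.ActivateLocal)  -ne 0)
            RemoteActivate = $legacy -or (($mask -band $ComRights.ActivateRemote) -ne 0)
        }
    }
}

function Test-DcomLocalActivation {
    # Is local activation granted to the given SID? Deny ACEs win over allow ACEs.
    # Membership is approximated with the well-known groups every service identity
    # carries; custom groups the account was added to are not expanded.
    param([Parameter(Mandatory)][string]$AppId,
          [string]$Sid = 'S-1-5-20')    # default: NT AUTHORITY\NETWORK SERVICE
    $memberOf = @($Sid, 'S-1-1-0', 'S-1-5-11')              # self, Everyone, Authenticated Users
    if ($Sid -in 'S-1-5-19', 'S-1-5-20') { $memberOf += 'S-1-5-6' }   # SERVICE group
    $aces = @(Get-DcomLaunchAcl -AppId $AppId | Where-Object { $_.Sid -in $memberOf })
    if ($aces | Where-Object { $_.Type -eq 'AccessDenied' -and $_.LocalActivate }) { return $false }
    [bool]($aces | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.LocalActivate })
}

# Usage. Replace the placeholder CLSID with that of the object that fails to create.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
Get-ServicesByAccount | Format-Table -AutoSize -Wrap
try {
    $appId = Get-AppIdForClsid -Clsid $Clsid
    Get-DcomLaunchAcl -AppId $appId | Format-Table -AutoSize
    foreach ($sid in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') {
        '{0,-34} local activation: {1}' -f (Resolve-AccountName $sid), (Test-DcomLocalActivation -AppId $appId -Sid $sid)
    }
} catch { Write-Warning "DCOM check failed for $Clsid : $_" }
```

If Get-AppIdForClsid throws because the CLSID has no AppID, the object is an in-process server that is loaded into the calling process without any DCOM activation check, so the failure lies in the object itself (or in what it touches under the service's token) rather than in the permissions dcomcnfg shows. When the ACL does turn out to exclude the account, fix it on that one AppID in Component Services instead of widening DefaultLaunchPermission, which is exactly the "every developer grants a bit more to the shared account" drift the answer warns about. To move a service off LocalSystem, `sc.exe config <ServiceName> obj= "NT AUTHORITY\LocalService"` (note the space after `obj=`) changes the logon account; restart the service afterwards.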

