Is it considered bad practice to run a service under a local admin account?


Problem description


I have a Windows service that watches the local file system and edits images. It runs under a Local Admin account. Is that risky? The machine is not online, but it is accessible by a domain that is.

What I have tried:

I tried running it as a Local Admin account. The IT department objected.

Solution

The IT department does not like it because local administration permissions allow your service to do anything, and they probably will not look at the code.

If your service has a single point of failure, the machine can be compromised.

What is the real need to have a Windows service with admin rights?


YES, it's bad practice. Normally you would create a user account for the service to run under and modify the account appropriately for your service's requirements and give it only the minimum permissions it needs to do its job.

This cuts down on the attack surface of your service and cuts down on the security risk should your service become compromised.

Your IT department is correct in denying you this access.
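
The approach described in the answers above, sketched in PowerShell as an added example that is not part of the original question or answers: it lists services that log on with an account in the local Administrators group, then moves one service to a dedicated account that can only modify the folder it watches. The service name, account name and folder path are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. All three names below are hypothetical placeholders.
$ServiceName = 'ImageWatcher'
$Account     = 'svc-imagewatcher'
$WatchDir    = 'D:\Images\Incoming'

# 1. Audit: services whose logon account is a direct member of the local
#    Administrators group (S-1-5-32-544). Nested domain groups are not expanded.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { ($_.Name -split '\\')[-1] }
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and (($_.StartName -split '\\')[-1] -in $admins) } |
    Select-Object Name, StartName, State

# 2. Create a dedicated local account. New-LocalUser adds it to no groups,
#    so it starts with no administrative rights.
$pw = Read-Host -AsSecureString "Password for $Account"
New-LocalUser -Name $Account -Password $pw -PasswordNeverExpires `
    -UserMayNotChangePassword -Description "Runs $ServiceName only" | Out-Null

# 3. Grant Modify on the watched folder only, inherited by files and subfolders.
icacls.exe $WatchDir /grant "${Account}:(OI)(CI)M"

# 4. Point the service at the new account. The account also needs the
#    "Log on as a service" right, granted through Local Security Policy or
#    Group Policy; without it the restart in step 5 fails with a logon error.
$plain  = [System.Net.NetworkCredential]::new('', $pw).Password
$result = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Invoke-CimMethod -MethodName Change -Arguments @{
        StartName = ".\$Account"; StartPassword = $plain }
if ($result.ReturnValue -ne 0) { throw "Change failed: $($result.ReturnValue)" }

# 5. Restart and confirm which account the service now runs under.
Restart-Service -Name $ServiceName
(Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
```

If the service then fails on some operation, grant that one specific permission to the service account rather than returning it to the Administrators group.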

