Virtual Service Account without Network Access, like NT AUTHORITY\LocalService
Question
Background: I'm writing a service and want to give it as few privileges as necessary.
Virtual Accounts (sometimes "Virtual Service Accounts") are a sparsely documented feature new to Windows 7/2008R2: automatically managed accounts for services that need minimal privileges but access the network with a computer identity in a domain environment.
My service doesn't need network access, so I'm using LocalService, but I don't like the fact that if I grant access to a file/etc. I am granting access to all services running as that account.
Is there a least privileged account I can use?
Recommended answer
You don't need to change the account the service runs under; LocalService is fine.
Instead, configure the service to have a non-zero SID type, i.e., specify either SERVICE_SID_TYPE_UNRESTRICTED or SERVICE_SID_TYPE_RESTRICTED. You can do this using the ChangeServiceConfig2() function and the SERVICE_CONFIG_SERVICE_SID_INFO option.
You can then grant access to files and other protected resources using the service SID, whose name is NT SERVICE\myservice, rather than LocalService. This will grant access to only your service. (Well, and any other services sharing the same process, but most third-party services run in their own process.)
For least privilege, use SERVICE_SID_TYPE_RESTRICTED. This means that the service can only access protected objects that explicitly grant access to either Everyone, the service SID, the logon session SID, or WRITE_RESTRICTED. You should also use the SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO option to reduce the privileges granted to the service; many services do not need any privileges at all. (In that case, you may find that you need to specify SE_CHANGE_NOTIFY_NAME rather than an empty list, though I might be misremembering.)
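The configuration the answer describes, written out as an added example (this is not the answerer's code): it sets the service SID type to SERVICE_SID_TYPE_RESTRICTED and trims the required privileges to SeChangeNotifyPrivilege (the value of SE_CHANGE_NOTIFY_NAME) through ChangeServiceConfig2(). The service name "myservice" is a placeholder. The Win32 calls are compiled only on Windows and must run elevated; the multi-string builder is portable, because SERVICE_REQUIRED_PRIVILEGES_INFO expects a double-NUL-terminated REG_MULTI_SZ buffer and handing it a plain C string is an easy mistake.

```c
/*
 * Added example, not code from the original answer: apply the least-privilege
 * service configuration it describes with ChangeServiceConfig2().
 *   SERVICE_CONFIG_SERVICE_SID_INFO         -> SERVICE_SID_TYPE_RESTRICTED
 *   SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO -> SeChangeNotifyPrivilege only
 * "myservice" is a placeholder service name.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Build a REG_MULTI_SZ style buffer ("name1\0name2\0\0") from C strings.
 * Returns a malloc'd buffer; *out_size receives the total size in bytes,
 * both terminators included. An empty list still yields "\0\0". */
static char *build_multisz(const char *const *names, size_t count, size_t *out_size)
{
    size_t size = 1;                       /* the final, second terminator */
    size_t i, pos = 0;
    char *buf;

    for (i = 0; i < count; i++)
        size += strlen(names[i]) + 1;      /* each string plus its own NUL */
    if (count == 0)
        size = 2;

    buf = calloc(size, 1);                 /* zero-filled: terminators are free */
    if (buf == NULL)
        return NULL;
    for (i = 0; i < count; i++) {
        size_t n = strlen(names[i]) + 1;
        memcpy(buf + pos, names[i], n);
        pos += n;
    }
    *out_size = size;
    return buf;
}

/* Count the strings in a multi-sz buffer (a cheap sanity check). */
static size_t multisz_count(const char *multisz)
{
    size_t count = 0;
    while (*multisz != '\0') {
        count++;
        multisz += strlen(multisz) + 1;
    }
    return count;
}

#ifdef _WIN32
/* Set the restricted service SID type and the given privilege list on
 * service_name. Returns 0 on success, otherwise the Win32 error code. */
static DWORD harden_service(const char *service_name, const char *privs_multisz)
{
    SERVICE_SID_INFO sid_info;
    SERVICE_REQUIRED_PRIVILEGES_INFOA priv_info;
    DWORD err = 0;
    SC_HANDLE scm, svc;

    scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
    if (scm == NULL)
        return GetLastError();
    svc = OpenServiceA(scm, service_name, SERVICE_CHANGE_CONFIG);
    if (svc == NULL) {
        err = GetLastError();
        CloseServiceHandle(scm);
        return err;
    }

    /* Restricted SID: an object must grant Everyone, the service SID, the
     * logon session SID or WRITE_RESTRICTED for the service to get access. */
    sid_info.dwServiceSidType = SERVICE_SID_TYPE_RESTRICTED;
    if (!ChangeServiceConfig2A(svc, SERVICE_CONFIG_SERVICE_SID_INFO, &sid_info))
        err = GetLastError();

    /* Trim the service token's privileges to the supplied multi-sz list. */
    priv_info.pmszRequiredPrivileges = (LPSTR)privs_multisz;
    if (err == 0 &&
        !ChangeServiceConfig2A(svc, SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO, &priv_info))
        err = GetLastError();

    CloseServiceHandle(svc);
    CloseServiceHandle(scm);
    return err;
}
#endif

int main(void)
{
    /* Keep SeChangeNotifyPrivilege (SE_CHANGE_NOTIFY_NAME) rather than an
     * empty list, as the answer suggests may be required. */
    const char *privs[] = { "SeChangeNotifyPrivilege" };
    size_t size;
    char *multisz = build_multisz(privs, 1, &size);
    if (multisz == NULL)
        return 1;
    printf("multi-sz holds %zu privilege(s), %zu bytes\n", multisz_count(multisz), size);
#ifdef _WIN32
    {
        DWORD err = harden_service("myservice", multisz);   /* placeholder name */
        if (err != 0)
            fprintf(stderr, "ChangeServiceConfig2 failed: %lu\n", (unsigned long)err);
    }
#endif
    free(multisz);
    return 0;
}
```

Both settings take effect the next time the service starts. Once the SID type is set, the service SID can be used in ACLs by name, e.g. `icacls <path> /grant "NT SERVICE\myservice:(M)"`, and the result can be checked with `sc.exe qsidtype myservice` and `sc.exe qprivs myservice`.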