Virtual Service Account without Network Access, like NT AUTHORITY\LocalService


Question

Background: I'm writing a service and want to give it as few privileges as necessary.

Virtual Accounts (sometimes "Virtual Service Accounts") are a sparsely documented feature new to Windows 7/2008R2: automatically managed accounts for services that need minimal privileges but access the network with a computer identity in a domain environment.

My service doesn't need network access, so I'm using LocalService, but I don't like the fact that if I grant access to a file/etc. I'm granting access to all services running as that account.

Is there a least privileged account I can use?

Recommended answer

You don't need to change the account the service runs under; LocalService is fine.

Instead, configure the service to have a non-zero SID type, i.e., specify either SERVICE_SID_TYPE_UNRESTRICTED or SERVICE_SID_TYPE_RESTRICTED. You can do this using the ChangeServiceConfig2() function and the SERVICE_CONFIG_SERVICE_SID_INFO option.

You can then grant access to files and other protected resources using the service SID, whose name is NT SERVICE\myservice, rather than LocalService. This will grant access to only your service. (Well, and any other services sharing the same process, but most third-party services run in their own process.)

For least privilege, use SERVICE_SID_TYPE_RESTRICTED. This means that the service can only access protected objects that explicitly grant access to either Everyone, the service SID, the logon session SID, or WRITE_RESTRICTED. You should also use the SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO option to reduce the privileges granted to the service; many services do not need any privileges at all. (In that case, you may find that you need to specify SE_CHANGE_NOTIFY_NAME rather than an empty list, though I might be misremembering.)
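The configuration the answer describes, as an added example that is not part of the question or answer: sc.exe sets the same SERVICE_CONFIG_SERVICE_SID_INFO and SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO options that ChangeServiceConfig2() exposes, and icacls grants a directory to the service SID instead of to LocalService. The service name "myservice" and the directory path are assumptions; the service is assumed to be installed already and the prompt elevated.

```powershell
# Added example, not code from the original page. Locks an existing service
# down to a restricted service SID and a minimal privilege list, then scopes
# a data directory to that SID rather than to the shared LocalService account.
# Run from an elevated prompt; the SID type and privilege list take effect on
# the service's next start, which is why it is restarted at the end.
$ServiceName = 'myservice'                   # assumption: installed service name
$DataDir     = 'C:\ProgramData\MyService'    # assumption: directory the service needs

# 1. SERVICE_CONFIG_SERVICE_SID_INFO -> SERVICE_SID_TYPE_RESTRICTED.
#    Use 'unrestricted' instead if the service must reach objects that only
#    grant access to LocalService or to the logon session.
sc.exe sidtype $ServiceName restricted
if ($LASTEXITCODE -ne 0) { throw "sc sidtype failed with $LASTEXITCODE" }

# 2. SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO -> only SeChangeNotifyPrivilege
#    (SE_CHANGE_NOTIFY_NAME, the one privilege the answer says you may still
#    need). Add further privileges separated by '/' only if the service uses them.
sc.exe privs $ServiceName SeChangeNotifyPrivilege
if ($LASTEXITCODE -ne 0) { throw "sc privs failed with $LASTEXITCODE" }

# 3. Grant the directory to the service SID (NT SERVICE\<name>), not to
#    LocalService. With a restricted SID type the ACE must name the service
#    SID, Everyone, or WRITE_RESTRICTED for the access check to pass, so an
#    ACE for LocalService alone would no longer be enough.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
icacls $DataDir /inheritance:r `
    /grant:r "NT SERVICE\${ServiceName}:(OI)(CI)M" `
    /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
    /grant:r "BUILTIN\Administrators:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with $LASTEXITCODE" }

# 4. Verify what the SCM stored, restart so the token is rebuilt, and show
#    the resulting ACL: only the service SID, SYSTEM and Administrators remain.
sc.exe qsidtype $ServiceName
sc.exe qprivs $ServiceName
Restart-Service -Name $ServiceName
(Get-Acl -Path $DataDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Other services running as LocalService in their own processes get no ACE from this, which is the isolation the question asks for; if the service fails to start afterwards, compare the output of `sc.exe qprivs` against the privileges the service actually calls for.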
