Best practices for service accounts to run local services on servers and machines

    Question

  • Folks:

    I am moving from Linux to Windows Server; however, I want to know the best practices for running local services. Is it better to run services as a domain user, or should I create local accounts to run services on my boxes (servers/desktops)?


    Thanks.

    Sunday, July 31, 2011 2:09 PM

Answers

All replies

  • Hello,

    this depends on your requirements. If the account should fulfill domain-wide operations, like backup, then you should create a domain user with only the permissions required to do the job.

    If this is a single machine requirement a local user can be enough.

    Starting with Windows Server 2008 R2 you can use the so-called managed service accounts:

    http://technet.microsoft.com/en-us/library/ff641731(WS.10).aspx
    http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, July 31, 2011 2:16 PM
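The managed service account route Meinolf links to, as an added PowerShell example (this is not code from the thread or from Microsoft's documentation). It creates a standalone MSA, binds it to a single computer, installs it on that host and points a service at it. The account name svc_myapp, the server SERVER01, the service MyAppSvc, the domain EXAMPLE and the OU path are assumed placeholders; the cmdlets are from the ActiveDirectory module (RSAT).

```powershell
# Added example, not from the thread: standalone managed service account (MSA, 2008 R2 and later).
# Assumed names: svc_myapp (account), SERVER01 (host), MyAppSvc (service), EXAMPLE (NetBIOS domain).
Import-Module ActiveDirectory

$msaName  = 'svc_myapp'
$hostName = 'SERVER01'
$service  = 'MyAppSvc'
$ou       = 'OU=Service Accounts,DC=example,DC=com'   # assumed OU

# 1. From an admin workstation: create the MSA. No human ever chooses or knows the password;
#    AD generates it and rotates it automatically, so "password never expires" workarounds
#    and the lockout-after-password-change problem described in the thread do not apply.
#    On a 2012 or later domain add -RestrictToSingleComputer to get a standalone MSA
#    instead of a group MSA.
New-ADServiceAccount -Name $msaName -Enabled $true -Path $ou

# 2. A standalone MSA is one-to-one with a computer: allow exactly this host to use it.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. On SERVER01 itself: install the account locally and verify the host can retrieve its password.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on this host"
}

# 4. Run the service as the MSA. The trailing '$' is part of the account name and the
#    password is left empty because Windows fetches it from AD. If the service then fails
#    to start with a logon failure, grant the MSA the "Log on as a service" user right
#    (the Services MMC grants it automatically; sc.exe does not).
sc.exe config $service obj= "EXAMPLE\${msaName}`$" password= ""
Restart-Service -Name $service
```

Because the password never leaves AD, the account cannot be reused interactively even by someone who can read the service configuration, which is the practical reason this is preferred over a dedicated domain user wherever the domain level allows it.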
  • I agree with Meinolf.  If this service is needed on only one system and the system will not interact with any other system on the domain, there is no need to run the service using a domain user account.  However, if the service will run on multiple systems, or you have a system that interacts with other domain systems (as in the case of backup), use a domain user account.



    anITKB Visit anITKB.com, an IT Knowledge Base.
    Sunday, July 31, 2011 2:37 PM
  • Just to add my bit, I think this can be summarized as the principle of least privilege:  give the service the minimum rights it needs to do its task.
    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
    Sunday, July 31, 2011 2:43 PM
  • Hello,

    like Meinolf said, the account to use for running services depends on the application / service used.

    What I recommend is using accounts with the minimum of privileges to run services / applications.

    Note that running services / applications with user accounts may cause lockout problems if the user's password is changed and the service / application is still running using the old password.



    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Sunday, July 31, 2011 2:51 PM
  • Mr X, this is a cause of dilemma for me.  I have many applications that need domain privileges to function correctly.  I am using an SBS domain, and it is a recommended practice to only have one domain administrator.

    So, I could create another account with domain admin privileges, with a password that won't expire, and use this for these various applications and services, but this would be bad security practice.  As a result, every time I have to change my domain admin password, I have to 'fix' everything that was relying on it.


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
    Sunday, July 31, 2011 4:04 PM
  • Hello Bigteddy,

    it is recommended to have only the minimum number of domain admins you need, but this can still be more than one.

    And you should NEVER use a domain admin account that is yours to run any kind of service. If the required privileges are so high that domain admin permissions are required, then you should create a dedicated account with a really long and strong password that will NEVER be used to log on.

    But you should always try to find the required permissions and user rights assignments, so that domain admin permissions are not needed. Also, if possible, you should apply the required permissions to a separate OU containing that machine only, so no other server is affected by special settings. Process Monitor is one tool that may help you to figure out permissions, and the application vendor should also provide you with details about this.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, July 31, 2011 4:13 PM
  • Yes, Meinolf, I thought it was a bit strange, having to fix things like the McAfee server (requires domain privileges to install apps on PCs) every few weeks!  Thanks for the tip!
    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
    Sunday, July 31, 2011 4:19 PM
  • Hello,

    McAfee does NOT require domain admin permissions to install the software; local admin is enough. Please see the 3 pages of the following thread from the McAfee forum: https://community.mcafee.com/thread/24435?start=0&tstart=0

    It also includes the link to this article: https://kc.mcafee.com/corporate/index?page=content&id=KB60351


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, July 31, 2011 4:32 PM
  • I read the thread, and it does address my situation.  I am using ePO to push-deploy AV clients, agents, and updates to these.  I see they say only local admin rights are required, but I can't seem to get to the second link you posted, nor from the thread itself.

    It doesn't make sense to me how a user without admin rights on the remote machine can install software on that machine.  The local admin on my McAfee server has no admin rights on the workstations that it controls.


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
    Sunday, July 31, 2011 4:52 PM
  • Hello,

    now I also cannot access the link anymore, strange.

    You can add the account that should become local admin, in your case the installation account, to the local machine Administrators group with Restricted Groups: http://www.frickelsoft.net/blog/?p=13

    If you still have problems please ask in the McAfee forum how to handle it.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, July 31, 2011 5:09 PM
  • What would be the easiest way to determine the level of permissions for an application, so I can delegate the correct permission levels? Is this more of a trial and error process?
    Monday, August 01, 2011 12:44 PM
  • My advice is also, when creating new service accounts, to save yourself some headache by naming them something that makes sense, like "SVC_MyApp". That way you can always spot it, know what that account does (it's a service account!), and if the account starts tossing errors it can help with troubleshooting; for example, you're looking in the event logs and see the message "SVC_MyApp has been locked out".
    -- :P Advice offered. If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
    Monday, August 01, 2011 1:06 PM
  • Managed service accounts are the best solution, but if that is not an option (domain not at W2k8 R2 functional level), I create a dedicated domain user account with only the permissions required. However, to avoid problems I need to set the flag for "Password never expires", then give the account a ridiculously long and complex password. I have not had problems with lockouts, but if I did I would not disable account lockouts. If someone attacks the account password, I want the account to be locked out.



    Richard Mueller - MVP Directory Services
    Monday, August 01, 2011 1:55 PM
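Richard's fallback for domains below the 2008 R2 level, and the "SVC_" naming convention from the post above it, as an added PowerShell example (not code from the thread): a dedicated domain user that holds a long random password which never expires and is never typed in by a person, granted one narrow group membership instead of Domain Admins, with account lockout left in force. The account name SVC_Backup, the OU, the group, the domain EXAMPLE and the service BackupSvc are assumed placeholders.

```powershell
# Added example, not from the thread: dedicated least-privilege domain user for a service.
# Assumed names: SVC_Backup (account), EXAMPLE (domain), BackupSvc (service on the host).
Import-Module ActiveDirectory

$name = 'SVC_Backup'                                  # SVC_ prefix: obvious in logs and lockout events
$ou   = 'OU=Service Accounts,DC=example,DC=com'       # assumed OU

# 64-hex-character password from a CSPRNG; nobody memorises it, it lives only in the
# password vault and in the service configuration. Hex avoids characters that the
# sc.exe argument parser could misread (for example a trailing '=').
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = -join ($bytes | ForEach-Object { $_.ToString('x2') })
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name $name -SamAccountName $name -Path $ou `
    -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Runs BackupSvc on SERVER01. Not for interactive logon.'

# Least privilege: a single purpose-built group rather than Domain Admins. Which group
# (or which explicit ACLs) is what Process Monitor and the vendor documentation tell you.
Add-ADGroupMember -Identity 'Backup Operators' -Members $name

# Deliberately nothing here disables lockout: a lockout on SVC_* is a signal worth alerting on.

# On the host: run the service under the account. Grant "Log on as a service" via
# User Rights Assignment (GPO) and deny "Log on locally" / "Allow log on through
# Remote Desktop Services" to the same account so the long password only ever starts services.
sc.exe config BackupSvc obj= "EXAMPLE\$name" password= $plain
Restart-Service -Name BackupSvc

# The clear-text password is no longer needed in this session.
Remove-Variable plain, secure
```

Scoping the user rights assignment to an OU that contains only the machine running the service is the GPO counterpart of Meinolf's advice above, so a mistake in the policy cannot spill over to other servers.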
  • Managed service accounts are the best solution, but if that is not an option (domain not at W2k8 R2 functional level), I create a dedicated domain user account with only the permissions required. However, to avoid problems I need to set the flag for "Password never expires", then give the account a ridiculously long and complex password. I have not had problems with lockouts, but if I did I would not disable account lockouts. If someone attacks the account password, I want the account to be locked out.



    Richard Mueller - MVP Directory Services

    Is there an automated tool from Microsoft that will email you or inform you that an account has been locked out?
    Monday, August 01, 2011 8:15 PM
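The lockout alerting asked about in the last post, as an added PowerShell example (not code from the thread, and not a Microsoft tool): every lockout in the domain is recorded as Security event 4740 ("A user account was locked out") on the PDC emulator, so polling that log for SVC_* accounts and mailing a summary gives the notification the poster wants. The SMTP server and addresses are assumed placeholders; the script is meant to run hourly from Task Scheduler under an account that can read the PDC's Security log.

```powershell
# Added example, not from the thread: alert on locked-out service accounts (SVC_*).
# Assumed placeholders: smtp.example.com and the mail addresses.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator        # the DC that sees every lockout in the domain
$since = (Get-Date).AddHours(-1)           # match the scheduled-task interval

# Event 4740 = "A user account was locked out". No events is not an error for us.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than relying on positional
    # Properties[] indices.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ($d['TargetUserName'] -like 'SVC_*') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $d['TargetUserName']
            Source  = $d['TargetDomainName']   # in 4740 this field carries the caller computer name
        }
    }
}

if ($hits) {
    $body = $hits | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'alerts@example.com' `
        -To 'admins@example.com' -Subject "Service account lockouts since $since" -Body $body
}
```

The "Source" column is what makes this more than a notification: a service account locked out from the host it is supposed to run on usually means a stale password in the service configuration (the problem described earlier in the thread), while a lockout from any other machine is the attack scenario Richard wants the lockout policy to catch.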