locked
Are "Virtual Accounts" more secure than "Local Service" accounts? RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    I see that a lot of Windows services can be configured to use "Virtual Accounts" rather than the built-in "Local Service" account.

    Is the former more secure than the latter?

    Would is be a good idea, from a security perspective, to run services as "Virtual" rather than "Local"?

    Ed

    Tuesday, April 23, 2013 9:28 PM

Answers

  • Question
    Sign in to vote
    1
    Sign in to vote
    Hi,

    Thanks for posting in Microsoft TechNet forums.

    “Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:

    No password management is required.

    The ability to access the network with a computer identity in a domain environment.”

    The following article might be helpful to you:

    Service Accounts Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

    Regards

    Kevin
    • Marked as answer by 朱鸿文 Monday, May 6, 2013 4:26 AM
    Friday, April 26, 2013 2:55 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    yes, they are "more secure". When two processes run under the same identity, the two of them can mutually access their memory spaces, read and modify data segments, debug each other, stop and trace, modify their processor registry etc. For this reason, if you want to separate two processes, you must run them under different identities. You can always use domain user accounts. But such accounts fall under password policies, regular password changes etc. So if you use the "virtual" service identities, you don't need to bother with the management while still have the security separation.

    Note that although the service identities are separated locally, they are not distinguishable in the network. if any service is running under the NT SERVICE or IIS AppPool identity, they access network resource under their local computer account (SERVER08$) just like Network Service does.

    ondrej.

    • Marked as answer by 朱鸿文 Monday, May 6, 2013 4:26 AM
    Friday, April 26, 2013 7:20 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    In addition to Ondrej Sevecek: Virtual accounts have a SID on the local machine, which means that they can be assigned local permissions such as file system rights. This is used for example with IIS 7 web sites which by default run under separate virtual accounts. You can then assign permissions in the file system to prevent different web applications from accessing each others data.

    There are two hard things in computer science: cache invalidation, naming things, and off-by-one errors

    • Marked as answer by 朱鸿文 Monday, May 6, 2013 4:26 AM
    Friday, April 26, 2013 7:34 AM

All replies

  • Question
    Sign in to vote
    1
    Sign in to vote
    Hi,

    Thanks for posting in Microsoft TechNet forums.

    “Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:

    No password management is required.

    The ability to access the network with a computer identity in a domain environment.”

    The following article might be helpful to you:

    Service Accounts Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

    Regards

    Kevin
    • Marked as answer by 朱鸿文 Monday, May 6, 2013 4:26 AM
    Friday, April 26, 2013 2:55 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    yes, they are "more secure". When two processes run under the same identity, the two of them can mutually access their memory spaces, read and modify data segments, debug each other, stop and trace, modify their processor registry etc. For this reason, if you want to separate two processes, you must run them under different identities. You can always use domain user accounts. But such accounts fall under password policies, regular password changes etc. So if you use the "virtual" service identities, you don't need to bother with the management while still have the security separation.

    Note that although the service identities are separated locally, they are not distinguishable in the network. if any service is running under the NT SERVICE or IIS AppPool identity, they access network resource under their local computer account (SERVER08$) just like Network Service does.

    ondrej.

    • Marked as answer by 朱鸿文 Monday, May 6, 2013 4:26 AM
    Friday, April 26, 2013 7:20 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    In addition to Ondrej Sevecek: Virtual accounts have a SID on the local machine, which means that they can be assigned local permissions such as file system rights. This is used for example with IIS 7 web sites which by default run under separate virtual accounts. You can then assign permissions in the file system to prevent different web applications from accessing each others data.

    There are two hard things in computer science: cache invalidation, naming things, and off-by-one errors

    • Marked as answer by 朱鸿文 Monday, May 6, 2013 4:26 AM
    Friday, April 26, 2013 7:34 AM