Are "Virtual Accounts" more secure than "Local Service" accounts?

    Question

  • I see that a lot of Windows services can be configured to use "Virtual Accounts" rather than the built-in "Local Service" account.

    Is the former more secure than the latter?

    Would it be a good idea, from a security perspective, to run services as "Virtual" rather than "Local"?

    Ed

    Tuesday, April 23, 2013 9:28 PM

Answers

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    “Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:

    No password management is required.

    The ability to access the network with a computer identity in a domain environment.”

    The following article might be helpful to you:

    Service Accounts Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

    Regards

    Kevin
    Friday, April 26, 2013 2:55 AM
  • Yes, they are "more secure". When two processes run under the same identity, the two of them can mutually access their memory spaces, read and modify data segments, debug each other, stop and trace, modify their processor registers etc. For this reason, if you want to separate two processes, you must run them under different identities. You can always use domain user accounts. But such accounts fall under password policies, regular password changes etc. So if you use the "virtual" service identities, you don't need to bother with the management while still having the security separation.

    Note that although the service identities are separated locally, they are not distinguishable in the network. If any service is running under the NT SERVICE or IIS AppPool identity, they access network resources under their local computer account (SERVER08$) just like Network Service does.

    ondrej.

    Friday, April 26, 2013 7:20 AM
  • In addition to Ondrej Sevecek: Virtual accounts have a SID on the local machine, which means that they can be assigned local permissions such as file system rights. This is used for example with IIS 7 web sites which by default run under separate virtual accounts. You can then assign permissions in the file system to prevent different web applications from accessing each other's data.

    There are two hard things in computer science: cache invalidation, naming things, and off-by-one errors

    Friday, April 26, 2013 7:34 AM
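As an added example (not from the thread above), the PowerShell below puts the separation described in the last two answers into practice: it moves a service onto its own "NT SERVICE\<name>" virtual account, grants that SID alone (plus SYSTEM and Administrators) rights on the service's data directory, and then shows that the virtual account resolves to a real local SID. The service name and directory path are assumptions.

```powershell
# Added example, not from the thread. Assumed names: MyAppSvc, C:\ServiceData\MyAppSvc.
$ServiceName = 'MyAppSvc'                  # assumed: an already-installed service
$DataDir     = 'C:\ServiceData\MyAppSvc'   # assumed: that service's private data directory
$VirtualAcct = "NT SERVICE\$ServiceName"   # virtual account name is always NT SERVICE\<service name>

# 1. Run the service under its virtual account. No password is stored or managed;
#    Windows derives the identity from the service name.
#    (If the service later fails to start with a logon failure, grant the account
#    the "Log on as a service" right; the Services MMC does this automatically.)
sc.exe config $ServiceName obj= $VirtualAcct

# 2. Lock down the data directory: drop inherited ACEs, keep SYSTEM and
#    Administrators, then add only this service's virtual account. Other services,
#    whether running as Local Service or as their own virtual accounts, get no ACE.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
$acl = Get-Acl -Path $DataDir
$acl.SetAccessRuleProtection($true, $false)   # isProtected=true, discard inherited rules
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $VirtualAcct, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $DataDir -AclObject $acl

# 3. Verify the logon account the Service Control Manager now uses, and the
#    resulting ACL. Expect StartName = NT SERVICE\MyAppSvc and exactly three ACEs.
(Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
(Get-Acl -Path $DataDir).Access | Select-Object IdentityReference, FileSystemRights

# 4. Show that the virtual account is a genuine local principal: it translates to a
#    SID in the S-1-5-80-... range, which is why it can appear in file ACLs at all.
(New-Object System.Security.Principal.NTAccount($VirtualAcct)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
```

Run from an elevated prompt; note that, as Ondrej points out, none of this changes how the service is seen on the network, where it still authenticates as the computer account.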
