The difference between the Windows 'Local System' account and the 'Network Service' account?

Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must do so under the same CC BY-SA license, cite the original address and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/510170/

Date: 2020-09-09 06:01:17  Source: igfitidea


Tags: windows, security

Asked by jmatthias

I have written a Windows service that spawns a separate process. This process creates a COM object. If the service runs under the 'Local System' account everything works fine, but if the service runs under the 'Network Service' account, the external process starts up but it fails to create the COM object. The error returned from the COM object creation is not a standard COM error (I think it's specific to the COM object being created).


So, how do I determine how the two accounts, 'Local System' and 'Network Service' differ? These built-in accounts seem very mysterious and nobody seems to know much about them.


Answered by Peter Oehlert

Since there is so much confusion about functionality of standard service accounts, I'll try to give a quick run down.


First the actual accounts:


  • LocalService account (preferred)

    A limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service it accesses the network as an Anonymous user.

    • Name: NT AUTHORITY\LocalService
    • the account has no password (any password information you provide is ignored)
    • HKCU represents the LocalService user account
    • has minimal privileges on the local computer
    • presents anonymous credentials on the network
    • SID: S-1-5-19
    • has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-19)

  • NetworkService account

    Limited service account that is meant to run standard privileged services. This account is far more limited than Local System (or even Administrator) but still has the right to access the network as the machine (see caveat above).

    • NT AUTHORITY\NetworkService
    • the account has no password (any password information you provide is ignored)
    • HKCU represents the NetworkService user account
    • has minimal privileges on the local computer
    • presents the computer's credentials (e.g. MANGO$) to remote servers
    • SID: S-1-5-20
    • has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-20)
    • If trying to schedule a task using it, enter NETWORK SERVICE into the Select User or Group dialog

  • LocalSystem account (dangerous, don't use!)

    Completely trusted account, more so than the administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something)

    • Name: .\LocalSystem (can also use LocalSystem or ComputerName\LocalSystem)
    • the account has no password (any password information you provide is ignored)
    • SID: S-1-5-18
    • does not have any profile of its own (HKCU represents the default user)
    • has extensive privileges on the local computer
    • presents the computer's credentials (e.g. MANGO$) to remote servers

Above when talking about accessing the network, this refers solely to SPNEGO (Negotiate), NTLM and Kerberos and not to any other authentication mechanism. For example, processes running as LocalService can still access the internet.


The general issue with running as a standard out of the box account is that if you modify any of the default permissions you're expanding the set of things everything running as that account can do. So if you grant DBO to a database, not only can your service running as Local Service or Network Service access that database but everything else running as those accounts can too. If every developer does this the computer will have a service account that has permissions to do practically anything (more specifically the superset of all of the different additional privileges granted to that account).


It is always preferable from a security perspective to run as your own service account that has precisely the permissions you need to do what your service does and nothing else. However, the cost of this approach is setting up your service account, and managing the password. It's a balancing act that each application needs to manage.


In your specific case, the issue that you are probably seeing is that the DCOM or COM+ activation is limited to a given set of accounts. In Windows XP SP2, Windows Server 2003, and above the Activation permission was restricted significantly. You should use the Component Services MMC snap-in to examine your specific COM object and see the activation permissions. If you're not accessing anything on the network as the machine account you should seriously consider using Local Service (not Local System which is basically the operating system).




In Windows Server 2003 you cannot run a scheduled task as


  • NT_AUTHORITY\LocalService (aka the Local Service account), or
  • NT AUTHORITY\NetworkService (aka the Network Service account).

That capability only was added with Task Scheduler 2.0, which only exists in Windows Vista/Windows Server 2008 and newer.


A service running as NetworkService presents the machine credentials on the network. This means that if your computer was called mango, it would present as the machine account MANGO$.

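The following script is an added example for this page; it is not code from the answer above or from StackOverflow. It puts the answer's two practical points into something you can run on a box you administer: it resolves the three well-known SIDs (S-1-5-18, S-1-5-19, S-1-5-20) to their account names and checks whether a hive for each is loaded under HKEY_USERS, lists which account every installed service logs on as so LocalSystem services stand out for review, and decodes a DCOM AppID's LaunchPermission security descriptor (the same ACL the Component Services snap-in shows) so you can see which accounts hold local activation rights. It assumes an elevated PowerShell 5.1 or later session on Windows; the AppID GUID passed to Get-DcomLaunchPermission is a placeholder you take from the snap-in, since the page names none. The COM_RIGHTS_* bit values are the ones defined in the Windows SDK.

```powershell
# Added example, not code from the StackOverflow answer above.
# Assumes: Windows, elevated PowerShell 5.1 or later. The AppID GUID given to
# Get-DcomLaunchPermission is a placeholder to be taken from the Component
# Services snap-in; the page does not name one.

# The three well-known SIDs the answer lists for the built-in service accounts.
$WellKnownServiceSids = @{
    'S-1-5-18' = 'LocalSystem'
    'S-1-5-19' = 'LocalService'
    'S-1-5-20' = 'NetworkService'
}

function Resolve-WellKnownServiceSid {
    # Ask the OS to translate each SID to its account name and check whether a
    # registry hive for it is loaded under HKEY_USERS (the per-account profile).
    foreach ($sid in $WellKnownServiceSids.Keys) {
        $identity = [System.Security.Principal.SecurityIdentifier]$sid
        [pscustomobject]@{
            Sid        = $sid
            Label      = $WellKnownServiceSids[$sid]
            NtAccount  = $identity.Translate([System.Security.Principal.NTAccount]).Value
            HiveLoaded = Test-Path "Registry::HKEY_USERS\$sid"
        }
    }
}

function Get-ServiceLogonSummary {
    # List every installed service with the account it logs on as, flagging
    # LocalSystem services as candidates for moving to a less privileged account.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = if ($_.StartName) { $_.StartName } else { '<none>' }
        [pscustomobject]@{
            Name          = $_.Name
            State         = $_.State
            StartName     = $account
            IsLocalSystem = ($account -eq 'LocalSystem')
        }
    } | Sort-Object StartName, Name
}

# COM access-right bits as defined in the Windows SDK (COM_RIGHTS_*).
$ComRights = @(
    @{ Bit = 1;  Name = 'COM_RIGHTS_EXECUTE' }
    @{ Bit = 2;  Name = 'COM_RIGHTS_EXECUTE_LOCAL' }
    @{ Bit = 4;  Name = 'COM_RIGHTS_EXECUTE_REMOTE' }
    @{ Bit = 8;  Name = 'COM_RIGHTS_ACTIVATE_LOCAL' }
    @{ Bit = 16; Name = 'COM_RIGHTS_ACTIVATE_REMOTE' }
)

function Get-DcomLaunchPermission {
    param([Parameter(Mandatory)][string]$AppId)  # e.g. '{GUID-FROM-COMPONENT-SERVICES}' (placeholder)

    # A per-AppID launch/activation ACL is stored in the LaunchPermission value
    # under HKCR\AppID\<guid> as a binary security descriptor. When it is absent
    # the machine-wide default in HKLM\SOFTWARE\Microsoft\Ole applies instead.
    $appIdKey = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    $bytes  = (Get-ItemProperty -Path $appIdKey -Name LaunchPermission -ErrorAction SilentlyContinue).LaunchPermission
    $source = 'AppID'
    if (-not $bytes) {
        $bytes  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name DefaultLaunchPermission).DefaultLaunchPermission
        $source = 'MachineDefault'
    }

    # Parse the self-relative security descriptor and walk its DACL.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = ($ComRights | Where-Object { $ace.AccessMask -band $_.Bit } | ForEach-Object { $_.Name }) -join ','
        $principal = try {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $ace.SecurityIdentifier.Value   # unresolvable SID: show it raw
        }
        [pscustomobject]@{
            Source    = $source
            AceType   = $ace.AceType
            Principal = $principal
            Rights    = $rights
        }
    }
}

# Usage:
Resolve-WellKnownServiceSid | Format-Table -AutoSize
Get-ServiceLogonSummary | Where-Object IsLocalSystem | Format-Table -AutoSize
# Get-DcomLaunchPermission -AppId '{GUID-FROM-COMPONENT-SERVICES}' | Format-Table -AutoSize
```

When Get-DcomLaunchPermission reports Source = MachineDefault, the object has no ACL of its own and inherits the machine-wide launch permission, which is what the answer means by activation being "limited to a given set of accounts": the account the service runs as (LocalService, NetworkService, or one you created) must appear in that DACL with COM_RIGHTS_ACTIVATE_LOCAL, and granting it per AppID keeps the change scoped to one object rather than widening what every service on the box can activate.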