local admin security question

Can anyone suggest whether to use Local Admin service as a Windows service account for our .NET ADO application or create a user with Admin privileges to use for this account?

Is one better than the other?

Thanks,

Jeff

If you are concerned about security, then it is probably best to avoid using
an account that has admin privileges at all. Does your app absolutely require that?

The question of local account vs. domain account depends on whether the service needs to access domain resources on the network.

If you really need admin privileges and only need a local machine account, then creating a different user is probably a good idea because then you can change the regular administrator password easily without breaking your service.

Joe K.

Our app doesn't require it, we are just having problems with Systems that do
not use English on the initial install during the Windows 2003 Server install. They install it as Spanish, and our Windows Service needs to use a regional setting of English. So we found out we need to use a user account vs. a "local admin" account. Are there any whitepapers on locking a user account down just to a Windows Service?

If you are deploying to 2003, why not try using the NETWORK SERVICE account?
It is essentially a local user in terms of permissions, but uses the computer's account for network credentials. If you don't need network credentials, you can use LOCAL SERVICE.

If there is an internationalization issue related to the names of these accounts, it seems like using the SIDs to reference them would be the way to go. However, I know very little about MSI or internationalization, so I can't help too much with any details there.

Joe K.

We are using the service mainly for .NET remoting clients to connect to,
without using any Windows authentication. Is there a way to set a Region Language to the Network Service, or will it also use the same as the Local System Account?

Thanks for your input.

Jeff

Are you using the ServiceProcessInstaller to deploy the service? If so, you
should be able to use ServiceAccount.NetworkService or ServiceAccount.LocalService to deploy on any language version. Otherwise, I'm not sure what you are talking about. :)

Joe K.

"Jeff Pigott" <jpig***@karmak.com> wrote in message news:OPtgoziOFHA.2348@tk2msftngp13.phx.gbl...
> Our app doesn't require it, we are just having problems with Systems that
> do not use English on the initial install during the Windows 2003 Server
> install. They install it as Spanish, and our Windows Service needs to use a
> regional setting of English.

Why? What problems are being caused by the Spanish settings (e.g.: exceptions, formatting anomalies, etc.)?

> So we found out we need to use a user account vs. a "local admin" account.

Under what account was your service previously set to run? Have you confirmed that changing the account actually resolves your problems, or is the account change an untested possible solution?

It appears that our Service is looking for US standards for date formats and
currency. When the server is configured as Spanish-Mexico in Regional Settings and the service is started under LocalAdmin service, our app doesn't work, but when we found that we were able to make a user account with the US Regional settings and start the service with this account all is well.

Is there a way in code to set the regional setting to US for the "service" so it wouldn't matter what Regional settings were installed on the server? That would be great?

Thanks,

Jeff
----
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message news:uc0ZnBqOFHA.3444@tk2msftngp13.phx.gbl...
> Why? What problems are being caused by the Spanish settings (e.g.:
> exceptions, formatting anomalies, etc.)?
>
> Under what account was your service previously set to run? Have you
> confirmed that changing the account actually resolves your problems, or is
> the account change an untested possible solution?

"Jeff Pigott" <jpig***@karmak.com> wrote in message news:OvUCuYrOFHA.3380@TK2MSFTNGP15.phx.gbl...
> It appears that our Service is looking for US standards for date formats
> and currency.

Can you not override this using the Thread.CurrentCulture property? If not, is the code with the problem your own code or something in the service "plumbing"?
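
The two suggestions made in this thread, as an added C# example (not code from any of the posters): the installer selects NETWORK SERVICE by enum and resolves its localized name from the well-known SID, and the parsing helpers pass en-US explicitly, because Thread.CurrentCulture is per thread and a value set in OnStart would not reach the thread-pool threads that serve remoting calls. The class names, the service name and a .NET Framework 2.0 or later target (with references to System.Configuration.Install.dll and System.ServiceProcess.dll) are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Globalization;
using System.Security.Principal;
using System.ServiceProcess;

// Installer picked up by installutil.exe or an MSI custom action.
[RunInstaller(true)]
public class ExampleServiceInstaller : Installer        // hypothetical name
{
    public ExampleServiceInstaller()
    {
        ServiceProcessInstaller process = new ServiceProcessInstaller();
        // Built-in low-privilege account, selected by enum rather than by its
        // (localized) display name. Use LocalService if the service needs no
        // network credentials.
        process.Account = ServiceAccount.NetworkService;

        ServiceInstaller service = new ServiceInstaller();
        service.ServiceName = "ExampleRemotingHost";     // hypothetical name
        service.StartType = ServiceStartMode.Automatic;

        Installers.Add(process);
        Installers.Add(service);
    }

    // Localized name of the account (for example when granting it an ACL),
    // resolved from the well-known SID instead of a hard-coded English string.
    public static string NetworkServiceAccountName()
    {
        SecurityIdentifier sid =
            new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
        return sid.Translate(typeof(NTAccount)).Value;
    }
}

// Parsing helpers that do not depend on the server's regional settings or on
// which account the service runs as.
public static class UsFormats                            // hypothetical name
{
    // false = ignore any per-user overrides made in Regional Settings.
    private static readonly CultureInfo Us = new CultureInfo("en-US", false);

    public static DateTime ParseDate(string text)
    {
        return DateTime.Parse(text, Us);
    }

    public static decimal ParseCurrency(string text)
    {
        return decimal.Parse(text, NumberStyles.Currency, Us);
    }
}
```

With the culture passed explicitly, the service no longer needs a dedicated user account just to obtain US regional settings.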