Services permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

There are two types of permissions that apply to services: service account permissions and service permissions. Service account permissions refer to the user rights and credentials that are granted to the service through the logon account. Service permissions refer to the permissions that are required to configure a service.

Service account permissions

A service must log on to an account to access resources and objects on the operating system. Most services are not designed to have their default logon account changed. Changing the default account will probably cause the service to fail.

If you select an account that does not have permission to log on as a service, the Services snap-in automatically grants that account the user rights that are required to log on as a service on the computer that you are managing. However, this does not guarantee that the service will start.

It is recommended that the user accounts that are used to log on as a service have the Password never expires check box selected in their properties dialog box and that they have strong passwords. For more information, see Strong passwords.

If account lockout policy is enabled and the account is locked out, the service will malfunction. For more information, see Account Lockout Policy.

The following table describes the service logon accounts and how they are used.

Logon account: Description

Local System account: The Local System account is a powerful account that has full access to the system, including the directory service on domain controllers. If a service logs on to the Local System account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the Local System account. Do not change the default service setting.

Local Service account: The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with no credentials.

Network Service account: The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account.

Caution

  • Changing the default service settings may prevent key services from running correctly. It is especially important to use caution when changing the Startup type and Log on as settings of services that are configured to start automatically.

  • In most cases, it is recommended that you not change the Allow service to interact with desktop setting. If you allow the service to interact with the desktop, any information that the service displays on the desktop will also be displayed on an interactive user's desktop. A malicious user could then take control of the service or attack it from the interactive desktop.

Service permissions

Each service has special permissions that you can grant or deny for each user or group. You can set permissions for individual services by using Security Templates or the sc command. For more information, see Security Templates and SC.

The following table lists the individual service permissions that you can apply.

Permission: Allows you to

Full Control: Perform all functions. This permission automatically grants all service permissions to the user.
Query Template: Determine the configuration parameters that are associated with a service object.
Change Template: Change the configuration of a service. This permission is required so that the user can change the startup type.
Query Status: Access information about the status of the service.
Enumerate Dependents: Determine all the other services that depend on the specified service.
Start: Start a service.
Stop: Stop a service.
Pause and Continue: Pause and continue the service.
Interrogate: Report the current status information for the service.
User-Defined Control: Send a user-defined control request (a request that is specific to the service) to the service.
Delete: Delete a service.
Read Permissions: Read the security permissions that are assigned to the service.
Change Permissions: Change the security permissions that are assigned to the service.
Take Ownership: Change a security key or change permissions on a service that is not owned by the user.
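The security descriptor that the sc sdshow command prints for a service encodes these same permissions as two-letter SDDL codes. The following Python is an added example (not code from this page or from Microsoft) that maps those codes, or a raw hex access mask, back to the permission names in the table and lists allow entries that grant a trustee other than Local System or Administrators a write-type right (Change Template, Delete, Change Permissions, Take Ownership); the function names and the input string are constructed for this illustration.

```python
import re

# SDDL rights codes as printed by "sc sdshow", with the access-mask bit and the
# permission name from the table above (added example, not code from the page).
SDDL_RIGHTS = {
    "CC": (0x00001, "Query Template"), "DC": (0x00002, "Change Template"),
    "LC": (0x00004, "Query Status"), "SW": (0x00008, "Enumerate Dependents"),
    "RP": (0x00010, "Start"), "WP": (0x00020, "Stop"),
    "DT": (0x00040, "Pause and Continue"), "LO": (0x00080, "Interrogate"),
    "CR": (0x00100, "User-Defined Control"), "SD": (0x10000, "Delete"),
    "RC": (0x20000, "Read Permissions"), "WD": (0x40000, "Change Permissions"),
    "WO": (0x80000, "Take Ownership"),
}
FULL_CONTROL = {name for _, name in SDDL_RIGHTS.values()}
# Rights that let a trustee reconfigure, remove or re-ACL the service.
WRITE_RIGHTS = {"Change Template", "Delete", "Change Permissions", "Take Ownership"}
# Well-known trustee abbreviations (trustee "WD" is Everyone, unrelated to the right WD).
TRUSTEES = {"SY": "Local System", "LS": "Local Service", "NS": "Network Service",
            "BA": "Administrators", "BU": "Users", "AU": "Authenticated Users",
            "IU": "Interactive", "SU": "Service", "WD": "Everyone"}
PRIVILEGED = {"SY", "BA"}  # trustees expected to hold write rights on a service
# ACE string layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")

def decode_rights(field):
    """Turn an SDDL rights field (letter pairs, GA/FA, or a hex mask) into permission names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in SDDL_RIGHTS.values() if mask & bit}
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    if "GA" in codes or "FA" in codes:  # generic/file "all access" covers every service bit
        return set(FULL_CONTROL)
    return {SDDL_RIGHTS[c][1] for c in codes if c in SDDL_RIGHTS}

def parse_service_dacl(sddl):
    """Return [(ace_type, trustee, permissions)] for the DACL of an sc sdshow string."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    return [(t, who, decode_rights(r)) for t, r, who in ACE_RE.findall(m.group(1))] if m else []

def weak_service_aces(sddl):
    """Allow ACEs that give a trustee other than System/Administrators a write-type right."""
    return [(TRUSTEES.get(who, who), sorted(perms & WRITE_RIGHTS))
            for t, who, perms in parse_service_dacl(sddl)
            if t == "A" and who not in PRIVILEGED and perms & WRITE_RIGHTS]

# Constructed sample in the shape of "sc sdshow <service>" output; the AU entry is the
# deliberately over-broad one (Change Template and Delete for Authenticated Users).
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPSDRC;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Running weak_service_aces over the descriptor of each service on a host is a quick way to confirm that only Local System and Administrators can reconfigure, delete or re-ACL services, which is the default posture the Caution notes above assume.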

Important

  • To improve performance and security in the Windows Server 2003 family, several services have been disabled by default that were previously enabled on Windows 2000. For a table that lists the default settings and provides information about how to enable these services, see Default settings for services. Note that these settings apply only to new installations, not upgrades; all previous service configurations are preserved during upgrades to the Windows Server 2003 family.