System Accounts Definations
I am always getting confused over the different accounts.
From http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx,
System Accounts
A service must log on as an account to access resources and objects on the operating system. If you assign an account to a service that does not have appropriate permissions to log on, the Services snap-in for the Microsoft Management Console (MMC) automatically grants that account the required Log on as a Service user right on the computer being managed. Microsoft Windows Server™ 2003 includes the following three built-in local accounts used as the logon accounts for various system services:
• Local System account
The Local System account is a predefined local account that can start a service and provide the security context for that service. It is a powerful account that has full access to the computer, including the directory service when used for services running on domain controllers. The account acts as the host computer account on the network and as such has access to network resources just like any other domain account. On the network, this account appears as DOMAIN\$. If a service logs on using the Local System account on a domain controller, it has Local System access on the domain controller itself, which, if compromised, could allow malicious users to change anything in the domain they wanted. Windows Server 2003 configures some services to log on as the Local System account by default. The actual name of the account is NT AUTHORITY\System, and it does not have a password that an administrator needs to manage.
•Local Service account
The Local Service account is a special built-in account that has reduced privileges similar to an authenticated local user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Local Service account accesses network resources as a null session; that is, it uses anonymous credentials. The actual name of the account is NT AUTHORITY\LocalService, and it does not have a password that an administrator needs to manage.
•Network Service account
The Network Service account is a special built-in account that has reduced privileges similar to an authenticated user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Network Service account accesses network resources using the credentials of the computer account in the same manner as a Local System service does. The actual name of the account is NT AUTHORITY\NetworkService, and it does not have a password that an administrator needs to manage.
Important: If you change the default service settings, you might prevent key services from running correctly. It is especially important to use caution when you change the Startup type and Log on as settings for services that are set to start automatically by default.
From http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx,
System Accounts
A service must log on as an account to access resources and objects on the operating system. If you assign an account to a service that does not have appropriate permissions to log on, the Services snap-in for the Microsoft Management Console (MMC) automatically grants that account the required Log on as a Service user right on the computer being managed. Microsoft Windows Server™ 2003 includes the following three built-in local accounts used as the logon accounts for various system services:
• Local System account
The Local System account is a predefined local account that can start a service and provide the security context for that service. It is a powerful account that has full access to the computer, including the directory service when used for services running on domain controllers. The account acts as the host computer account on the network and as such has access to network resources just like any other domain account. On the network, this account appears as DOMAIN\
•Local Service account
The Local Service account is a special built-in account that has reduced privileges similar to an authenticated local user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Local Service account accesses network resources as a null session; that is, it uses anonymous credentials. The actual name of the account is NT AUTHORITY\LocalService, and it does not have a password that an administrator needs to manage.
•Network Service account
The Network Service account is a special built-in account that has reduced privileges similar to an authenticated user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Network Service account accesses network resources using the credentials of the computer account in the same manner as a Local System service does. The actual name of the account is NT AUTHORITY\NetworkService, and it does not have a password that an administrator needs to manage.
Important: If you change the default service settings, you might prevent key services from running correctly. It is especially important to use caution when you change the Startup type and Log on as settings for services that are set to start automatically by default.
