A HIGH-RISK security context for services. When it comes to access rights, privileges, permissions and authorization levels for a Windows service there are several options. The LocalSystem account is the predefined local account used by the service control manager (SCM), and it is the account a service gets when it is created without naming another one (for example with sc create). A vulnerability in a service running as LocalSystem hands an attacker full control of the machine, and remote control if the service is reachable over the network.
It is not recognized by the security subsystem (you cannot look it up by name with LookupAccountName), it has extensive privileges on the local computer, and it acts as the computer on the network, so it can reach most system objects. It is also written ComputerName\LocalSystem or .\LocalSystem, and it has no password.
Most agree that the majority of services do not need such a high privilege level; the risk and exposure are too great. So the rule of thumb is: if a service does not need these privileges and is not an interactive service, use the LocalService account or the NetworkService account instead.
LocalSystem is the least restricted service account: it runs with almost unlimited privileges on the local machine (more freedom, more risk, less security).
Services running under this account inherit the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value (S-1-5-18). It is not associated with any logged-on user account.
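The rule of thumb above is applied in the service installer. The following is an added example, not code from the training kit: a .NET Framework installer that puts the service under LocalService, and a ServiceBase that checks at start-up that nobody has since moved it to LocalSystem. The service name "MyWorkerService" and its display name are assumptions.

```csharp
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.Security.Principal;
using System.ServiceProcess;

// Added example, not code from the training kit. "MyWorkerService" and the
// display name are assumed. The installer runs when installutil.exe installs
// the assembly; the service class is what the SCM starts afterwards.
[RunInstaller(true)]
public class MyWorkerInstaller : Installer
{
    public MyWorkerInstaller()
    {
        ServiceProcessInstaller process = new ServiceProcessInstaller();
        // Least privilege by default: LocalService has minimal rights on the
        // local machine and presents anonymous credentials on the network.
        // Use ServiceAccount.NetworkService only when the service must
        // authenticate to remote servers as the computer account, and
        // ServiceAccount.LocalSystem only when it needs a privilege (for
        // example SE_TCB_NAME) that the two restricted accounts do not hold.
        process.Account = ServiceAccount.LocalService;

        ServiceInstaller service = new ServiceInstaller();
        service.ServiceName = "MyWorkerService";
        service.DisplayName = "My Worker Service";
        service.StartType = ServiceStartMode.Automatic;

        Installers.Add(process);
        Installers.Add(service);
    }
}

public class MyWorkerService : ServiceBase
{
    public MyWorkerService()
    {
        ServiceName = "MyWorkerService";
        AutoLog = true;   // registers an event source named after the service
    }

    protected override void OnStart(string[] args)
    {
        // Runtime check: an administrator can later change the account with
        // "sc config MyWorkerService obj= LocalSystem". Detect that and log it
        // rather than silently running with SYSTEM privileges.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        if (identity.IsSystem)
        {
            EventLog.WriteEntry(
                "MyWorkerService is running as LocalSystem; it was installed to run as LocalService.",
                EventLogEntryType.Warning);
        }
        // ... start the worker here ...
    }

    public static void Main()
    {
        ServiceBase.Run(new MyWorkerService());
    }
}
```

Install with installutil.exe against the built assembly, then confirm the account with sc qc MyWorkerService; the START_NAME line should read NT AUTHORITY\LocalService. The OnStart check is deliberately a warning rather than a refusal to start: a service that stops itself because of its own account makes troubleshooting harder without making the box safer, while the event log entry is something monitoring can alert on.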
Implications of the LocalSystem Account:
• The registry key HKEY_CURRENT_USER is associated with the default user, not the currently logged-on user.
• To access another user's profile, impersonate that user and then access HKEY_CURRENT_USER.
• The service can open the registry key HKEY_LOCAL_MACHINE\SECURITY, which even administrators cannot read by default.
• The service presents the computer's credentials (the machine account) to remote servers.
• If the service opens a command window and runs a batch file, a user at the console could press CTRL+C to terminate the batch file and be left with a command window running with LocalSystem permissions.
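The last implication is the one a developer can cause by accident. The following is an added example, not code from the training kit, of how a service should run a batch file so that no console window is ever presented to a logged-on user. The batch path and the event source name "MyWorkerService" are assumptions; the child process still runs with the service's own token, so the script must be trustworthy and its file ACL must not let ordinary users modify it.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text;

// Added example, not code from the training kit. Runs a batch file from a
// service without a console window and with its output captured to the
// event log. The event source "MyWorkerService" is assumed to be registered
// (ServiceBase.AutoLog does that for a service of that name).
public static class SafeBatchRunner
{
    public static int Run(string batchPath)
    {
        if (!File.Exists(batchPath))
            throw new FileNotFoundException("batch file not found", batchPath);

        ProcessStartInfo psi = new ProcessStartInfo();
        // Fully qualified interpreter path: a LocalSystem process must not
        // resolve cmd.exe through PATH, where an attacker may have planted one.
        psi.FileName = Path.Combine(Environment.SystemDirectory, "cmd.exe");
        psi.Arguments = "/c \"" + batchPath + "\"";
        psi.UseShellExecute = false;    // required for CreateNoWindow and redirection
        psi.CreateNoWindow = true;      // no console, so there is nothing to CTRL+C into
        psi.RedirectStandardOutput = true;
        psi.RedirectStandardError = true;

        StringBuilder errors = new StringBuilder();
        using (Process process = new Process())
        {
            process.StartInfo = psi;
            // Drain stderr asynchronously so a chatty script cannot deadlock us
            // while we read stdout synchronously.
            process.ErrorDataReceived += delegate(object sender, DataReceivedEventArgs e)
            {
                if (e.Data != null) errors.AppendLine(e.Data);
            };
            process.Start();
            process.BeginErrorReadLine();
            string output = process.StandardOutput.ReadToEnd();
            process.WaitForExit();

            // Report through the event log instead of a window.
            EventLog.WriteEntry(
                "MyWorkerService",
                "batch exit code " + process.ExitCode + Environment.NewLine + output + errors,
                process.ExitCode == 0 ? EventLogEntryType.Information : EventLogEntryType.Error);
            return process.ExitCode;
        }
    }
}
```

This removes the interactive window, not the privilege: cmd.exe and the script still run as LocalSystem. If the script only needs to touch a few files, the better fix is to move that work into the service itself and run the service as LocalService or NetworkService, as recommended above.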
The LocalSystem account's token holds the following privileges. "Enabled" means the privilege is switched on in the token by default; "disabled" means it is present but must be turned on with AdjustTokenPrivileges before it takes effect, which is still a far lower bar than for an account that does not hold the privilege at all:
• SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
• SE_AUDIT_NAME (enabled)
• SE_BACKUP_NAME (disabled)
• SE_CHANGE_NOTIFY_NAME (enabled)
• SE_CREATE_GLOBAL_NAME (enabled)
• SE_CREATE_PAGEFILE_NAME (enabled)
• SE_CREATE_PERMANENT_NAME (enabled)
• SE_CREATE_TOKEN_NAME (disabled)
• SE_DEBUG_NAME (enabled)
• SE_IMPERSONATE_NAME (enabled)
• SE_INC_BASE_PRIORITY_NAME (enabled)
• SE_INCREASE_QUOTA_NAME (disabled)
• SE_LOAD_DRIVER_NAME (disabled)
• SE_LOCK_MEMORY_NAME (enabled)
• SE_MANAGE_VOLUME_NAME (disabled)
• SE_PROF_SINGLE_PROCESS_NAME (enabled)
• SE_RESTORE_NAME (disabled)
• SE_SECURITY_NAME (disabled)
• SE_SHUTDOWN_NAME (disabled)
• SE_SYSTEM_ENVIRONMENT_NAME (disabled)
• SE_SYSTEMTIME_NAME (disabled)
• SE_TAKE_OWNERSHIP_NAME (disabled)
• SE_TCB_NAME (enabled)
• SE_UNDOCK_NAME (disabled)
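The enabled/disabled annotations in the list can be verified from inside the service. The following is an added example, not code from the training kit: a P/Invoke routine that enumerates the privileges in the current process token and reports whether each one is enabled. Run under LocalSystem it should agree with the list above; note that the Win32 API reports the string form of each privilege (for example SeDebugPrivilege), which is what the SE_*_NAME constants expand to. Running it as an ordinary user or as an elevated administrator shows how much shorter those tokens are.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not code from the training kit. Lists every privilege in the
// process token with its enabled/disabled state using GetTokenInformation.
public static class TokenPrivilegeReport
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenPrivilegesClass = 3;            // TOKEN_INFORMATION_CLASS.TokenPrivileges
    const uint SE_PRIVILEGE_ENABLED = 0x00000002;
    const int ERROR_INSUFFICIENT_BUFFER = 122;

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint desiredAccess, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, uint infoLength, out uint returnLength);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string systemName, ref LUID luid, StringBuilder name, ref uint nameLength);

    // Returns (privilege name, enabled) for every privilege held by the process token.
    public static List<KeyValuePair<string, bool>> Read()
    {
        List<KeyValuePair<string, bool>> result = new List<KeyValuePair<string, bool>>();
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            // First call with an empty buffer only tells us the size we need.
            uint needed;
            GetTokenInformation(token, TokenPrivilegesClass, IntPtr.Zero, 0, out needed);
            if (Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
                throw new Win32Exception();
            IntPtr buffer = Marshal.AllocHGlobal((int)needed);
            try
            {
                if (!GetTokenInformation(token, TokenPrivilegesClass, buffer, needed, out needed))
                    throw new Win32Exception();
                // TOKEN_PRIVILEGES: DWORD PrivilegeCount, then PrivilegeCount LUID_AND_ATTRIBUTES entries.
                int count = Marshal.ReadInt32(buffer);
                int entrySize = Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES));
                for (int i = 0; i < count; i++)
                {
                    IntPtr entryPtr = new IntPtr(buffer.ToInt64() + 4 + i * entrySize);
                    LUID_AND_ATTRIBUTES entry =
                        (LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(entryPtr, typeof(LUID_AND_ATTRIBUTES));
                    StringBuilder name = new StringBuilder(256);   // privilege names are short
                    uint nameLength = (uint)name.Capacity;
                    if (!LookupPrivilegeName(null, ref entry.Luid, name, ref nameLength))
                        throw new Win32Exception();
                    bool enabled = (entry.Attributes & SE_PRIVILEGE_ENABLED) != 0;
                    result.Add(new KeyValuePair<string, bool>(name.ToString(), enabled));
                }
            }
            finally { Marshal.FreeHGlobal(buffer); }
        }
        finally { CloseHandle(token); }
        return result;
    }

    public static void Main()
    {
        foreach (KeyValuePair<string, bool> p in Read())
            Console.WriteLine("{0,-36} {1}", p.Key, p.Value ? "enabled" : "disabled");
    }
}
```

Enabling one of the "disabled" entries (for instance SeBackupPrivilege to read files regardless of their ACL) takes a single AdjustTokenPrivileges call on a token opened with TOKEN_ADJUST_PRIVILEGES, and that call returns TRUE even when it could not enable everything, so check GetLastError for ERROR_NOT_ALL_ASSIGNED (1300) afterwards. That is why the disabled entries in the list above still count as part of LocalSystem's attack surface.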
Key Exam Points
- Know which account to choose (LocalSystem, LocalService or NetworkService) for services written in VB or C# on the .NET Framework, and when LocalSystem is genuinely required
- Review the chapters on Applications, Domains and Services, and on Creating Windows Services
- For the exam, work through the practical, hands-on exercises and real-life examples on services, LocalSystem, security protocols and risks; they help you gain a better understanding of this topic
- Take the practice test
Application Domain, Defense-In-Depth, Service.
This article is based on the 2nd edition of the Microsoft .Net Framework Application Training Kit, with the purpose of helping 70-536 exam takers succeed. I constantly look for ways to improve the content. Please leave a comment about this article or drop me a message if you would like to see changes to this site.