Re: Windows Service - Event Log



Just one comment:

None of the services run as Administrator, a great deal run as SYSTEM (on

I didn't say the Administrator account. I said "a member of the
Administrators group on the local machine."

That said, I didn't advocate using a member of the Administrator's group; it
was just information.

As to whether or not a Service should run as the Local System account,
that's a matter of what the Service does (requirements). Whether it should
be run as Local System just to create an Event Log, that isn't necessary, as
the installation could set up the Event Log. Of course, the person running
the installation would have to be a member of the Administrator's group to
do this.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.


"Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx> wrote in message
news:OcZ9X66mGHA.1272@xxxxxxxxxxxxxxxxxxxxxxx

"Kevin Spencer" <uce@xxxxxxx> wrote in message
news:%23rTGi02mGHA.192@xxxxxxxxxxxxxxxxxxxxxxx
| >> Who's talking about writing to the eventlog? Tim and I are talking about
| >> writing to the registry ( HKLM ).
|
| You (Tim and you, as you prefer to put it, although I could almost swear
| that I am too)


No, I was only talking about writing to the Registry (more exactly to HKLM)
again re-read my response to Tim.
You (and Tim as I found out later) are talking about writing to the Registry
for the purpose of creating a log entry.

| Yes, this is done via the System registry, but the registry does not have a
| single set of permissions for all registry keys. It has highly granular
| permissions. If writing a .Net application, you are not likely to be writing
| directly to the registry in order to do this, but more likely to be using
| the EventLog classes.
|

That's what I tried to explain to Tim - user applications and user services
for that matter, better stay away from the registry security settings
especially from HKLM, right?

| To create an Event Log, the user account must be a member of the
| Administrators group on the local machine, or the local System account.

That's right, but that doesn't mean it's the task of the service to create
the log, you don't want your service to run as localsystem (or worse as
administrator), just for the purpose of a one time creation of a log entry
(source) do you? This is the task of a separate administrative tool, a
simple five lines C# application or a simple vbscript, that should be run as
part of the service deployment.

| The permissions can be changed as well, but that is not likely to be helpful
| (as, when the application moves to a different machine, the permissions must
| be changed on any machine it is moved to). So, what I said still stands: If
| you want your service to create an Event Log, it must run as a user account
| that is either the Local System or a member of the Administrators group. If
| you have a look at your Service Manager, you will see that many Services run
| under these types of accounts, and for a variety of reasons.
|

None of the services run as Administrator, a great deal run as SYSTEM (on
anything except Vista and LH server) but this will soon be history, MSFT has
learned a lesson. A number of services still run as localsystem, just
because they can't/won't change that to a less privileged user without
changing other depending processes as well, those that could be changed
easily are now running as Local Service or Network Service.
The major reason (but there are others) for this is a design flaw in the
"LogonUser" API which requires TCB privileges on anything below XP and W2K3.
TCB privileges are only granted to 'localsystem' on NT4 and W2K, that means
that Services that need to impersonate must run as SYSTEM on these downlevel
OSes. Again these services are the number one security attack targets, and
it's not because MSFT made a mistake that you should follow their example
right?

Willy.
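
The separate install-time tool discussed in this thread, sketched as an added example that is not code from either poster: it registers the event source once, from an administrator context, so the service itself can run under a low-privileged account and only write entries. The source name "MyService" and the choice of the "Application" log are hypothetical; the example assumes the .NET Framework on Windows.

```csharp
// Added example: install-time tool, run elevated as part of service deployment.
// "MyService" and "Application" are hypothetical names, not from the thread.
using System;
using System.Diagnostics;
using System.Security.Principal;

static class EventSourceSetup
{
    const string Source = "MyService";
    const string LogName = "Application";

    static int Main(string[] args)
    {
        // Registering a source writes under HKLM, so require an administrator token.
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.Error.WriteLine("Run this tool from an administrator context.");
            return 1;
        }

        // "/remove" undoes the registration at uninstall time.
        if (args.Length == 1 && args[0] == "/remove")
        {
            if (EventLog.SourceExists(Source)) EventLog.DeleteEventSource(Source);
            return 0;
        }

        if (!EventLog.SourceExists(Source))
        {
            EventLog.CreateEventSource(Source, LogName);
            Console.WriteLine("Registered source '{0}' in log '{1}'.", Source, LogName);
            return 0;
        }

        // A source maps to exactly one log; report a mismatch instead of overwriting.
        string current = EventLog.LogNameFromSourceName(Source, ".");
        if (!string.Equals(current, LogName, StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine("Source already registered in log '{0}'.", current);
            return 2;
        }
        return 0;
    }
}

// In the service (Local Service, Network Service or a plain user account), only write:
//   EventLog.WriteEntry("MyService", "Service started.", EventLogEntryType.Information);
```

The service should not call `EventLog.SourceExists` or `EventLog.CreateEventSource` itself: for a source that is not registered, `SourceExists` can throw a `SecurityException` under a non-administrator account because it cannot search the Security log.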








