That was my understanding as well (i.e. LocalService is the best, but 
often useless because it's not powerful enough, NetworkService is better 
but still secure, LocalSystem is like leaving the front door of Fort Knox 
unlocked).

It's true that an account that is completely customized to the rights 
needed by your service is best, but it's easy to fall into the 'BizTalk' 
trap and end up with 20 accounts with different configurations that you 
now have to manage passwords and such for (a royal pain), not to mention 
the debugging time you spend each time the password expires and the 
machines haven't rebooted yet (tons of stuff starts working 'halfway', like 
new file system requests don't work, but things for which the current 
impersonation token is legal continue to work until the service is 
restarted...).

I can't tell you how many times I was chasing down a 'bug' that turned out 
to be a simple matter of the password expiring on a service account.  Very 
weird things happen - they're almost impossible to identify as 
authentication issues unless you really know what to look for.

Kelly




Rob Mensching <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/22/2008 10:05 PM

To: Richard <[EMAIL PROTECTED]>, WiX Users <wix-users@lists.sourceforge.net>
Subject: Re: [WiX-users] service fail to install due to networkService account

Hmm, I've heard network service is a very reasonable thing to install as. 
It has few permissions on the local machine but it can act as the machine 
on the network.  Our datacenter ops guys love network service because it 
doesn't require the password to be updated routinely the way an account 
requires.

LocalSystem on the other hand is basically the same thing as 
Administrator and opens a really scary attack surface.

LocalService can't do much of anything interesting but is the safest 
(because it can't do much of anything).  <smile/>

-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Richard
Sent: Thursday, May 22, 2008 21:36
To: WiX Users
Subject: Re: [WiX-users] service fail to install due to networkService 
account


In article <[EMAIL PROTECTED]>,
    zhisheng huang <[EMAIL PROTECTED]>  writes:

> Solved. The network service account needs to be specified with its domain.

It's generally bad practice to install services running as either local
system or network service.

The best practice is to create an account with only the permissions
that your service needs and install the service to run as this
account.

Most of the time, local system and network service have many more
privileges and permissions than your service needs.  Using your own
account allows you to control the permissions and privileges used by
your service explicitly instead of getting whatever implicit
privileges and permissions are associated with an existing account.
--
"The Direct3D Graphics Pipeline" -- DirectX 9 draft available for download
      <http://www.xmission.com/~legalize/book/download/index.html>

        Legalize Adulthood! <http://blogs.xmission.com/legalize/>

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
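
The account tiers and the password-expiry failure mode discussed in this thread can be checked on a machine with a short inventory. This is an added example, not code from any poster or from WiX; the function name `Get-ServiceAccountTier` and the `$WarnDays` threshold are hypothetical, and it assumes Windows PowerShell 5.1 or later (for `Get-LocalUser`).

```powershell
# Added example: group installed services by the identity they run as, then
# report password expiry for services that use a local custom account.
$WarnDays = 14   # assumption: how far ahead to flag an expiring password

function Get-ServiceAccountTier {
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    switch -Regex ($StartName) {      # -Regex matching is case-insensitive
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { return 'LocalSystem' }
        '^NT AUTHORITY\\Network ?Service$'     { return 'NetworkService' }
        '^NT AUTHORITY\\Local ?Service$'       { return 'LocalService' }
        '^NT SERVICE\\'                        { return 'VirtualAccount' }
        default                                { return 'CustomAccount' }
    }
}

$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartName,
        @{ Name = 'Tier'; Expression = { Get-ServiceAccountTier $_.StartName } }

# How many services run at each tier (LocalSystem is the one to review first).
$services | Group-Object Tier | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Custom accounts carry a password that can expire underneath a running service.
$report = foreach ($svc in ($services | Where-Object Tier -eq 'CustomAccount')) {
    $domain, $user = $svc.StartName -split '\\', 2
    $expires = $null
    $note = 'domain or UPN account: check expiry in the directory'
    if ($user -and $domain -in '.', $env:COMPUTERNAME) {
        $local = Get-LocalUser -Name $user -ErrorAction SilentlyContinue
        if (-not $local) {
            $note = 'local account not found'
        } else {
            $expires = $local.PasswordExpires   # $null means it never expires
            $note = if ($null -eq $expires) { 'local account, password never expires' }
                    elseif ($expires -lt (Get-Date).AddDays($WarnDays)) {
                        'local account, password expired or expiring soon' }
                    else { 'local account' }
        }
    }
    [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName
                       PasswordExpires = $expires; Note = $note }
}
$report | Sort-Object PasswordExpires | Format-Table -AutoSize
```

Services flagged as expired or expiring soon are the ones to check first when a service starts failing "halfway" in the manner described above.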
