Options for selecting the Service Account

A service account is a Windows user identity that is associated with a Windows service executable for the purpose of providing a security context for that service.

Windows 7 and Windows Server 2008 R2 have two new types of service accounts called managed service accounts (MSA) and virtual accounts. Managed service accounts and virtual accounts are designed to provide crucial applications such as SQL Server with the isolation of their own accounts. These types of service accounts are also a way to ease the administrative burden in managing service account passwords. The downside about these types of service accounts is that because they are still so new, their use is not supported universally, especially by applications based on DCOM technology such as PcVue.

Managed service accounts and virtual accounts are not supported by PcVue (Sv32.exe) running as a service. Because of this, we will not include the use of managed service accounts and virtual accounts in this book.

When considering which account to use for a service there are two main choices.

  • A built-in service account
  • A local or domain user account

When choosing a Service Account to run PcVue (or any other service) the main criteria is to use an account with the least possible privileges. This is to ensure that the service is run as securely as possible.

According to Microsoft, Windows administrators should choose service accounts based upon the following hierarchy. This hierarchy is ordered from least privilege to greatest privilege:

  1. The Local Service built-in service account
  2. The Network Service built-in service account
  3. A Local or domain user account
  4. The Local System built-in service account
  5. Local Administrator account
  6. A Domain Administrator account

Options 5 and 6 represent “worst-case scenarios” in which a given service or application simply will not run with a service account containing lesser privilege and permissions. Option 4, based on the Local System account, cannot be used to run PcVue. For these reasons, only options 1 to 3 should be considered.

It is always preferable from a security perspective to run as your own service account that has precisely the permissions you need to do what a service does and nothing else. However, the cost of this approach is setting up your service account, and managing the password. It is a balancing act that each application needs to manage.

Using a Local Service account

Local Service is a limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service, it has no ability to access network resources that require Windows authentication. However, it can still access network resources that do not require Windows authentication such as a PLC using TCP/IP based communication. Therefore, if PcVue is not accessing anything on the network requiring authentication at the Windows level, you should seriously consider using the Local Service account.

Using a Network Service account

If PcVue requires authenticated network access, you might need to use the Network Service account or a local user account with minimal privileges.

Using a Local or Domain user account

If PcVue must interact with network services, access domain resources such as file shares or if it uses linked server connections to other computers running SQL Server for example, you might use a minimally privileged domain account. Many server-to-server activities can be performed only with a domain user account. This account should be pre-created by domain administration in your environment.

See About using a built-in Service Account and About using a User Account as a Service Account for more information related to selecting the Service Account for running PcVue as a Windows Service.