I have developed a .NET Windows Service (in VS2010) that needs to:
- Access shared folders (read/write) on machines on the local network
- Write to HKLM/SOFTWARE part of the registry
- Write files and create folders in all parts of the local file system (ex. in root of C:)
- Download files from the web (using http)
My service must do well with all Windows (PC) operating systems, starting from Windows XP SP3 and onwards.
Problem: Which service account should I choose for my service?
Normally, I would use either “LocalService” or “NetworkService”, but none of those grants all needed privileges by themselves.
Should I use the “LocalSystem” account then? Or, should I create a complete separate account for my service’s use only (this should then be done automatically during installation)?
For now I use the “NetworkService” account and just add it to the administrators group during installation, which works fine. But I think this approach ruins the whole idea about limited service accounts and thus poses a security risk – don’t you agree?
You should not use LOCALSYSTEM. This has far too much power and all best practice tells you not to use it. In my view you should be creating a local user with appropriate rights as part of your installation. This is a fairly common practice for server/database products.
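The answer above says to create a local user with appropriate rights during installation but does not show the steps. The following is an added example (editor's code, not from the question or the answer) of an elevated install script that does exactly that on a modern Windows box: it creates a non-administrator local account with a random password, grants it the "Log on as a service" right, grants it Modify on one data folder and Full Control on one key under HKLM\SOFTWARE rather than on the whole hive or drive, and registers the service under that account. The account name `svc-myservice`, service name `MyService`, paths under `C:\MyService` and the key `HKLM\SOFTWARE\MyService` are placeholders; PowerShell 5.1 or later (for `New-LocalUser`) is assumed.

```powershell
# Added example, not from the question or the answer: provision a dedicated
# least-privilege local service account. Assumptions (hypothetical names):
# PowerShell 5.1+, run elevated, service 'MyService' in C:\MyService.
#Requires -RunAsAdministrator

$AccountName = 'svc-myservice'               # hypothetical account name
$ServiceName = 'MyService'                   # hypothetical service name
$InstallDir  = 'C:\MyService'                # hypothetical: binaries, read-only for the service
$DataDir     = 'C:\MyServiceData'            # hypothetical: the one folder the service writes to
$RegKey      = 'HKLM:\SOFTWARE\MyService'    # hypothetical: the one key it writes to
$ExePath     = Join-Path $InstallDir 'MyService.exe'

# 1. Random password. It is handed to the SCM once and never written to disk by us.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$PlainPassword  = [Convert]::ToBase64String($bytes)
$SecurePassword = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# 2. Create (or reset) the local account. It is NOT added to Administrators.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $SecurePassword `
        -Description "Service account for $ServiceName" `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
} else {
    Set-LocalUser -Name $AccountName -Password $SecurePassword
}
$Sid = (Get-LocalUser -Name $AccountName).SID.Value

# 3. Grant SeServiceLogonRight with secedit. The Services MMC does this for you
#    when you pick an account in the GUI; a scripted install must do it itself.
#    Existing holders of the right are preserved.
function Grant-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$Sid)
    $export = Join-Path $env:TEMP 'rights-export.inf'
    $import = Join-Path $env:TEMP 'rights-import.inf'
    $db     = Join-Path $env:TEMP 'rights-import.sdb'
    secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line    = Get-Content $export | Where-Object { $_ -match '^SeServiceLogonRight' }
    $current = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    if ($current -match [regex]::Escape("*$Sid")) { return }      # already granted
    $merged = if ($current) { "$current,*$Sid" } else { "*$Sid" }
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeServiceLogonRight = $merged"
    ) | Set-Content -Path $import -Encoding Unicode
    secedit.exe /configure /db $db /cfg $import /areas USER_RIGHTS | Out-Null
    Remove-Item $export, $import, $db -ErrorAction SilentlyContinue
}
Grant-ServiceLogonRight -Sid $Sid

# 4. File system: Modify on the data folder, Read/Execute on the binaries,
#    nothing on C:\ itself. Every extra location the service must write to
#    gets its own explicit grant instead of blanket admin membership.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
icacls.exe $DataDir    /grant "${AccountName}:(OI)(CI)M"  | Out-Null
icacls.exe $InstallDir /grant "${AccountName}:(OI)(CI)RX" | Out-Null

# 5. Registry: Full Control on the service's own key (and subkeys) only.
New-Item -Path $RegKey -Force | Out-Null
$acl  = Get-Acl -Path $RegKey
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList @($AccountName, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $RegKey -AclObject $acl

# 6. Register the service under the account. The SCM keeps the password in the
#    LSA secrets store; the installer drops its copy afterwards.
$cred = New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$AccountName", $SecurePassword)
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    New-Service -Name $ServiceName -BinaryPathName $ExePath `
        -Credential $cred -StartupType Automatic | Out-Null
} else {
    sc.exe config $ServiceName obj= "$env:COMPUTERNAME\$AccountName" password= $PlainPassword | Out-Null
}
Remove-Variable PlainPassword, SecurePassword, cred
```

Two caveats for the requirements in the question. A local account only exists on the machine it was created on, so reaching shares on other machines works only if the same user name and password exist on each remote machine (pass-through authentication) or if a domain account is used instead; and "write anywhere on the local file system" cannot be granted to a non-administrator without a per-location ACL grant like step 4, so the installer should enumerate the paths the service really needs rather than fall back to the Administrators group. On Windows XP SP3, which has no `New-LocalUser`, the same steps map onto `net user`, `secedit`, `cacls` and `sc.exe`.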