Service permissions
Updated: January 21, 2005
Service account permissions
If you select an account that does not have permission to log on as a service, the Services snap-in automatically grants that account the user rights that are required to log on as a service on the computer that you are managing. However, this does not guarantee that the service will start.
It is recommended that the user accounts that are used to log on as a service have the Password never expires check box selected in their properties dialog box and that they have strong passwords. For more information, see Strong passwords.
If account lockout policy is enabled and the account is locked out, the service will malfunction. For more information, see Account Lockout Policy.
The following table describes the service logon accounts and how they are used.
Logon account | Description |
Local System account | The Local System account is a powerful account that has full access to the system, including the directory service on domain controllers. If a service logs on to the Local System account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the Local System account. Do not change the default service setting. |
Local Service account | The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with no credentials. |
Network Service account | The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account. |
Caution
- Changing the default service settings may prevent key services from running correctly. It is especially important to use caution when changing the Startup type and Log on as settings of services that are configured to start automatically.
- In most cases, it is recommended that you not change the Allow service to interact with desktop setting. If you allow the service to interact with the desktop, any information that the service displays on the desktop will also be displayed on an interactive user's desktop. A malicious user could then take control of the service or attack it from the interactive desktop.
Service permissions
The following table lists the individual service permissions that you can apply.
Permission | Allows you to |
Full Control | Perform all functions. This permission automatically grants all service permissions to the user. |
Query Template | Determine the configuration parameters that are associated with a service object. |
Change Template | Change the configuration of a service. This permission is required so that the user can change the startup type. |
Query Status | Access information about the status of the service. |
Enumerate Dependents | Determine all the other services that depend on the specified service. |
Start | Start a service. |
Stop | Stop a service. |
Pause and Continue | Pause and continue the service. |
Interrogate | Report the current status information for the service. |
User-Defined Control | Send a user-defined control request--or a request that is specific to the service--to the service. |
Delete | Delete a service. |
Read Permissions | Read the security permissions that are assigned to the service. |
Change Permissions | Change the security permissions that are assigned to the service. |
Take Ownership | Change a security key or change permissions on a service that is not owned by the user. |
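The following Python example is added here and is not part of the original page or of any Microsoft tool. It decodes a service security descriptor, in the SDDL text form that `sc sdshow` prints, into the permission names from the table above and flags allow entries that give broad groups the permissions that can reconfigure a service. The SDDL code-to-permission mapping, the sample descriptor, and the choice of which groups count as broad are assumptions of this example.

```python
import re

# SDDL access-right codes as they apply to service objects, mapped to the
# permission names in the table above (assumed mapping, not from the page).
RIGHTS = {
    "CC": "Query Template", "DC": "Change Template", "LC": "Query Status",
    "SW": "Enumerate Dependents", "RP": "Start", "WP": "Stop",
    "DT": "Pause and Continue", "LO": "Interrogate",
    "CR": "User-Defined Control", "SD": "Delete", "RC": "Read Permissions",
    "WD": "Change Permissions", "WO": "Take Ownership",
}
# Permissions that let the holder reconfigure or re-permission the service.
SENSITIVE = {"Change Template", "Change Permissions", "Take Ownership"}
# Broad trustees that should not normally hold them (example policy choice).
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "IU": "Interactive", "BU": "Users"}

# Constructed sample descriptor; the trailing S: part is the audit list (SACL).
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)"
          "(A;;CCDCLCSWRPWPLOCRRC;;;AU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [permission names])] for the D: part only."""
    m = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inherit, trustee = body.split(";")[:6]
        # GA (generic all) stands for every right; hex masks are not decoded.
        codes = list(RIGHTS) if rights == "GA" else re.findall(r"[A-Z]{2}", rights)
        aces.append((ace_type, trustee, [RIGHTS[c] for c in codes if c in RIGHTS]))
    return aces

def risky_grants(sddl):
    """Allow ACEs that give a broad trustee a sensitive permission."""
    findings = []
    for ace_type, trustee, perms in parse_dacl(sddl):
        hits = sorted(SENSITIVE & set(perms))
        if ace_type == "A" and trustee in BROAD and hits:
            findings.append((BROAD[trustee], hits))
    return findings

if __name__ == "__main__":
    for who, perms in risky_grants(SAMPLE):
        print(f"{who} can: {', '.join(perms)}")
```

An entry that lists all thirteen codes, as the BA (Administrators) entry in the sample does, corresponds to Full Control in the table.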
Important
- To improve performance and security in the Windows Server 2003 family, several services have been disabled by default that were previously enabled on Windows 2000. For a table that lists the default settings and provides information about how to enable these services, see Default settings for services. Note that these settings apply only to new installations, not upgrades; all previous service configurations are preserved during upgrades to the Windows Server 2003 family.