Network Service security question

M


Hi,

If I create a web service to run on a Windows 2003 server under the
Network Service account, will it have access to other server services
elsewhere on my domain?

The scenario is that I have created a web service to query a specified
database. Different departments need the same functionality the
service supplies but need to query different databases. The solution
employed was to copy the service to their own local server and put
data access information in the associated config file. That way they
get the data they want to see and I don't have to duplicate code.

The issue that has now been raised is that as the departments are all
on the same domain and all the services are running as Network Service
then they could possibly connect to a different server and access the
resources (other services) there.

I think I've read somewhere that the Network Service account is a
local account, so does this mean that it can only access resources
locally even though it has network permissions?

Any thoughts?

<M>
 

Roger Abell [MVP]

"<M>" <m_dinnis@hotmail.com> wrote in message
news:025e3672-5064-489f-a0de-b29d18c6ae1a@w7g2000hsa.googlegroups.com...
> Hi,
>
> If I create a web service to run on a Windows 2003 server under the
> Network Service account, will it have access to other server services
> elsewhere on my domain?
>
> The scenario is that I have created a web service to query a specified
> database. Different departments need the same functionality the
> service supplies but need to query different databases. The solution
> employed was to copy the service to their own local server and put
> data access information in the associated config file. That way they
> get the data they want to see and I don't have to duplicate code.
>
> The issue that has now been raised is that as the departments are all
> on the same domain and all the services are running as Network Service
> then they could possibly connect to a different server and access the
> resources (other services) there.
>
> I think I've read somewhere that the Network Service account is a
> local account, so does this mean that it can only access resources
> locally even though it has network permissions?
>
> Any thoughts?
>
> <M>


The answer to your initial question is no, it will not have access,
that is, unless you go to the effort of making it so that it will.
When the Network Service goes "off box", i.e. communicates over
the network, it does so by assuming the domain credentials of the
Local System account (that is domain\machinename$).
So, if there are no grants on the remote machines to that domain
account, then it will not have any access other than what those
remote machines grant to anonymous, to everyone, to guest, to
Domain Computers, to Domain Users, or to Authenticated Users.

On your other questions, yes, Network Service is a local account.
However, it is predefined and so has the same SID on all machines.
The key point is that it uses the System account in order to make
use of network connections.
In your scenario things are really not much different from what
would be if you had defined a domain account, granted it access
to the resources your web service uses and granted it the accesses
needed to log in as the launch account of your web service where
it is installed (except that it would be a little easier to move to
integrated authentication for the database access as you would
have one account instead of one for each Network Service).

Roger
 
M


Roger,

Thanks for the reply. That helps me get my head around this area a
little better. I had a sudden thought one night that I had just
introduced a security flaw into our design, but from what you're
saying, so long as we don't give any of the servers (machinename)
specific rights onto the other servers then all is still well.

Regards,

<M>
 

Roger Abell [MVP]

"<M>" <m_dinnis@hotmail.com> wrote in message
news:840f76f1-1647-4e20-9e7b-9809c6b0f88f@z66g2000hsc.googlegroups.com...
> Roger,
>
> Thanks for the reply. That helps me get my head around this area a
> little better. I had a sudden thought one night that I had just
> introduced a security flaw into our design, but from what you're
> saying, so long as we don't give any of the servers (machinename)
> specific rights onto the other servers then all is still well.
>


Yep, pretty much, but keep in mind the domain groups the machinename$
account is a member of. Feasibly the web service code could be hijacked
and then used to access anything the domain account can, which without any
specifically added grants is all pretty generic stuff accessible by any
account (assuming this is not installed on a domain controller - don't do that).

Roger
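Roger's two points above (the service goes off-box as domain\machinename$, and what it can reach is whatever is granted to that account or to the groups it sits in) can be checked rather than assumed. The script below is an added example, not code from the thread or its authors: it lists the domain groups a given server's computer account belongs to, then reports which ACEs on a resource on another server would apply to it. It assumes the RSAT ActiveDirectory module is available; $SourceServer and $TargetPath are placeholders.

```powershell
# Added example (not from the thread). Which groups does DOMAIN\server$ belong to, and which
# ACEs on a remote path would match it? Assumes the RSAT ActiveDirectory module.
param(
    [string]$SourceServer = 'DEPTWEB01',        # placeholder: box running the service as Network Service
    [string]$TargetPath   = '\\OTHERSRV\Data'   # placeholder: folder or share on another server
)
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).NetBIOSName
$computer = Get-ADComputer -Identity $SourceServer -Properties PrimaryGroup   # SamAccountName is "DEPTWEB01$"

# Transitive group membership via the LDAP_MATCHING_RULE_IN_CHAIN filter, plus the primary
# group (normally Domain Computers), which is not stored in the 'member' attribute.
$groups  = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($computer.DistinguishedName))")
$groups += Get-ADGroup -Identity $computer.PrimaryGroup

# Identities an ACE could match for this caller: the machine account itself, every group it is in,
# and the generic principals any authenticated domain computer satisfies.
$principals = @("$domain\$($computer.SamAccountName)") +
              ($groups | ForEach-Object { "$domain\$($_.SamAccountName)" }) +
              @('Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')

Write-Host "Computer account: $domain\$($computer.SamAccountName)"
Write-Host "Member of: $(($groups | Select-Object -ExpandProperty SamAccountName) -join ', ')"

# NTFS ACL only; share-level permissions on a UNC path must be checked separately.
$acl  = Get-Acl -Path $TargetPath
$hits = $acl.Access | Where-Object { $principals -contains $_.IdentityReference.Value }
if (-not $hits) {
    Write-Host "No ACE on $TargetPath applies to $domain\$($computer.SamAccountName)."
} else {
    Write-Host "ACEs on $TargetPath that apply to the machine account:"
    $hits | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
}
```

Run it once per departmental server against the resources on the other servers; any hit that is not a deliberate grant to Everyone, Authenticated Users or Domain Computers is exactly the kind of access Roger says to keep in mind.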