Service Logon Accounts

A service, like any process, has a primary security identity that determines the access rights and privileges that the service has to local and network resources. This security identity (or security context) also determines the potential the service has for doing damage to resources on the local computer and the network.

The security context for a Microsoft® Win32® service is determined by the logon account used to start the service. This chapter covers programming issues and best practices relating to the service logon account used by Win32 services, with a focus on directory-enabled services. This chapter includes the following topics:

• An overview of service logon accounts and security context programming issues for a Win32 service.
• Guidelines for selecting a logon account for a Win32 service.
• Setting up a service's user account
• Installing a service on a host computer and specifying the service's logon account.
• Granting the service's user account the logon as a service right on the host computer. .
• Detecting at installation time whether the service instance is being installed on a domain controller.
• Setting and maintaining ACEs and group memberships to ensure that the system will grant the running service access to the necessary local and network resources.
• Changing the password on a service's user account, and at the same time updating the password registered with the service control manager on each host server on which the service is installed.
• Maintaining service principal name (SPN) registration on the directory object associated with the logon account of each instance of your service. SPNs enable clients to authenticate a service using Kerberos mutual authentication. For more information, see Mutual Authentication Using Kerberos.
• Converting domain account name formats, for example, converting a distinguished name to domain\username format, and vice versa.