B.2.1 Disadvantages Of Running A Service In The Context Of A User Logon - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

Logon Account
Local Service Account
Network Service Account
B.2.1 Disadvantages of running a service in the context of a
user logon
1 The account must be created before the service can run. If the setup program for the service
creates the account, Setup must run from an account that has sufficient administrative
credentials to create accounts in the directory service.
2 Service account names and passwords are stored on each computer on which the service is
installed. If the password for a service account on a computer is changed or expires, the service
cannot start on that computer until the password is set to the new password for that service. The
recommendation is to use LocalService and Network Service instead of using an account that
requires a password: this simplifies password management.
3 If a service account is renamed, locked out, disabled, or deleted, the service cannot start on that
computer until the account is reset.
Because of the above disadvantages, Novell has tested out running Sentinel service under NT
AUTHORITY\NetworkService account. NT AUTHORITY\LocalService account does not have
enough privilege for this purpose, because DAS processes need to communicate to database server
on the network.
NOTE: Novell has tested and recommends choosing Network Service account option.
194 Sentinel 6.1 Reference Guide
Description
The Local Service account is a special built-in account that is similar to an
authenticated user account. The Local Service account has the same level
of access to resources and objects as members of the Users group. This
limited access helps safeguard your system if individual services or
processes are compromised. Services that run as the Local Service
account access network resources as a null session with no credentials.
Local Service account is a predefined local account that is used to start a
service and provide the security context for that service. The name of the
account is NT AUTHORITY\LocalService. The Local Service account has
limited access to the local computer and Anonymous access to network
resources.
The Network Service account is a special, built-in account that is similar to
an authenticated user account. The Network Service account has the
same level of access to resources and objects as members of the Users
group. This limited access helps safeguard your system if individual
services or processes are compromised. Services that run as the Network
Service account access network resources using the credentials of the
computer account.
Network Service account is a predefined local account that is used to start
a service and provide the security context for that service. The name of the
account is NT AUTHORITY\NetworkService. The Network Service account
has limited access to the local computer and authenticated access (as the
computer account) to network resources.