Care must be taken when granting elevated privileges to user accounts and programs in Windows systems, as such permissions can be leveraged by malicious users or programs!
For instance, assigning a user data backup privileges or the ability to change the system time will bypass many access checks. With these privileges a user is capable of reading all files and traversing all directories. A program may change the system time in order to cause Kerberos authentication to fail. In Windows 7, as in previous and later systems, some privileges are considered very critical to the security of systems, and it is recommended to take the necessary measures to prevent unnecessary accounts or programs from gaining such privileges.
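One way to check who actually holds these two privileges, as an added example that is not part of the original article: the script parses the `[Privilege Rights]` section of a policy export produced with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and reports holders of `SeBackupPrivilege` and `SeSystemtimePrivilege` (the Windows names for the backup and change-system-time rights) that fall outside a baseline. The baseline of built-in groups and the sample export, including the account `svc_reports` and the domain SID, are constructed assumptions.

```python
# Critical rights named in the text, mapped to the holders we expect to see.
# The baseline is an assumption (built-in principals only); adapt it to your policy.
BASELINE = {
    "SeBackupPrivilege": {"S-1-5-32-544", "S-1-5-32-551"},  # Administrators, Backup Operators
    "SeSystemtimePrivilege": {"S-1-5-32-544", "S-1-5-19"},  # Administrators, LOCAL SERVICE
}

# Constructed sample of a secedit USER_RIGHTS export (not taken from a real host).
# A real export is a UTF-16 file: read it with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,svc_reports
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: set(holders)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs carry a '*' prefix; account names that were not mapped to a SID appear bare.
        holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
        rights[name.strip()] = holders
    return rights

def unexpected_holders(inf_text, baseline=BASELINE):
    """Return {privilege: sorted holders outside the baseline} for the critical rights."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for priv, allowed in baseline.items():
        extra = sorted(rights.get(priv, set()) - allowed)
        if extra:
            findings[priv] = extra
    return findings

if __name__ == "__main__":
    for priv, who in unexpected_holders(SAMPLE_INF).items():
        print(f"{priv}: review {', '.join(who)}")
```

Each reported holder is an account or group to justify or remove from the corresponding user right.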
Older versions of the Windows operating system (prior to Windows XP and Windows Server 2003) used the Local System account (NT AUTHORITY\LocalSystem) to start Windows services. A Windows service is an application type that runs in the system background without a user interface and is similar to a UNIX daemon process. Some services provide core operating system features, such as event logging, file serving, printing, etc., and need to run under the Local System context; however, there are other services that do not require this elevated context.
Sometimes you may need to run a command in the System context, especially when you are troubleshooting a problem that requires that context to execute and return results. The Local System context, which is normally a protected layer for the operating system to execute services, can be accessed using a privileged service account called NT AUTHORITY\SYSTEM or LocalSystem. If a service running in the Local System context is compromised, then your system is at risk!
Don’t discard the security benefits of User Account Control (UAC). UAC is a built-in Windows 7 tool that protects your system, but more importantly, it is a security feature that informs you when an action requires elevation of privileges.
UAC is a security feature of Windows 7 that informs you when the action that you want to undertake requires an elevation of privileges. It is a common practice, and actually a bad one, to log in with a user account that has administrator privileges. For instance, a user account that is a member of the local administrators group is used as a normal user account in day-to-day operations such as Internet browsing! Administrative user accounts are intended for tasks related to administration, and running your computer in this mode permanently presents a security risk because any program run by the user in this mode runs with the rights and privileges of an administrator.