Windows Services Log-On Accounts

Older versions of Windows Operating Systems (prior to Windows XP and Windows Server 2003) used the Local System account (NT AUTHORITY\LocalSystem) to start Windows services. A Windows service is an application type that runs in the system background without a user interface and is similar to a UNIX daemon process. Some services provide core operating system features, such as event logging, file serving, printing, etc. and need to run under the Local System context, however, there are other services which do not require this elevated context.

With Windows XP and Windows Server 2003 Microsoft introduced two built-in service accounts with reduced privileges so that services that do not require full administrative privileges use these credentials rather than the elevated LocalSystem account. These system accounts - NT AUTHORITY\LocalService and NT AUTHORITY\NetworkService where introduced to reduce the attack surface of systems as a compromised service running under the Local System context could give a malicious user full control of your system!

Where possible use these built-in service accounts with services running on your system or create special accounts with the absolute minimum privileges needed. If you create a new lower-privileged account, make sure that you do not include it as a member in any Administrative user groups you may have on your system.

When you set the account that the service uses to log on and start from the Services snap-in, you do not enter a password for the Local Service or Network Service accounts as the default password for these accounts is an empty string as shown below:


When creating special accounts with least privileges to run services, make sure that these accounts have the Password never expires check box selected in their Properties dialog box and that they have strong passwords.

As you can see in the above image, there is an option that allows the service to interact with the desktop when the Local System account is used. It is recommended that you do not change the Allow service to interact with desktop setting. If you allow the service to interact with the desktop, any information that the service displays on the desktop will also be displayed on an interactive user’s desktop. A malicious user could then take control of the service or attack it from the interactive desktop.