Monday, May 28, 2018

sql server - Windows LocalSystem vs. System



https://stackoverflow.com/questions/510170/the-difference-between-the-local-system-account-and-the-network-service-accou tells:




Local System : Completely trusted
account, moreso than the administrator
account. There is nothing on a single
box that this account can not do and
it has the right to access the network

as the machine (this requires Active
Directory and granting the machine
account permissions to something)"




http://msdn.microsoft.com/en-us/library/aa274606(SQL.80).aspx (Preparing to install SQL Server 2000(64 bit) - Creating Windows Service Accounts) tells:




"The local system account does not
require a password, does not have

network access rights, and restricts
your SQL Server installation from
interacting with other servers.
"




http://msdn.microsoft.com/en-us/library/ms684190(v=VS.85).aspx (LocalSystem Account, Build date: 8/5/2010) tells:




"The LocalSystem account is a
predefined local account used by the

service control manager. This account
is not recognized by the security
subsystem
, so you cannot specify its
name in a call to the
LookupAccountName function. It has
extensive privileges on the local
computer, and acts as the computer on
the network. Its token includes the NT
AUTHORITY\SYSTEM and
BUILTIN\Administrators SIDs
; these

accounts have access to most system
objects. The name of the account in
all locales is .\LocalSystem
. The
name, LocalSystem or
ComputerName\LocalSystem
can also be
used. This account does not have a
password. If you specify the
LocalSystem account in a call to the
CreateService function, any password
information you provide is ignored"





http://technet.microsoft.com/en-us/library/ms143504.aspx
(Setting Up Windows Service Accounts) tells:




Local System is a very high-privileged
built-in account. It has extensive
privileges on the local system and
acts as the computer on the network.

> The actual name of the account is "NT
AUTHORITY\SYSTEM".




Well-known security identifiers in Windows operating systems
( http://support.microsoft.com/kb/243330 )
does not have any SYSTEM at all (but only "LOCAL SYSTEM")







My Windows XP Pro SP3 (with MS SQL Server setup, developing machine in workgroup) does have SYSTEM but not LocalSystem or "Local System".



QUESTIONS:



Can somebody clear out this mess?



It is possible to burn hours after hours, day after day reading MS docs just to collect more and more contradictions and misunderstandings...



1)
Has LocalSystem rights to access the network or not?

What is the mechanism?



2)
Are the SYSTEM and the LocalSystem (and the "Local System") synonyms?



Why they have been introduced?



What are the differences between SYSTEM and Local System



----------




Update1:



Hi, sysamin1138!



Your answers add even more confusion if to compare them to observed reality,
for ex., to the fact that Fresh installed or workgroup Windows XP Pro SP3 has only SYSTEM (but not LocalSystem).



Sysadmin138 wrote:





  • "Different security principles for similar problems, which allow a bit of granularity in your security design. One is local only, the other has domain visibility."



Does this phrase mean that LocalSystem is added upon joining computer to domain?



Should it be understood that SYSTEM is for "local"/internal and workgroup access (computer identification) and LocalSystem for identification of computer in domain?



----------




Update2: same workgroup Windows XP Pro SP3 if not specified otherwise



Hi, Sysadmin1138,
In your Edit




"It's just that in that case SYSTEM
and NT Authority/SYSTEM are equivalent
in ability",





how are they (NT Authority/SYSTEM and SYSTEM) related to LocalSystem? Did not you err one of them with LocalSystem?



Greg Askew,




"Note that if you configure a service
to logon as .\LocalSystem, it will
still appear as logged on as NT
AUTHORITY\SYSTEM in Process Explorer

or System in Task Manager"




This is a little be closer. I cannot choose LocalSystem in either NTFS/share premissions, RunAs list.
But in services.msc the service "SQL Server (MS SQL SERVER)" --> double-click or rc --> Properties ---> tab "Logo on as:" has radiobuttom "Local System account". This service then appears in Windows Task Manager as SYSTEM



Greg Askew and sysadmin1138,



"NT AUTHORITY" or any "xxx\"
does not appear anywhere. All account names are single-labeled. Note it is Windows XP workgroup computer. Though I run an instance of ADAM (Active Directory Application Mode).




I guess "NT AUTHORITY" is from that famous "security subsystem" which is absent in workgroup(?) Would "NT Authority" appear if I join computer to a domain?



NTFS/share permission list has 2 columns:




  • "Name(RDN)" colum having single-label account names

  • "In Folder" column having either MyCompName (eg, for Administrator, Administrators, ASPNET, SQLServerReportServerUser$MyCompName$MSRS10_50.MSSQLSERVER, etc.) or blank (e.g., for ANONYMOUS LOGON, Authenticated Users, CREaTOR GROUP, CREAtOR OWNER, NETWORKING SERVICES,SYSTEM, etc.).




The former ones have also synonyms for coding as "MyCompName\xxxx" or ".\xxx" (i.e.




  • SQLServerReportServerUser$MyCompName$MSRS10_50.MSSQLSERVER =

  • = MyCompName\SQLServerReportServerUser$MyCompName$MSRS10_50.MSSQLSERVER

  • = .\SQLServerReportServerUser$MyCompName$MSRS10_50.MSSQLSERVER)



Can you synchronize your answers in context of http://blogs.msdn.com/aaron_margosis/archive/2009/11/05/machine-sids-and-domain-sids.aspx (Machine SIDs and Domain SIDs)?




----------



Update3: same workgroup Windows XP Pro SP3 if not specified otherwise



Hi, Sysadmin1138,



And how to see edit-history? and dereference SID?



Breakthrough! cacls shows "NT Authority\SYSTEM"...




Though for services it is all vice versa: all services show under "Log On" tab




  • the radiobutton "Local System account" which results in SYSTEM in WIndowsTaskManager and

  • the "This account" radiobutton --> btn "Browse..." that doesn't show the SYSTEM account in the list



Sorry for your time, but I couldn't get yet to any LocalSystem in Windows XP! LocalSystem does not show up anywhere in XP! but the problem that all MS docs dwell only on LocalSystem...



BTW, http://support.microsoft.com/kb/120929 ("How the System account is used in Windows") tells that SYSTEM is for internal to computer logging of services, and surprise-surprise "APPLIES TO" all Windows from NT Workstation 3.1 to Windows Server 2003 except Windows XP(?!).




Is Windows XP some anomaly in Windows line?



----------



Update4: same workgroup Windows XP Pro SP3 if not specified otherwise



I couldn't detect any LocalSystem (only "local system" mentioned in text to radiobutton of services LogOn)in Windows XP though all MS docs usually dwell on LocalSystem only but not SYSTEM. I marked this question as answered having understood for me that Windows XP is anomaly/exception in Windows OS-es having some GUI usability bug and I should guess how a scenario would have appeared in other Windows (with the help of answer(s) here)



If it is not correct, please be free to prove/share another point of view







Update5: same workgroup Windows XP Pro SP3 if not specified otherwise



Venceremos!



I found "Local System" in Windows XP! It is shown in "Log On As" column in services.msc!


Answer



[wiped large answer, summarizing for clarity. See edit-history for sordid tale.]




There is a single well-known SID for the local system. It is S-1-5-18, as you found from that KB article. This SID returns multiple names when asked to be dereferenced. The 'cacls' command-line command (XP) shows this as "NT Authority\SYSTEM". The 'icacls' command-line command (Vista/Win7) also shows this as "NT Authority\SYSTEM". The GUI tools in Windows Explorer show this as "SYSTEM". When you're configuring a Service to run, this is shown as "Local System".



Three names, one SID.



In Workgroups, the SID only has a meaning on the local workstation. When accessing another workstation, the SID is not transferred just the name. The 'Local System' can not access any other systems.



In Domains, the Relative ID is what allows the Machine Account access to resources not local to that one machine. This is the ID stored in Active Directory, and is used as a security principle by all domain-connected machines. This ID is not S-1-5-18. It is in the form of S-1-5-21[domainSID]-[random].



Configuring a service as "Local Service" tells the service to log on locally to the workstation as S-1-5-18. It will not have any Domain credentials of any kind.




Configuring a service as "Network Service" or "NT Authority\NetworkService" tells the service to log on to the domain as that machine's domain account, and will have access to Domain resources. The Windows XP Service Configurator does not have the ability to select "Network Service" as a login type. The SQL Setup program might.



"Network Service" can do everything "Local System" can, as well as access Domain resources.



"Network Service" has no meaning in a Workgroup context.



In short:



NT Authority\System = Local System = SYSTEM = S-1-5-18




If you need your service to access resources not located on that machine, you need to either:




  • Configure it as a Service using a dedicated login user

  • Configure it as a Service using "Network Service" and belong to a domain


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...