Monday, January 21, 2019

windows - What does it mean to grant/set permissions for NETWORK SERVICE on a network share?



I'm confused about the NETWORK SERVICE account (group?) works on network shares:



On one hand, NETWORK SERVICE is generally described as an account that's local to a given machine. (See, e.g., here on serverfault or in Microsoft's Access Control in IIS 6.0 document.) So it's not a domain-wide account. And, for instance, if a process running under NETWORK SERVICE on SERVERA tries to request a resource on SERVERB, the authentication won't be under some hypothetical MYDOMAIN\NETWORK SERVICE, but rather under MYDOMAIN\SERVERA$. (The latter is known as SERVERA's "computer account".)



On the other hand, I've noticed I can go to a remote file share where I have admin rights, and set permissions on a particular directory for NETWORK SERVICE. (e.g. I can go to \\MYSHARE in Windows Explorer, right-click one of the directories, go to Security > Edit > Add, type "NETWORK SERVICE" in the "Enter the object names to select" box and click OK. Now I have a new NETWORK SERVICE entry in the list of "Group or user names", and I can change the permissions for it, just like I might change permissions for the "Users" group.)




If NETWORK SERVICE is strictly a machine-by-machine account, I don't understand what is supposed to happen when I create a set of permissions for NETWORK SERVICE on a remote share. Does that entry refer to NETWORK SERVICE on one particular (unspecified) machine? To judge by the icon, the permissions are technically for a NETWORK SERVICE group, rather than than a NETWORK SERVICE user. But I can't seem to find any documentation for a NETWORK SERVICE group or how it might work compared to a regular domain group.



My only guess so far is that, if you grant access to the NETWORK SERVICE group (assuming there is such a thing), this amounts to granting access to all the "computer accounts" on the whole domain. (That is, giving permissions to NETWORK SERVICE on a central file server would be the same as giving permissions to MYDOMAIN\SERVERA$, MYDOMAIN\SERVERB$, MYDOMAIN\SERVERC$, ..., MYDOMAIN\MYLASTSERVER$.)


Answer



NETWORK SERVICE is a well known account. It has the same SID on every machine. You are correct that NETWORK SERVICE on MachineA will not authenticate as NETWORK SERVICE on MachineB. It's not a group, it is an account.



It's very rare that you would be setting NETWORK SERVICE permission (share or NTFS) on a share. This would only be necessary if a service on the local machine, running under the credentials of NETWORK SERVICE, was trying to connect to that share on the local host.



When a service logging on as NETWORK SERVICE tries to connect to a remote machine the credentials of the local machine will be used. So if a service is running on MachineA in the domain example.com then that service would connect to MachineB as Machine@example.com (or example\MachineA if you like NetBIOS style names).



No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...