Creating Service Accounts
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Like users, services have accounts and authenticate to the network operating system. This ensures that only authorized services are able to complete tasks, and protects against attackers who create unauthorized services to infiltrate network systems.
Most service accounts are created automatically when a service is installed. Similarly, applications that act as services, such as print spoolers or messaging services, create accounts automatically to complete their tasks. Therefore, in general, you do not need to create or modify service accounts. However, if service accounts are deleted accidentally, you must recreate them manually.
Creating service accounts is similar to creating user accounts. The only additional configuration step that is needed is to set the service principal name (SPN) for the account. This needs to be done to ensure mutual authentication. For example, in the case of a web server, a SPN of http/hostname might need to be set for the service account. The SPN can be set for the account by using the Setspn utility. For more information about Setspn, in Help and Support Center for Windows Server 2003, click Tools, and then click Install Windows Support Tools.
There are also built-in service accounts that use the computer account credentials by default for network authentication. These include the LocalSystem account, which was already present in Windows 2000. However, LocalSystem is a privileged account and should be used only when required.
Windows Server 2003 includes the following new security contexts to provide a means by which you can further secure network service accounts:
LocalService. This context is intended for services that run with limited access on local computers and do not require network authentication. In this way, a compromised service can do limited damage to the local computer and no damage to network computers.
NetworkService. This context is intended for services that need to complete tasks on the network, but require only restricted local capabilities.