Managing Accounts and Privileges

Applies To: Windows Server 2008

By default, the Microsoft Distributed Transaction Coordinator (MS DTC) runs under the Network Service account, which is specifically designed to allow services such as the Distributed Transaction Coordinator service (MSDTC) to run with the appropriate set of privileges and a minimized risk of attack.

The Network Service account provides the following privileges to the MS DTC:

  • Exclusive access to the MS DTC log

    Because the MS DTC log stores the outcomes of transactions, tampering with the log can cause serious data corruption in a resource manager's database. In addition, the MS DTC log stores XA open strings (which are currently encrypted) that can include passwords for accessing XA databases. Therefore, only the MS DTC has write access to the MS DTC log.

    You can use the Component Services snap-in to change the location of the MS DTC log. The default location is %windir%\system32\MSDtc, but you can change this to any directory that resides on a fixed drive on the local computer. When the log is moved, a new access control list (ACL) is automatically added to the new directory, specifying that only users that are logged in as Network Service can access this directory.

  • Exclusive access to the MS DTC registry settings

    The registry stores several types of MS DTC information that must be kept safe to avoid tampering or serious data corruption of the resource manager's database. This information includes the name of the MS DTC log, security settings, communication contact information, and other configuration data. The MS DTC has read-only access to the registry settings.

  • Access to the Cluster service

    The MS DTC must be run under an account that has access to the Cluster service. Network Service is automatically granted full access to the cluster when the cluster is installed.