Service isolation in Windows is available after Windows Vista and Server 2008, allowing administrators to control the use of local resources (such as files, registry, and so on). Before the Windows version, the system built up a number of high-privileged service accounts, we are familiar with the local System,network,localservice
In order to minimize the use of permissions, usually we need to create an account to give the minimum permissions, and then configure the service to run with this account, but if the service is more, then there are many accounts to maintain, and if you have a strict password policy, such as regularly to change the service account password, it is really a headache.
The Service SID in Window (another salutation, virutal account) can be enabled for each service, which allows the administrator to isolate the resources used by the service against the services SID. You do not have to maintain the password for the service account. The service SID account accesses the network resource using the credentials that are the computer account, domainname\computername$.
Create a service ID to use
SC Sidtype <service_name> Unrestricted
SC sidtype <service_name> restricted
Of course, you can also use SC qsidtype <serviec_name> to query the service SID, which I'm querying against Microsoft's scom Agent health service.
650) this.width=650; "title=" C73fb824-d433-4e5c-9906-abf63bab90a1snip "style=" border-top:0px; border-right:0px; Background-image:none; border-bottom:0px; padding-top:0px; padding-left:0px; border-left:0px; padding-right:0px "border=" 0 "alt=" C73fb824-d433-4e5c-9906-abf63bab90a1snip "src=" http://s3.51cto.com/wyfs02/M02/ 86/69/wkiol1e-wbytfolnaaaoceoz9yo810.png "" 381 "height=" 176 "/>
There are three kinds of sidtype
The service SID is a string of SHA1 hashes when the services are configured to use the server SID (regardless of restricted or unrestricted). If you want to see the specific value of this SID, you can use the
SC showsid <servicename>
650) this.width=650; "title=" C140be01-2a35-435b-b609-ef83cdacd1afsnip "style=" border-top:0px; border-right:0px; Background-image:none; border-bottom:0px; padding-top:0px; padding-left:0px; border-left:0px; padding-right:0px "border=" 0 "alt=" C140be01-2a35-435b-b609-ef83cdacd1afsnip "src=" http://s3.51cto.com/wyfs02/M02/ 86/69/wkiom1e-wb3bgvdjaaakvbku4n4019.png "" 630 "height=" 172 "/>
Then let's see Wsearch's execution account configured as Local System account
650) this.width=650; "title=" D7699158-e4ed-4a5f-a4c4-790520508de0snip "style=" border-top:0px; border-right:0px; Background-image:none; border-bottom:0px; padding-top:0px; padding-left:0px; border-left:0px; padding-right:0px "border=" 0 "alt=" D7699158-e4ed-4a5f-a4c4-790520508de0snip "src=" http://s3.51cto.com/wyfs02/M02/ 86/69/wkiol1e-wb6z-y_yaaanfgrt9t8956.png "" 472 "height=" 310 "/>
What does this service SID do, take SQL Server, for example, the previous version of SQL Server R2 will leave the local System account in the database sysadmin by default, but after SQL Server 2012 is not released, then Before if you have a service running in the local system account, such as our scom monitoring service access to SQL should be no permissions problem, but on SQL Server 2012, you may need additional settings, because this time will not have permissions. At this point I assume that you have enabled the service SID for the Scom Monitoring Client service, and the NT Service\healthservice token will be added to the HealthService service process, if you create NT in SQL alone Service\healthservice login, and give the appropriate permissions, the HealthService is running in the local system account, but he can access SQL. Then you may have another service B is also running with the local System account, but this SQL permission only gives the HealthService service, and this service B does not have access to SQL. (Prior to the absence of a service SID, you might have a single brain power to the local system, and all services that use the Local system login have access to SQL).
So where does the service SID work? This is the ultimate purpose of this article. If you use scom to monitor SQL, then you may have a headache with the problem of performing account management for later SQL Server. This problem can be easily solved by using the service SID, and then there are individuals who specifically created a Management pack that can monitor the HealthService service SID on the machine with SQL Server on, You can then use the recovery task to turn it on (this restore task is disabled by default). You can then also monitor the HealthService SID account for any database permissions. Refer to this link:
Windows built-in System account permissions and role reference:
LocalService Account (preferred)
A Limited Service account, very similar to Network service, and meant to run, standard least-privileged services. However, unlike network Service it has have
no ability to access the Network
as the machine accesses the net Work as an Anonymous user.
mango$) to remote servers
NETWORK SERVICEinto the Select User or Group dialog
Limited service account, which is meant to run, standard least-privileged services. This account was far more limited than Local System (or even Administrator) but still have the right to access the network a s the machine (see caveat above).
LocalSystem Account (dangerous, don ' t use!)
.\LocalSystem(can also use
HKCUrepresents the default user)
MANGO$) to remote servers
Services isolation and Service SID (Virtual account) in Windows