Service isolation in Windows has been available since Windows Vista and Windows Server 2008. It lets administrators control which local resources (files, registry keys, and so on) a service can use. Before those versions, the system relied on a small set of high-privileged service accounts: the familiar LocalSystem, NetworkService and LocalService.
To minimise permissions, the usual practice is to create a dedicated account with the minimum rights and configure the service to run as that account. With many services this means many accounts to maintain, and if you have a strict password policy (for example, rotating service account passwords regularly) it becomes a real headache.
The service SID in Windows (also called a virtual account) can be enabled per service. It lets the administrator isolate the resources a service uses by granting access to the service SID instead of to a shared account, and there is no service account password to maintain. When the service SID account accesses network resources it uses the computer account's credentials, domainname\computername$.
To enable a service SID for a service, use one of:
SC sidtype <service_name> unrestricted
SC sidtype <service_name> restricted
You can also query a service's SID type with SC qsidtype <service_name>. Here I am querying Microsoft's SCOM agent HealthService.
There are three SID types:
- None (0x0): the service does not have a per-service SID. This is the default.
- Unrestricted (0x1): the service has a per-service SID.
- Restricted (0x3): the service has a per-service SID and a write-restricted token, so it can only write to objects that explicitly grant write access to the service SID.
When a service is configured to use a service SID (restricted or unrestricted), the SID is a string built from a SHA-1 hash. To see the actual value of the SID, use
SC showsid <service_name>
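The following PowerShell is an added example, not code from the original post. It shows how the SID value that SC showsid prints is derived (Windows builds a service SID as S-1-5-80- followed by the SHA-1 hash of the upper-cased, UTF-16LE service name, read as five 32-bit values), compares the computed value with what sc.exe reports, and wraps the sidtype commands above. The service name HealthService is assumed to exist on the machine; substitute your own.

```powershell
# Added example (not from the original post): derive a per-service SID the way
# Windows does, compare it with "sc showsid", and wrap "sc sidtype".
# Assumption: a service named HealthService exists; adjust $svc otherwise.

function Get-ServiceSid {
    # A service SID is S-1-5-80-<five 32-bit values>; the five values are the
    # SHA-1 hash of the service name (upper-cased, UTF-16LE) read as little-endian
    # DWORDs. It depends only on the name, so it is identical on every machine.
    param([Parameter(Mandatory)][string]$ServiceName)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    try   { $hash = $sha1.ComputeHash($bytes) } finally { $sha1.Dispose() }
    $subAuthorities = for ($i = 0; $i -lt $hash.Length; $i += 4) {
        [BitConverter]::ToUInt32($hash, $i)
    }
    return 'S-1-5-80-' + ($subAuthorities -join '-')
}

function Get-ServiceSidType {
    # Current setting as recorded by the Service Control Manager, e.g.
    # "SERVICE_SID_TYPE:  UNRESTRICTED".
    param([Parameter(Mandatory)][string]$ServiceName)
    $line = & sc.exe qsidtype $ServiceName | Where-Object { $_ -match 'SERVICE_SID_TYPE' }
    if ($line) { return ([string]$line).Trim() } else { return 'SERVICE_SID_TYPE: (unknown)' }
}

function Enable-ServiceSid {
    # Switch a service to the unrestricted (or restricted) SID type. sc.exe only
    # records the setting; the SID is put into the process token on the next
    # service start, so the service is restarted here. Needs an elevated session.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [ValidateSet('unrestricted', 'restricted', 'none')][string]$Type = 'unrestricted'
    )
    & sc.exe sidtype $ServiceName $Type | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sidtype failed for $ServiceName (exit $LASTEXITCODE)" }
    Restart-Service -Name $ServiceName
}

$svc = 'HealthService'
$reported = & sc.exe showsid $svc | Where-Object { $_ -match 'SERVICE SID' }
"Computed : " + (Get-ServiceSid $svc)
"Reported : " + ([string]$reported).Trim()
"Sid type : " + (Get-ServiceSidType $svc)
# To turn isolation on for the service (elevated session):
# Enable-ServiceSid -ServiceName $svc -Type unrestricted
```

The computed and reported SIDs match only once sc showsid recognises the name; the sidtype setting itself does not change the SID value, it decides whether the SID is added to the service's token. Because the change is applied at service start, a check that a service is "isolated" should look at the running process token (for example with whoami /groups from inside the service) and not only at the stored setting.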
For comparison, the WSearch service's logon account is configured as the Local System account.
What does a service SID do? Take SQL Server as an example. The previous version, SQL Server 2008 R2, left the Local System account in the sysadmin role by default, but from SQL Server 2012 on that is no longer the case. Previously, a service running as Local System (such as our SCOM monitoring service) could access SQL without any permissions problem; on SQL Server 2012 it has no permissions, so additional configuration is needed. Now suppose you have enabled the service SID for the SCOM monitoring client service: the NT SERVICE\HealthService SID is added to the HealthService process token. If you create a login for NT SERVICE\HealthService in SQL and give it the appropriate permissions, HealthService, although still running as Local System, can access SQL. Another service B that also runs as Local System does not get that access, because the SQL permission was granted only to the HealthService SID. (Without service SIDs you would have had to grant rights to Local System itself, and every service logging on as Local System would have had access to SQL.)
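The grant described above, as an added PowerShell example (not the post's own code): it creates a SQL Server login for the virtual account NT SERVICE\<service>, maps it into one database with a least-privilege role, and then checks from the SQL side that the login exists and that NT AUTHORITY\SYSTEM itself is not a sysadmin. It assumes the SqlServer module (Invoke-Sqlcmd) is available and the caller is a SQL sysadmin; the instance, database and role names are placeholders, and the role set a given service really needs is not something this page specifies.

```powershell
# Added example (not from the original post): grant a service SID, rather than
# Local System, access to a SQL Server instance.
# Assumptions: SqlServer module (Invoke-Sqlcmd) installed, caller is sysadmin,
# instance/database/role names below are placeholders.

function Grant-ServiceSidSqlAccess {
    param(
        [Parameter(Mandatory)][string]$ServiceName,     # e.g. HealthService
        [Parameter(Mandatory)][string]$ServerInstance,  # e.g. SQL01 or SQL01\INSTANCE
        [Parameter(Mandatory)][string]$Database,
        [string[]]$DatabaseRoles = @('db_datareader')   # least privilege; widen only if the service needs it
    )
    # The login name is the virtual account name, not the S-1-5-80 string;
    # SQL Server resolves it through Windows.
    $login = "NT SERVICE\$ServiceName"

    $createLogin = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $createLogin

    # ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later, which is the
    # version from which Local System stopped being sysadmin by default.
    $roleSql = ($DatabaseRoles | ForEach-Object { "ALTER ROLE [$_] ADD MEMBER [$login];" }) -join "`n"
    $createUser = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
$roleSql
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $createUser
}

function Test-ServiceSidSqlAccess {
    # Show the service login next to NT AUTHORITY\SYSTEM so it is obvious that
    # only the service SID, not every Local System service, has been granted access.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$ServerInstance
    )
    $login = "NT SERVICE\$ServiceName"
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
SELECT name, type_desc, IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE name IN (N'$login', N'NT AUTHORITY\SYSTEM');
"@
}

# Usage (placeholders for instance and database):
# Grant-ServiceSidSqlAccess -ServiceName HealthService -ServerInstance 'SQL01' -Database 'MonitoringDb'
# Test-ServiceSidSqlAccess  -ServiceName HealthService -ServerInstance 'SQL01'
```

The login is created FROM WINDOWS with the virtual account name; SQL Server stores the S-1-5-80 SID for it, which is why the grant follows the service and not the account the service logs on as. If the service SID type is still None, the SID is absent from the process token and the connection is evaluated as plain Local System, so enabling the SID type and restarting the service has to happen before this grant is useful.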
So where is the service SID useful in practice? That is the real point of this article. If you use SCOM to monitor SQL Server, managing the Run As accounts for each SQL Server instance later on can be a headache. Service SIDs solve this neatly, and someone has written a management pack that monitors whether the HealthService service SID is enabled on machines running SQL Server; a recovery task (disabled by default) can then turn it on. It can also monitor whether the HealthService SID account has the required database permissions. See this link:
https://gallery.technet.microsoft.com/SQL-Server-RunAs-Addendum-0c183c32#content
Windows built-in service account permissions and roles, for reference:
LocalService account (preferred)
- Name: NT AUTHORITY\LocalService
- The account has no password (any password information provided is ignored)
- HKCU represents the LocalService user account
- Has minimal privileges on the local computer
- Presents anonymous credentials on the network
- SID: S-1-5-19
- Has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-19)
A limited service account, very similar to NetworkService, meant to run standard least-privileged services. Unlike NetworkService, however, it has no ability to access the network as the machine; it accesses the network as an anonymous user.
NetworkService account
- Name: NT AUTHORITY\NetworkService
- The account has no password (any password information provided is ignored)
- HKCU represents the NetworkService user account
- Has minimal privileges on the local computer
- Presents the computer's credentials (e.g. mango$) to remote servers
- SID: S-1-5-20
- Has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-20)
- If you want to schedule a task using it, enter NETWORK SERVICE in the Select User or Group dialog
A limited service account meant to run standard least-privileged services. This account is far more limited than Local System (or even Administrator) but still has the right to access the network as the machine (see the caveat above).
LocalSystem account (dangerous, don't use!)
- Name: .\LocalSystem (can also use LocalSystem or ComputerName\LocalSystem)
- The account has no password (any password information provided is ignored)
- SID: S-1-5-18
- Does not have any profile of its own (HKCU represents the default user)
- Has extensive privileges on the local computer
- Presents the computer's credentials (e.g. MANGO$) to remote servers
http://windowsitpro.com/security/q-how-can-security-windows-service-benefit-service-isolation-feature-how-can-i-set-service-
https://blogs.technet.microsoft.com/voy/2007/03/22/per-service-sid/
https://support.microsoft.com/en-us/kb/2620201
http://thoughtsonopsmgr.blogspot.com/2014/09/sql-mp-challenge-run-as-accounts.html
Services isolation and Service SID (Virtual account) in Windows