I've created a Windows service that monitors files on a specific directory on our Windows OS. When a file is detected, the service does some file I/O, reads the files, creates sub-directories, etc. This service also uses database connectivity to connect to another server. My plan is to have the service run as the default "Local Service" account. Since I need to allow write/read privileges, which apparently the "Local Service" account does not do by default, I'm going to explicitly set "Full Control" privileges for the "Local Service" account on the folder that I'm reading/writing to and from.
I believe the above is a good . My question is, for the folder that I'm reading and writing to, do I need to set up a "Network Service" role with full control access? I'm wondering since my service uses database connectivity to another server, if I'll need the "Network Service" account set up.
I may be misunderstanding what the "Network Service" account does.
Best Answer
The NT AUTHORITY\NetworkService account is only needed when you're communicating with other computers in a domain that need your machine's credentials for access control. It is not required for simple Internet/network access. It is only necessary for specific purposes in an Active Directory domain.
Also, the entire point of the NT AUTHORITY\LocalService account is that it has minimum privileges on the system. Giving it more privileges decreases the security of the many services on your system designed to run at the low privilege level it was designed to proffer. If your service requires privileges above and beyond those, you should create a new account for it with the necessary privileges and set that account in the Log On tab of the service's properties. (This can also be done programmatically.)
You could also run it using the NT AUTHORITY\LocalSystem account, which has unlimited access to your system, but I assume you wanted to use the LocalService account for the increased security it provides.
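The dedicated-account approach from the answer above, done programmatically; this is an added example, not part of the original answer. The service name `FileWatcherSvc`, the folder `D:\Inbox` and the local account `svc-filewatcher` are hypothetical, and the account is assumed to exist already and to hold the "Log on as a service" right. The example grants Modify rather than Full Control, since Modify covers reading, writing and creating sub-directories without the right to change permissions or take ownership.

```powershell
#Requires -RunAsAdministrator
# Added example: all three names below are hypothetical placeholders.
$ServiceName = 'FileWatcherSvc'
$WatchFolder = 'D:\Inbox'
$Account     = "$env:COMPUTERNAME\svc-filewatcher"

# 1. Grant the dedicated account Modify on the watched folder only,
#    inherited by the files and sub-directories the service creates.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $WatchFolder
$acl.AddAccessRule($rule)          # adds to the existing ACL, replaces nothing
Set-Acl -Path $WatchFolder -AclObject $acl

# 2. Set the service's logon identity (the programmatic equivalent of the
#    Log On tab). The password is prompted for, never stored in the script.
$cred = Get-Credential -UserName $Account -Message "Password for $Account"
$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with code $($result.ReturnValue)."
}

# 3. Verify: show the account's rights on the folder and the service identity.
(Get-Acl -Path $WatchFolder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State

# The new identity takes effect the next time the service starts.
Restart-Service -Name $ServiceName
```

Because the ACL entry names only this account, other services that run as LocalService gain no access to the folder.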