A domain user account enables the service to take full advantage of the service security features of Microsoft® Windows 2000 and Microsoft Active Directory®. The service has whatever local and network access is granted to the account, or to any groups of which the account is a member. The service can support Kerberos mutual authentication.
The advantage of using a domain user account is that the service's actions are limited by the access rights and privileges associated with the account. Unlike bugs in a LocalSystem service, bugs in a user-account service cannot damage the system. If the service is compromised by a security attack, the damage is limited to the operations that the system allows the user account to perform. At the same time, clients running at varying privilege levels can connect to the service, which enables the service to impersonate a client to perform sensitive operations.
Be aware that a service's user account should not be a member of any administrators group, whether local, domain, or enterprise. If your service needs local administrative privileges, run it under the LocalSystem account. For operations that require domain administrative privileges, impersonate the security context of a client application.
A service instance that uses a domain user account requires periodic administrative action to maintain the account password. The service control manager (SCM) on the host computer of a service instance caches the account password for use in logging on the service. Therefore, when you change the account password, you must also update the cached password on every host computer where the service is installed. For more information and a code example, see Changing the Password on a Service's User Account. You could avoid the regular maintenance by leaving the password unchanged, but that would increase your vulnerability to a password attack on the service account. Be aware that even though the SCM stores the password in a secure portion of the registry, it is nevertheless subject to attack.
A domain user account has two name formats that programmers must handle for various operations: the distinguished name of the user object in the directory and the domain\username format used by the local service control manager. For more information and a code example that converts from one format to the other, see Converting Domain Account Name Formats.
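The password-maintenance step and the name-format handling described in the two preceding paragraphs, as an added PowerShell example that is not from this page or its referenced samples. It assumes the ActiveDirectory module and the Microsoft.PowerShell.LocalAccounts cmdlets are available on the host, and the `$ServiceName` and `$Credential` parameters are the script's own.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# and the local-accounts cmdlets (Get-LocalGroupMember) are available, and that the
# script runs with rights to reset the account password and reconfigure the service.
param(
    [Parameter(Mandatory)] [string] $ServiceName,
    [Parameter(Mandatory)] [pscredential] $Credential   # DOMAIN\username and the new password
)

# Win32_Service.StartName holds the domain\username form the local SCM logs on with.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed on this host." }
if ($svc.StartName -ne $Credential.UserName) {
    throw "Service runs as '$($svc.StartName)', not '$($Credential.UserName)'."
}

# The directory side uses the user object's distinguished name; Get-ADUser accepts
# the SAM account name and returns the DN, so convert before querying group membership.
$sam  = $Credential.UserName.Split('\')[-1]
$user = Get-ADUser -Identity $sam
Write-Verbose "Account DN: $($user.DistinguishedName)"

# A service account must not sit in any administrators group: local, domain or enterprise.
foreach ($group in 'Administrators', 'Domain Admins', 'Enterprise Admins') {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    if ($members.SamAccountName -contains $sam) {
        throw "$sam is a member of '$group'; run the service as LocalSystem or impersonate a client instead."
    }
}
$localAdmins = Get-LocalGroupMember -Group 'Administrators'
if ($localAdmins.Name -contains $Credential.UserName) {
    throw "$($Credential.UserName) is in the local Administrators group on this host."
}

# Step 1: change the password on the account object in Active Directory.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $Credential.Password

# Step 2: update the password the SCM cached for this service instance; without this
# the service fails to log on at its next start. Repeat on every host that runs the service.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartPassword = $Credential.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)."
}
Write-Output "Password for $($Credential.UserName) updated in AD and in the SCM cache for '$ServiceName'."
```

Running the script on each host that has an instance of the service keeps the SCM caches in step with the directory, which is the maintenance the text warns about.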