Logon As A Service
Nodinite consists of several Windows Services that you install on one or more servers. Depending on the features they provide, these Windows Services need different access rights on Windows Servers, databases, queues and other resources. This page explains the least privilege a Windows Service needs in order to run on Windows Server, and how to grant it.
We, the people behind Nodinite, have designed most of our Monitoring Agents with least privilege in mind, so that they run with the minimum permissions required.
- Each Windows Service can run under the same account, or you can use a different account for each installed instance
- Separate accounts mean more administration
- Separate accounts let you fine-tune the rights of each service as needed
- Some Monitoring Agents require the account to be a member of the local Administrators group; see the prerequisites page for each agent to learn the specific rights it needs
- Use dedicated service accounts, not accounts assigned to physical persons
- Set the 'Password never expires' option on the service accounts, so that a password expiry does not stop the services
- Document which account each service uses, and keep the passwords in your organization's password vault
Only processes with administrator privileges can open handles to the Service Control Manager (SCM) with the access needed by the CreateService and LockServiceDatabase functions (see the Microsoft 'Service Security and Access Rights' article for details). This is why installing or registering a Windows Service requires an elevated session; it is separate from the rights the installed service needs at run time, which are described below.
The minimum user right required to run a Windows Service is 'Log on as a service' (internally SeServiceLogonRight). It is a user rights assignment that an administrator sets either in the Local Security Policy of the server or at the domain level through Group Policy.
This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service or Network Service accounts, which have the built-in right to log on as a service. Any service that runs under a separate user account must be assigned the right explicitly.
Note: Membership in the local Administrators group does not grant this right, and in the default Local Security Policy no user accounts are listed for it (the setting shows None, or only NT SERVICE\ALL SERVICES on newer Windows versions) (!). The account must therefore be granted the right explicitly. The Services console (services.msc) adds it automatically when you set a service's Log On account, but if a domain Group Policy defines this setting, the Group Policy list replaces the local one, so the account must be added there as well.
- Open Administrative Tools in Control Panel
- Open Local Security Policy
- Under Local Policies, User Rights Assignment, add the account to the policy 'Log on as a service'. The right is evaluated when the account logs on, so if a service is already running under the account, restart it to pick up the new right.
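As an added example (not part of the original Nodinite documentation), the following PowerShell script performs the check and the grant from the steps above without the GUI. It uses secedit to export the User Rights area of the local security policy, looks for the account's SID on the SeServiceLogonRight line, and with -Grant writes the right back while preserving every existing holder. The account name is an assumption; replace it with your own service account. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Nodinite code): check, and optionally grant, the
# 'Log on as a service' right (SeServiceLogonRight) for one account on the
# local server using secedit. Run from an elevated PowerShell prompt.
param(
    [string]$Account = 'CONTOSO\svc-nodinite-monitoring',  # assumed example account
    [switch]$Grant
)

$ErrorActionPreference = 'Stop'

# Resolve the account to its SID; secedit stores SIDs prefixed with '*'.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the current local policy; user rights live under [Privilege Rights].
$export = Join-Path $env:TEMP 'user-rights-export.inf'
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null

# secedit writes the file as UTF-16 with a BOM, which Get-Content detects.
$line = Get-Content $export |
        Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1

$current = @()
if ($line) {
    $value   = ($line -split '=', 2)[1]
    $current = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Entries are normally '*<SID>', but account names can also appear; accept both.
$hasRight = ($current -contains "*$sid") -or ($current -contains $Account)

if ($hasRight) {
    Write-Output "$Account already holds SeServiceLogonRight on $env:COMPUTERNAME"
}
elseif (-not $Grant) {
    Write-Output "$Account does NOT hold SeServiceLogonRight; re-run with -Grant to add it"
}
else {
    # Keep every existing holder and append the new SID. Writing only the new
    # SID would silently revoke the right from every other service account.
    $newList = (@($current) + "*$sid") -join ','
    $inf = Join-Path $env:TEMP 'grant-service-logon.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $newList
"@ | Set-Content -Path $inf -Encoding Unicode

    # /areas USER_RIGHTS limits the change to user rights assignments only.
    $db = Join-Path $env:TEMP 'grant-service-logon.sdb'
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Write-Output "Granted SeServiceLogonRight to $Account; restart the service so it logs on with the new right"
    Remove-Item $inf -ErrorAction SilentlyContinue
}

Remove-Item $export -ErrorAction SilentlyContinue
```

Run the script once without -Grant to audit the server, and with -Grant to apply the change. On a domain-joined server where a Group Policy defines 'Log on as a service', the local grant is overwritten at the next policy refresh, so in that case add the account to the GPO instead of relying on this script.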
Nodinite Service Accounts are used for:
- Monitoring Service - Shared or specific Windows Service Account
- Logging Service - Shared or specific Windows Service Account
- Monitoring Agents - Shared or specific Windows Service Account and, for some agents, access to the Monitoring Agent's database (see the prerequisites page for each agent)
- Logging Agents - Shared or specific Windows Service Account, sometimes with read/write access to the Configuration Database
Note: The IIS application pool (AppPool) accounts do not need to be members of the local Administrators group. If they are not local administrators, add them to the local IIS_IUSRS group instead and grant them Modify (which includes read, write and change) NTFS permissions on the folders where the web applications are installed.
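As an added example (not part of the original Nodinite documentation), the following PowerShell script applies the note above for a non-administrator application pool account: it adds the account to IIS_IUSRS if it is not already a member, and grants an inheritable Modify ACE on the install folder only when no equivalent ACE exists, so it is safe to run repeatedly. The account name and folder path are assumptions; replace them with your own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Nodinite code): give a non-administrator AppPool account
# the group membership and folder permissions the note above describes.
param(
    [string]$Account = 'CONTOSO\svc-nodinite-web',  # assumed example account
    [string]$Path    = 'D:\Nodinite\Web'            # assumed example install folder
)

$ErrorActionPreference = 'Stop'

# 1. Local group membership. Add-LocalGroupMember throws if the account is
#    already a member, so check first to keep the script idempotent.
$members = Get-LocalGroupMember -Group 'IIS_IUSRS' | Select-Object -ExpandProperty Name
if ($members -notcontains $Account) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $Account
    Write-Output "Added $Account to IIS_IUSRS"
} else {
    Write-Output "$Account is already a member of IIS_IUSRS"
}

# 2. NTFS permissions: Modify on the folder, inherited by subfolders and files.
#    Modify covers read, write and change without granting Full Control.
$wanted   = [System.Security.AccessControl.FileSystemRights]::Modify
$acl      = Get-Acl -Path $Path
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $wanted) -eq $wanted)
}

if (-not $existing) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        $wanted,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Granted Modify on $Path to $Account"
} else {
    Write-Output "$Account already has Modify on $Path"
}
```

After running it, recycle the application pool so the worker process starts with the new group membership; the folder ACE takes effect immediately.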