Logon As A Service

Nodinite has many Windows Services that you install on one or more servers. Depending on the features provided, these Windows Services must be assigned different access rights on, for example, Windows Servers, databases and queues. On this page you will learn the least privileges required for a Windows Service to run on Windows Server.

Stay secure with limited rights assigned

We, the people behind Nodinite, have designed most of our Monitoring Agents with minimum permissions (least privileges) in mind.

  • Each Windows Service can run with the same account, or you can use a different account for each installed instance
    • Having separate accounts means additional administration
    • Having separate accounts means you can fine-tune as needed
  • Some Monitoring Agents require the account to be a member of the local Administrators group; see the prerequisites page for each agent to learn more about specific rights
  • Make sure to use service accounts and not accounts assigned to physical persons
  • Make sure the service accounts have the 'Password never expires' policy
  • Make sure you document accounts and passwords

What are the minimum user permissions required to install a Windows service?

Only processes with Administrative privileges are able to open handles to the SCM (Service Control Manager) that can be used by the CreateService and LockServiceDatabase functions (see the MSDN 'Service Security and Access Rights' article for details).

What are the minimum user permissions required to run a Windows service?

The minimum user permission required to run a Windows service is the 'Log on as a service' right, which is a local policy set by an administrator at server level, or at domain level using group policies.

This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in right to log on as a service. Any service that runs under a separate user account must be assigned the right.

Note: The default setting in Windows is: None (!). This means the account either needs to be a local administrator or must be manually assigned this right.

Add user to policy

Open Administrative Tools in Control Panel

Open Local Security Policy

Add the account to use to the policy 'Log on as a service'. If the account is already in use, it needs to log on again/restart to acquire the new set of privileges.
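
The same assignment can be scripted and verified. The PowerShell below is an added example, not Nodinite's own code: it uses secedit to check whether an account holds SeServiceLogonRight (the constant behind 'Log on as a service'), grants it if missing, and reports the result. The account name CONTOSO\svc-nodinite and the temporary file names are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# 'CONTOSO\svc-nodinite' is a placeholder; pass your own service account.
param([string]$Account = 'CONTOSO\svc-nodinite')
$ErrorActionPreference = 'Stop'   # stop if the account cannot be resolved

# Resolve the account to its SID; secedit lists SIDs with a leading '*'.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

function Get-ServiceLogonHolder {
    # Export only the user-rights area of the effective local policy.
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return }   # the right is assigned to nobody
    # Limitation: entries exported by name rather than SID are not matched.
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$holders = @(Get-ServiceLogonHolder)
if ($holders -notcontains "*$sid") {
    # secedit sets the right to exactly the list in the template, so the
    # current holders are written back together with the new SID.
    $tpl   = Join-Path $env:TEMP 'svc-logon.inf'
    $db    = Join-Path $env:TEMP 'svc-logon.sdb'
    $right = 'SeServiceLogonRight = ' + (($holders + "*$sid") -join ',')
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', $right
    ) | Set-Content -Path $tpl -Encoding Unicode
    secedit /configure /db $db /cfg $tpl /areas USER_RIGHTS | Out-Null
    Remove-Item $tpl, $db -ErrorAction SilentlyContinue
}

# Verify; a running service must be restarted to pick up the new right.
[pscustomobject]@{
    Account  = $Account
    Sid      = $sid
    HasRight = @(Get-ServiceLogonHolder) -contains "*$sid"
}
```

If a domain Group Policy defines this right, a local change is overwritten at the next policy refresh; assign the right in the GPO in that case.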

Nodinite Service Accounts are used for:

Note: AppPool accounts are not required to be part of the local administrators group. If the accounts used are not local administrators, add them to the IIS_IUSRS group instead and make sure the accounts have read/change/write permissions on the folders where installed.

