protection mechanism of account networkservice

[Gabriele]

The NetworkService account is a built-in system account that has the
privileges of an authenticated user; therefore, it provides an alternative
to running services under the LocalSystem account. There is no lockout
policy for the NetworkService account because it is not password-protected.
The protection mechanism is that only a process running under the
LocalSystem account can perform a NetworkService (or LocalService) logon and
it must be a service-type logon.


What is this "protection mechanism " ?

I have never heard it .

thanks and best regards .

 

[Dean Wells \(MVP\)]

Can you provide the source of the information? I'm certainly not saying
it's not protected, I'm more interested in the article's context and
verbiage.

To try and address your question, I'll give you my best hip-shot answer
which is this -- to install a service in the first place requires
Administrative privilege, which is deemed indirect protection. In
addition, the NetworkService account's local access equates to that of
the local "Users" group while, for remote tasks, it assumes the identity
of the local computer.

 

[Gabriele]

Can you provide the source of the information?

From the book Microsoft Windows server 2003 resourse kit by Tony Northrup ,
cap. 7 "managing system services " , account LocalNetwork .

May be for this reason :

LocalSystem enables access to local resources only .
When a service runs under the LocalSystem account, it can access only local
resources, unless another account is used for network access. Therefore,
services that run under LocalSystem use the NetworkService account for
network access. The name of the account is NT AUTHORITY\NetworkService. This
account does not have a password.


Thankyou

 

[Dean Wells \(MVP\)]

Thanks ... I have nothing further then over and above my original point.