I have been reading up on security in Windows Server, and the documentation on msdn seems to suggest to use the new service accounts - Managed Service Account or Virtual Account to install services like IIS or SQL Server to run using low privilege accounts
specially designed to run these kind of services. At any rate, they shouldn't be running as Local System, which is a high privilege account.
I also read that under 2008 R2, the installation procedure automatically creates a virtual account for a particular service using the same name for the virtual account as the service name.
However, I tried installing the Web Server (IIS) role on Windows Server 2008 R2 twice now, and it installs the Web Server Service (World Wide Web Publishing Service - W3SVC) running path to executable C:\Windows\system32\scvhost.exe -k iissvcs to run as Local
System.
The first time, I was logged in as the administrator on the local machine. When it didn't work, I removed the role entirely, and then logged in to the system as the domain administrator, and it still installed it as Local System instead of a Virtual Account.
What gives?
I need to change it to run as either an MSA or a VA. Before I take a decision on which one to use, I just need one more piece of advice.
The idea behind the web server is that the web server itself (or the service account it is running on) does not need to access any network resources. I understand that to access any network resources, it is recommended to use MSA instead of VA, because the
VA tends to act as Local System when accessing the network. But doesn't this in itself pose a security risk that could be exploited if the system were to be compromised, even if network resources are not to be accessed in the original design of the system?
Also, the plan is that the web server will impersonate other domain users when trying to access SQL Server, which is located on a different server within the network. Does this impersonation still count as accessing network resources by the service account
IIS is running on? Or by impersonating, does the underlying service account not actually access any network resources, but all the accessing is done only by the account being impersonated?
So all said, which type would be better for my requirement - MSA, or VA?
↧
IIS 7 getting installed as Local System on Windows Server 2008 R2
↧