Background: I'm writing a service and want to give it as few privileges as necessary.
Virtual Accounts (sometimes "Virtual Service Accounts") are a sparsely documented feature, new to Windows 7/2008R2: automatically managed accounts for services that need minimal privileges but access the network with a computer identity in a domain environment.
My service doesn't need network access, so I'm using LocalService, but I don't like the fact that if I grant access to a file/etc., I'm granting access to all services running as that account.
Is there a least privileged account I can use?
You don't need to change the account the service runs under; LocalService is fine. Instead, configure the service to have a non-zero SID type, i.e., specify either SERVICE_SID_TYPE_UNRESTRICTED or SERVICE_SID_TYPE_RESTRICTED. You can do this using the ChangeServiceConfig2() function and the SERVICE_CONFIG_SERVICE_SID_INFO option.

You can then grant access to files and other protected resources using the service SID, whose name is NT SERVICE\myservice, rather than LocalService. This will grant access to only your service. (Well, and any other services sharing the same process, but most third-party services run in their own process.)

For least privilege, use SERVICE_SID_TYPE_RESTRICTED. This means that the service can only access protected objects that explicitly grant access to either Everyone, the service SID, the logon session SID, or WRITE_RESTRICTED. You should also use the SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO option to reduce the privileges granted to the service; many services do not need any privileges at all. (In that case, you may find that you need to specify SE_CHANGE_NOTIFY_NAME rather than an empty list, though I might be misremembering.)
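The same configuration applied from an elevated PowerShell prompt with sc.exe and icacls instead of calling ChangeServiceConfig2() directly. This is an added example, not code from the answer above; the service name myservice is taken from the answer and the data directory is a placeholder.

```powershell
# Added example (not from the post): apply the answer's least-privilege
# configuration to an already-installed service and verify the result.
# Assumptions: the service is named "myservice" (as in the answer) and keeps
# its private data under C:\ProgramData\MyService (placeholder path).
$service  = 'myservice'
$dataPath = 'C:\ProgramData\MyService'

# 1. Give the service its own SID in restricted mode. "sc.exe sidtype" is the
#    command-line equivalent of SERVICE_CONFIG_SERVICE_SID_INFO; "restricted"
#    maps to SERVICE_SID_TYPE_RESTRICTED, so the token only passes access checks
#    on objects whose ACL explicitly names Everyone, the service SID, the logon
#    session SID or WRITE_RESTRICTED.
sc.exe sidtype $service restricted

# 2. Trim the privileges in the service token. "sc.exe privs" is the equivalent
#    of SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO; SeChangeNotifyPrivilege is the
#    privilege the answer calls SE_CHANGE_NOTIFY_NAME. Nothing else from the
#    LocalService default set remains in the token.
sc.exe privs $service SeChangeNotifyPrivilege

# 3. Grant the data directory to the service SID, not to LocalService, so other
#    LocalService services are not included. (OI)(CI) inherit to files and
#    subfolders; M = modify. ${service} avoids PowerShell reading "$service:"
#    as a drive-qualified variable.
icacls.exe $dataPath /grant "NT SERVICE\${service}:(OI)(CI)M"

# 4. Verify the stored configuration. Both settings apply to the token the SCM
#    builds at service start, so restart the service for them to take effect.
sc.exe qsidtype $service
sc.exe qprivs $service
icacls.exe $dataPath
Restart-Service -Name $service
```

After the restart, `whoami /groups /priv` run from inside the service process (or Process Explorer's Security tab) should show the NT SERVICE\myservice group and only SeChangeNotifyPrivilege.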