Solved

NT system generated accounts

Posted on 2010-08-24
Last Modified: 2013-12-04
Hey guys,
This is more of just a question, rather than a request for a solution. I was told when a Windows NT pc or server is built, a system account is automatically created. I was also told that this system account has no password, and uses an anonymous logon.

Can someone shed some light on this? Help me understand these statements... is this truly the case? Thanks guys.
Question by:isaacr25
10 Comments
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 250 total points
ID: 33511011
> a system account is automatically created.
Yes
http://support.microsoft.com/kb/120929
"The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account. "

> this system account has no password,
Yes
http://msdn.microsoft.com/en-us/library/ms684190%28VS.85%29.aspx
"The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. "

> uses an anonymous logon.
Not really - It's using its own special type of logon.  *worry*  Does that help?

0
 

Author Comment

by:isaacr25
ID: 33512282
Very helpful. Does this pose any security issues? If not, how are the security risks mitigated?
0
 
LVL 29

Assisted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
ID: 33512398
Yes, it does pose some security concerns, but programs have to run under some security context... so in some ways it's a protected account.  (I haven't looked at a *nix system in a while, but I believe the roughly equivalent concept would be the daemon accounts used to run services that also don't have real passwords, so they can't be used to log in...)

The system account can't be used to log into a system, and you usually need elevated privileges to run a program under system account permissions.  It's one of the targets for hackers, so when something is discovered that does allow access, the update to close that hole is usually forthcoming as a critical security patch...
0
 
LVL 3

Assisted Solution

by:Emileneth
Emileneth earned 250 total points
ID: 33524740
-System is the default for automated applications that need to run in high privilege all the time, like Windows Installer service
-System is not accessible for "outside" login
-This account doesn't need a password, pre-authorized via privileged install
-Cannot have personal profile folders, can use the All folders and drives

-Local Service and Network Service accounts are similar but don't work with privileges, useful for already installed services like Apache that once installed don't need privileges anymore
-Local Service is intended to be accessed only from local host in client server model
-Network Service is intended to be accessed anywhere in client server model
-These accounts don't need passwords, pre-authorized via privileged install
-Have its special "Documents and Settings" to store its stuff like any low priv. user

-Sadly this security model is not used properly by MS or 3rd parties

-Hackers target for Administrator. Or exploit some insecure buffer in any process running at high level, to get Administrator ultimately

* Only console accounts can run processes with windows
0
 
LVL 3

Assisted Solution

by:Emileneth
Emileneth earned 250 total points
ID: 33524930
In last post

About console accounts
Do not get confused with "console apps", Windows is a GUI OS, a console account is the ones with access to the GUI, even Windows terminal services are graphical.
Services are windowless and work similar as "win32 console apps", in which case any attempt to interact with the UI via a hacked service is denied, usually trojans drop a windows app for this means
0
 

Author Comment

by:isaacr25
ID: 33525004
Great info guys!

Another question: would any activity by these system accounts have the same event id as an actual person logging onto his/her pc, for instance?
0
 
LVL 3

Expert Comment

by:Emileneth
ID: 33525048
Generally events are raised by applications, but the "Auditory" service drops the same event id with the user as parameter
0
 
LVL 3

Expert Comment

by:Emileneth
ID: 33525082
Too bad that parameter is optional
0
 
LVL 3

Expert Comment

by:Emileneth
ID: 33535567
Seems like the last post was not accurate

The instance you pointed
Security events register login attempts the same way as other accounts

What I meant in the last posts was that events are raised by applications or services, windows components treat the same way the accounts, other kinds of activities need to be logged by the applications, and most of them are not programmed to log them

Windows security logging can be configured, but is outside of this subject
0
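An added example, not part of the thread: on Windows Vista/Server 2008 and later, a successful logon is recorded as Security event 4624 whichever account it is for, so separating LocalSystem, the other service identities and Anonymous Logon from a person at the keyboard comes down to the `TargetUserSid` and `LogonType` fields. The event XML is constructed and trimmed to those fields, and `classify_logon` and `sample_event` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known SIDs of the built-in identities discussed in this thread.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
    "S-1-5-7": "Anonymous Logon",
}
# Logon types recorded in event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}

def classify_logon(event_xml):
    """Return (account, logon_type, kind) for a 4624 event, None for any other event."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    sid = data.get("TargetUserSid", "")
    ltype = int(data.get("LogonType", "0"))
    if sid in WELL_KNOWN_SIDS:
        account, kind = WELL_KNOWN_SIDS[sid], "built-in identity"
    else:
        account = data.get("TargetUserName", "?")
        kind = "person at console/RDP" if ltype in (2, 7, 10, 11) else "other"
    return account, LOGON_TYPES.get(ltype, str(ltype)), kind

def sample_event(sid, user, ltype, event_id=4624):
    # Constructed event, trimmed to the fields used above.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserSid">{sid}</Data>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{ltype}</Data></EventData></Event>')

SAMPLES = [  # constructed: a service start, a console logon, an anonymous session
    sample_event("S-1-5-18", "SYSTEM", 5),
    sample_event("S-1-5-21-1111111111-2222222222-3333333333-1001", "alice", 2),
    sample_event("S-1-5-7", "ANONYMOUS LOGON", 3),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(classify_logon(xml_text))
```
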
 

Author Closing Comment

by:isaacr25
ID: 33535978
Thanks guys! Great info!
0
