Solved

NT system generated accounts

Posted on 2010-08-24
Last Modified: 2013-12-04
Hey guys,
This is more of just a question, rather than a request for a solution. I was told when a Windows NT PC or server is built, a system account is automatically created. I was also told that this system account has no password, and uses an anonymous logon.

Can someone shed some light on this? Help me understand these statements... is this truly the case? Thanks guys.
Question by:isaacr25
10 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 250 total points
ID: 33511011
> a system account is automatically created.
Yes
http://support.microsoft.com/kb/120929
"The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account. "

> this system account has no password,
Yes
http://msdn.microsoft.com/en-us/library/ms684190%28VS.85%29.aspx
"The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. "

> uses an anonymous logon.
Not really - It's using its own special type of logon.  *worry*  Does that help?

0
 

Author Comment

by:isaacr25
ID: 33512282
Very helpful. Does this pose any security issues? If not, how are the security risks mitigated?
0
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
ID: 33512398
Yes, it does pose some security concerns, but programs have to run under some security context... so in some ways it's a protected account.  (I haven't looked at a *nix system in a while, but I believe the roughly equivalent concept would be the daemon accounts used to run services that also don't have real passwords, so they can't be used to log in...)

The system account can't be used to log into a system, and you usually need elevated privileges to run a program under system account permissions.  It's one of the targets for hackers, so when something is discovered that does allow access, the update to close that hole is usually forthcoming as a critical security patch...
0

 
LVL 3

Assisted Solution

by:Emileneth
Emileneth earned 250 total points
ID: 33524740
-System is the default for automated applications that need to run in high privilege all the time, like Windows Installer service
-System is not accessible for "outside" login
-This account doesn't need a password, pre-authorized via privileged install
-Cannot have personal profile folders, can use the All folders and drives

-Local Service and Network Service accounts are similar but don't work with privileges, useful for already installed services like apache that once installed don't need privileges anymore
-Local Service is intended to be accessed only from local host in client server model
-Network Service is intended to be accessed anywhere in client server model
-These accounts don't need passwords, pre-authorized via privileged install
-Have their special "Documents and Settings" to store their stuff like any low priv. user

-Sadly this security model is not used properly by MS or 3rd parties

-Hackers target for Administrator. Or exploit some unsecure buffer in any process running at high level, to get Administrator ultimately

* Only console accounts can run processes with windows
0
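To see how the three built-in service accounts described in the post above are used on a given machine, here is an added example (not part of the original thread) that groups installed services by logon account and lists LocalSystem services whose binary lives outside the Windows directory. The function name `Get-AccountLabel` and the "outside %SystemRoot%" heuristic are assumptions made for this illustration.

```powershell
# Added example. Normalise the account spellings reported by the
# Service Control Manager (e.g. "LocalSystem", "NT AUTHORITY\LocalService").
function Get-AccountLabel {
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^(\.\\)?LocalSystem$' { return 'LocalSystem' }
        '\\Local ?Service$'    { return 'LocalService' }
        '\\Network ?Service$'  { return 'NetworkService' }
        default                { return 'Other account' }
    }
}

$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartName, PathName,
        @{ Name = 'Account'; Expression = { Get-AccountLabel $_.StartName } }

# How many services run under each security context.
$services | Group-Object Account |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Heuristic (assumption of this example): a LocalSystem service whose
# binary is not under %SystemRoot% is usually third-party software and
# worth checking for whether it really needs full SYSTEM rights.
$sysRoot = [regex]::Escape($env:SystemRoot)
$services |
    Where-Object {
        $_.Account -eq 'LocalSystem' -and
        $_.PathName -and
        $_.PathName -notmatch "^`"?$sysRoot\\"
    } |
    Sort-Object Name |
    Format-Table Name, State, PathName -AutoSize -Wrap
```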
 
LVL 3

Assisted Solution

by:Emileneth
Emileneth earned 250 total points
ID: 33524930
In last post

About console accounts
Do not get confused with "console apps", Windows is a GUI OS, a console account is one with access to the GUI, even Windows terminal services are graphical.
Services are windowless and work similarly to "win32 console apps", in which case any attempt to interact with the UI via a hacked service is denied, usually trojans drop a windows app for this means
0
 

Author Comment

by:isaacr25
ID: 33525004
Great info guys!

Another question: would any activity by these system accounts have the same event id as an actual person logging onto his/her pc, for instance?
0
 
LVL 3

Expert Comment

by:Emileneth
ID: 33525048
Generally events are raised by applications, but the "Auditory" service drops the same event id with the user as parameter
0
 
LVL 3

Expert Comment

by:Emileneth
ID: 33525082
Too bad that parameter is optional
0
 
LVL 3

Expert Comment

by:Emileneth
ID: 33535567
Seems like the last post was not accurate

The instance you pointed
Security events register login attempts the same way as other accounts

What I meant in the last posts was that events are raised by applications or services, windows components treat the accounts the same way, other kinds of activities need to be logged by the applications, and most of them are not programmed to log them

Windows security logging can be configured, but is outside of this subject
0
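The point made in the answers above, that a logon by a built-in account is written to the Security log with the same event ID as a person's logon and differs only in the account and logon-type fields, can be checked with this added example (not part of the original thread). It assumes Windows Vista / Server 2008 or later, where a successful logon is event 4624 (older NT-family systems used 528 and 540), and an elevated PowerShell prompt.

```powershell
# Added example: run elevated (reading the Security log requires it).
# Well-known SIDs are identical on every Windows installation and locale.
$builtIn = @{
    'S-1-5-18' = 'SYSTEM (LocalSystem)'
    'S-1-5-19' = 'LOCAL SERVICE'
    'S-1-5-20' = 'NETWORK SERVICE'
    'S-1-5-7'  = 'ANONYMOUS LOGON'
}
# Logon type values recorded in event 4624.
$logonTypes = @{
    0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents 2000 -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Read fields by name from the event XML rather than by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $sid  = [string]$data['TargetUserSid']
    $type = [int]$data['LogonType']
    [pscustomobject]@{
        Account   = if ($builtIn.ContainsKey($sid)) { $builtIn[$sid] } else { 'Other principal' }
        LogonType = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { "Type $type" }
    }
}

# Same event ID for every row; only the account and logon type differ.
$rows | Group-Object Account, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On a typical machine the SYSTEM rows appear with logon type Service, while a person at the keyboard shows up as Interactive or Unlock, which is the field to filter on when separating the two.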
 

Author Closing Comment

by:isaacr25
ID: 33535978
Thanks guys! Great info!
0
