  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 378

NT system generated accounts

Hey guys,
This is more of just a question, rather than a request for a solution. I was told when a Windows NT pc or server is built, a system account is automatically created. I was also told that this system account has no password, and uses an anonymous logon.

Can someone shed some light on this? Help me understand these statements... is this truly the case? Thanks guys.
0
isaacr25
Asked:
4 Solutions
 
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter, Commented:
> a system account is automatically created.
Yes
http://support.microsoft.com/kb/120929
"The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account. "

> this system account has no password,
Yes
http://msdn.microsoft.com/en-us/library/ms684190%28VS.85%29.aspx
"The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. "

> uses an anonymous logon.
Not really - It's using its own special type of logon.  *worry*  Does that help?

0
 
isaacr25 (Author) Commented:
Very helpful. Does this pose any security issues? If not, how are the security risks mitigated?
0
 
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter, Commented:
Yes, it does pose some security concerns, but programs have to run under some security context... so in some ways it's a protected account.  (I haven't looked at a *nix system in a while, but I believe the roughly equivalent concept would be the daemon accounts used to run services that also don't have real passwords, so they can't be used to log in...)

The system account can't be used to log into a system, and you usually need elevated privileges to run a program under system account permissions.  It's one of the targets for hackers, so when something is discovered that does allow access, the update to close that hole is usually forthcoming as a critical security patch...
0

 
Emileneth Commented:
- System is the default for automated applications that need to run with high privilege all the time, like the Windows Installer service
- System is not accessible for "outside" login
- This account doesn't need a password; it is pre-authorized via privileged install
- Cannot have personal profile folders, can use the All folders and drives

- Local Service and Network Service accounts are similar but don't work with privileges, useful for already installed services like Apache that once installed don't need privileges anymore
- Local Service is intended to be accessed only from the local host in the client-server model
- Network Service is intended to be accessed from anywhere in the client-server model
- These accounts don't need passwords; they are pre-authorized via privileged install
- Have their own special "Documents and Settings" to store their stuff like any low-priv. user

-Sadly this security model is not used properly by MS or 3rd parties

-Hackers target for Administrator. Or exploit some unsecure buffer in any process running at high level, to get Administrator ultimately

* Only console accounts can run processes with windows
0
 
Emileneth Commented:
In last post

About console accounts
Do not get confused with "console apps". Windows is a GUI OS; console accounts are the ones with access to the GUI. Even Windows Terminal Services are graphical.
Services are windowless and work similarly to "win32 console apps", in which case any attempt to interact with the UI via a hacked service is denied; usually trojans drop a Windows app for this purpose.
0
 
isaacr25 (Author) Commented:
Great info guys!

Another question: would any activity by these system accounts have the same event id as an actual person logging onto his/her pc, for instance?
0
 
Emileneth Commented:
Generally events are raised by applications, but the "Auditory" service drops the same event ID with the user as a parameter
0
 
Emileneth Commented:
Too bad that parameter is optional
0
 
Emileneth Commented:
Seems like the last post was not accurate

The instance you pointed
Security events register login attempts the same way as other accounts

What I meant in the last posts was that events are raised by applications or services; Windows components treat the accounts the same way. Other kinds of activities need to be logged by the applications, and most of them are not programmed to log them

Windows security logging can be configured, but is outside of this subject
0
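
For the event-ID question above, an added example (not written by any poster in this thread): on Windows Vista and later, service-account and human logons are both recorded as Security event 4624 and are told apart by the account SID and the logon type. The sample records are constructed, and flagging an interactive-type logon by a built-in service account for review is this example's own assumption.

```python
from collections import Counter

# Well-known SIDs of the built-in service accounts discussed in the thread.
SERVICE_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}
ANONYMOUS_SID = "S-1-5-7"          # ANONYMOUS LOGON is a separate identity
HUMAN_TYPES = {2, 7, 10, 11}       # Interactive, Unlock, RemoteInteractive, CachedInteractive

def classify(event):
    """Label one event dict using event 4624 field names."""
    if event["EventID"] != 4624:
        return "not-a-logon"
    sid, ltype = event["TargetUserSid"], event["LogonType"]
    if sid in SERVICE_SIDS:
        # Assumption of this example: a password-less built-in account
        # appearing with a human logon type deserves a closer look.
        return "review" if ltype in HUMAN_TYPES else "service-account"
    if sid == ANONYMOUS_SID:
        return "anonymous"
    return "human" if ltype in HUMAN_TYPES else "other"

def summarize(events):
    """Count events per label."""
    return Counter(classify(e) for e in events)

# Constructed sample records (not taken from a real log).
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE = [
    {"EventID": 4624, "TargetUserSid": "S-1-5-18", "LogonType": 5},   # service start
    {"EventID": 4624, "TargetUserSid": "S-1-5-20", "LogonType": 5},
    {"EventID": 4624, "TargetUserSid": USER_SID, "LogonType": 2},     # person at console
    {"EventID": 4624, "TargetUserSid": USER_SID, "LogonType": 3},     # file share access
    {"EventID": 4624, "TargetUserSid": ANONYMOUS_SID, "LogonType": 3},
    {"EventID": 4624, "TargetUserSid": "S-1-5-18", "LogonType": 2},   # flagged
    {"EventID": 4634, "TargetUserSid": USER_SID, "LogonType": 2},     # logoff
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {count}")
```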
 
isaacr25 (Author) Commented:
Thanks guys! Great info!
0