Account: LocalSystem, LocalService, NetworkService

LocalSystem Account

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The names LocalSystem and ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService function, any password information you provide is ignored.

A service that runs in the context of the LocalSystem account inherits the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value. The account is not associated with any logged-on user account. This has several implications:

  • The registry key HKEY_CURRENT_USER is associated with the default user, not the current user. To access another user's profile, impersonate the user, then access HKEY_CURRENT_USER.
  • The service can open the registry key HKEY_LOCAL_MACHINE\SECURITY.
  • The service presents the computer's credentials to remote servers.
  • If the service opens a command window and runs a batch file, the user could hit CTRL+C to terminate the batch file and gain access to a command window with LocalSystem permissions.

The LocalSystem account has the following privileges:

  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
  • SE_AUDIT_NAME (enabled)
  • SE_BACKUP_NAME (disabled)
  • SE_CHANGE_NOTIFY_NAME (enabled)
  • SE_CREATE_GLOBAL_NAME (enabled)
  • SE_CREATE_PAGEFILE_NAME (enabled)
  • SE_CREATE_PERMANENT_NAME (enabled)
  • SE_CREATE_TOKEN_NAME (disabled)
  • SE_DEBUG_NAME (enabled)
  • SE_IMPERSONATE_NAME (enabled)
  • SE_INC_BASE_PRIORITY_NAME (enabled)
  • SE_INCREASE_QUOTA_NAME (disabled)
  • SE_LOAD_DRIVER_NAME (disabled)
  • SE_LOCK_MEMORY_NAME (enabled)
  • SE_MANAGE_VOLUME_NAME (disabled)
  • SE_PROF_SINGLE_PROCESS_NAME (enabled)
  • SE_RESTORE_NAME (disabled)
  • SE_SECURITY_NAME (disabled)
  • SE_SHUTDOWN_NAME (disabled)
  • SE_SYSTEM_ENVIRONMENT_NAME (disabled)
  • SE_SYSTEMTIME_NAME (disabled)
  • SE_TAKE_OWNERSHIP_NAME (disabled)
  • SE_TCB_NAME (enabled)
  • SE_UNDOCK_NAME (disabled)

Local System Account
When a user logs on, Windows NT/2000 verifies the password. If the user is authenticated, the system produces an access token containing security information such as the user's security identifier (SID), the list of group SIDs, the list of privileges, and impersonation information. Every process the user starts has this token attached; the access token represents the process's security context and governs how the process interacts with securable objects. When a process accesses a securable object, the system compares each access control entry (ACE) in the object's access control list (ACL) against the SIDs in the access token to decide whether the process may access the object. Because every process the user starts carries that user's access token, any such process knows the user's SID and can use it.

The Local System account is the built-in system account; all system processes run in the Local System security context. Local System is the default account used to start services. It inherits the security context of the service control manager and has almost unlimited rights on the local computer. A process running in the Local System context is not associated with any logged-on user account and has no credentials (user name, domain and password) for authentication. Those credentials are what authenticate to other computers on the network, so a process running as Local System cannot access network resources such as network shares.

A process running in the Local System context differs from an ordinary process in the following ways:

1) The registry key HKEY_CURRENT_USER is associated with the default user rather than the current user. To access another user's profile, first impersonate that user, then access HKEY_CURRENT_USER.

2) It can open the HKEY_LOCAL_MACHINE\SECURITY registry key.

3) The process cannot access network resources such as shares and pipes, because it cannot supply credentials and can only use a null session. The NullSessionPipes and NullSessionShares values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters specify which pipes and shares a null session may access.
Alternatively, RestrictNullSessAccess = 0 can be set to allow null-session users to access every pipe and share on the computer. (Heh, that is a security hole; don't do it. The two values above are best left empty as well.)

4) It cannot share objects with other programs unless the DACL set when the object is created grants those users access.

5) If it starts a command prompt to run a batch file, the user can press Ctrl+C to terminate the batch file and is left with a shell that has Local System rights.
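The LanmanServer values mentioned in item 3 are the ones a reviewer checks when auditing null-session exposure. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft; it reads the three values from the registry path named above (the key path is the one on the page, the defaulting rule for a missing RestrictNullSessAccess is an assumption stated in the comment) and reports what a null session could reach, without changing anything. Run it in an elevated PowerShell session on the machine under review.

```powershell
# Added example (not from the original post): audit the LanmanServer null-session
# settings described above. Read-only; run in an elevated PowerShell on Windows.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-NullSessionPolicy {
    param([string]$Path = $paramsKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # RestrictNullSessAccess = 1 limits null sessions to the listed pipes/shares;
    # 0 exposes every pipe and share anonymously. Assumption used here: when the
    # value is absent, treat the host as restricted (1).
    $restrict = if ($null -ne $p.RestrictNullSessAccess) { [int]$p.RestrictNullSessAccess } else { 1 }
    [pscustomobject]@{
        RestrictNullSessAccess = $restrict
        # Both values are REG_MULTI_SZ; drop empty entries so a blank list reads as "none".
        NullSessionPipes       = @($p.NullSessionPipes  | Where-Object { $_ -ne '' })
        NullSessionShares      = @($p.NullSessionShares | Where-Object { $_ -ne '' })
    }
}

function Test-NullSessionPolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.RestrictNullSessAccess -eq 0) {
        $findings += 'RestrictNullSessAccess is 0: null sessions may reach every pipe and share.'
    }
    foreach ($pipe in $Policy.NullSessionPipes) {
        $findings += "Named pipe '$pipe' is reachable over a null session."
    }
    foreach ($share in $Policy.NullSessionShares) {
        $findings += "Share '$share' is reachable over a null session."
    }
    if ($findings.Count -eq 0) {
        $findings += 'Null-session access is restricted and no pipes or shares are listed.'
    }
    $findings
}

$policy = Get-NullSessionPolicy
$policy | Format-List
Test-NullSessionPolicy -Policy $policy
```

The hardened state the post recommends is RestrictNullSessAccess = 1 with both multi-string values empty; the report above prints one line per deviation from that state so it can be dropped into a baseline check.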

LocalService Account

The LocalService account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and presents anonymous credentials on the network. The name of the account in all locales is NT AUTHORITY\LOCALSERVICE. This account does not have a password. If you specify the LocalService account in a call to the CreateService function, any password information you supply is ignored.

The user SID is created from the SECURITY_LOCAL_SERVICE_RID value.

The LocalService account has its own subkey under the HKEY_USERS registry key. Therefore, the HKEY_CURRENT_USER registry key is associated with the LocalService account.

The LocalService account has the following privileges:

  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
  • SE_AUDIT_NAME (disabled)
  • SE_CHANGE_NOTIFY_NAME (enabled)
  • SE_CREATE_GLOBAL_NAME (enabled)
  • SE_IMPERSONATE_NAME (enabled)
  • SE_INCREASE_QUOTA_NAME (disabled)
  • SE_SHUTDOWN_NAME (disabled)
  • SE_UNDOCK_NAME (disabled)
  • Any privileges assigned to users and authenticated users

Windows 2000: This account is not supported.

NetworkService Account

The NetworkService account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and acts as the computer on the network. The name of the account in all locales is NT AUTHORITY\NETWORK SERVICE. This account does not have a password. If you specify the NetworkService account in a call to the CreateService function, any password information you supply is ignored.

A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers. By default, the remote token contains SIDs for the Everyone and Authenticated Users groups. The user SID is created from the SECURITY_NETWORK_SERVICE_RID value.

The NetworkService account has its own subkey under the HKEY_USERS registry key. Therefore, the HKEY_CURRENT_USER registry key is associated with the NetworkService account.

The NetworkService account has the following privileges:

  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
  • SE_AUDIT_NAME (disabled)
  • SE_CHANGE_NOTIFY_NAME (enabled)
  • SE_CREATE_GLOBAL_NAME (enabled)
  • SE_IMPERSONATE_NAME (enabled)
  • SE_INCREASE_QUOTA_NAME (disabled)
  • SE_SHUTDOWN_NAME (disabled)
  • SE_UNDOCK_NAME (disabled)
  • Any privileges assigned to users and authenticated users

Windows 2000: This account is not supported.
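The three account descriptions above (LocalSystem, LocalService and NetworkService) differ mainly in token breadth and in what is presented on the network, so the first practical question on a host is which services run under which account. The following PowerShell is an added example written for this page, not code from the original page or from Microsoft; it reads the StartName property of Win32_Service (a documented WMI class) and classifies each service. The regular expressions that normalise the account spellings and the "VirtualAccount" and "Other" categories are assumptions of this example.

```powershell
# Added example (not from the original page): inventory which predefined account
# each installed service runs as. Read-only; Win32_Service.StartName holds the account.
function Get-ServiceAccountInventory {
    $services = Get-CimInstance -ClassName Win32_Service
    foreach ($svc in $services) {
        $name = if ($svc.StartName) { $svc.StartName } else { '' }
        # Normalise the SCM's spellings of the three predefined accounts.
        # -Regex matching is case-insensitive in PowerShell; the space in
        # "LOCAL SERVICE"/"NETWORK SERVICE" is optional.
        $category = switch -Regex ($name) {
            '^(\.\\)?LocalSystem$'               { 'LocalSystem' }
            '^NT AUTHORITY\\LOCAL ?SERVICE$'     { 'LocalService' }
            '^NT AUTHORITY\\NETWORK ?SERVICE$'   { 'NetworkService' }
            '^NT SERVICE\\'                      { 'VirtualAccount' }   # assumption: per-service virtual account
            '^$'                                 { 'Unknown' }
            default                              { 'Other' }            # domain or local user accounts
        }
        [pscustomobject]@{
            Name      = $svc.Name
            Account   = $name
            Category  = $category
            State     = $svc.State
            StartMode = $svc.StartMode
            Path      = $svc.PathName
        }
    }
}

$inventory = Get-ServiceAccountInventory

# How many services run under each account category.
$inventory | Group-Object Category | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# The LocalSystem set carries the broadest token (SE_DEBUG_NAME, SE_TCB_NAME and
# SE_IMPERSONATE_NAME are enabled by default, per the list above), so review it first:
# anything here that does not need that token is a candidate for LocalService or NetworkService.
$inventory | Where-Object Category -eq 'LocalSystem' |
    Sort-Object Name | Format-Table Name, State, StartMode, Path -AutoSize
```

To confirm which privileges are actually enabled in a given process's token rather than reading the static lists above, run whoami /priv from inside that process context; for the two low-privilege accounts the output should contain only the handful of privileges listed in their sections.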