Don't add service accounts to the local Administrators group

by Mitch Tulloch [Published on 10 April 2012 / Last Updated on 4 Aug. 2011]

Why you should never add service accounts to the local Administrators group on a computer.

An admin recently asked me whether it's a good idea to add local service accounts to the local Administrators group on a server to ensure these service accounts have sufficient privileges to enable the server application to run properly.  He was wondering if there could be a security risk if you do this.

The answer is: Don't do this! Before Windows XP and Windows Server 2003, the only built-in service account was the LocalSystem account which has full administrator privileges.  In order to reduce the attack surface of services running on the computer, Windows XP and Windows Server 2003 introduced two new built-in service accounts: LocalService and NetworkService.  These two accounts have much less privileges than LocalSystem, so if a service using one of these accounts gets compromised, the damage that the attacker can do will be considerably less than if the service had been running under the LocalSystem context.

Bottom line: Service accounts should have the absolute minimum privileges needed in order for the server application to run.  Whenever possible, use one of the lower-privileged built-in service accounts: LocalService or NetworkService.  If you must create a new service account, don't make it a member of the local Administrators group on the server as this will give your service account too many privileges, potentially increasing the attack surface of your server.

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.

 

See Also

Featured Links