Admin Tip #317: Windows NT service running in LocalSystem account context



Windows NT services run as LocalSystem by default. LocalSystem is a predefined local account and any service running under LocalSystem:

Services are generally non-interactive; that is, a service is a console application that runs whenever the operating system is running. If a service opens a command window and runs a script, anyone logged on at the console could press Ctrl+C and terminate the script, leaving the command shell open with LocalSystem permissions. From a security perspective, be cautious with the AutoExNT service, which lets you run a batch file, Autoexnt.bat, when NT boots. Srvany is another way to convert an application into a service. Just be aware that such a service opens up security exposures if it uses the command shell.

One should review the security context of every service. Any hack that takes control of a service has the access rights of the account the service is running as. Some shops have SQL Server running as local administrator or even as a domain administrator account. Consider the security implications if one leaves the SQL sa account without a password (Microsoft's default). In that case one gains access to SQL with a powerful or very powerful account, and using SQL shell commands one can add a local admin account (if sa is running as local admin) or domain admin account (if sa is running as domain admin) using net user and net group.
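
One way to carry out the review described above, as an added example that is not part of the original tip: a PowerShell function that flags services by the account they run as. The function name `Get-ServiceContextFinding`, the three rules and the sample services (including the `CORP\sqlsvc` account and all paths) are constructed for illustration; the property names are those of the `Win32_Service` class.

```powershell
# Added example: flag services whose security context deserves a closer look.
# The rules are this example's assumptions, not an official baseline.
function Get-ServiceContextFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Service   # needs Name, StartName, PathName, DesktopInteract
    )
    process {
        $account = if ($Service.StartName) { $Service.StartName } else { '(none)' }
        $reasons = @()

        $isLocalSystem = $account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'
        $isBuiltIn = $isLocalSystem -or $account -eq '(none)' -or
            $account -match '^NT (AUTHORITY|SERVICE)\\'

        # Rule 1: LocalSystem plus "allow service to interact with desktop".
        if ($isLocalSystem -and $Service.DesktopInteract) {
            $reasons += 'LocalSystem service may interact with the desktop'
        }
        # Rule 2: LocalSystem service started through a shell or script wrapper.
        if ($isLocalSystem -and $Service.PathName -match '\b(cmd\.exe|srvany|autoexnt)\b') {
            $reasons += 'LocalSystem service uses a command shell or script wrapper'
        }
        # Rule 3: a user account; its group membership decides the exposure.
        if (-not $isBuiltIn) {
            $reasons += 'Runs as a user account: check local and domain admin membership'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $Service.Name
                Account = $account
                Path    = $Service.PathName
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample data so the rules can be checked without touching a host.
$sample = @(
    [pscustomobject]@{ Name = 'AutoExNT';    StartName = 'LocalSystem'; DesktopInteract = $true;  PathName = 'C:\WINNT\system32\autoexnt.exe' }
    [pscustomobject]@{ Name = 'MSSQLSERVER'; StartName = 'CORP\sqlsvc'; DesktopInteract = $false; PathName = 'C:\MSSQL\Binn\sqlservr.exe' }
    [pscustomobject]@{ Name = 'Spooler';     StartName = 'LocalSystem'; DesktopInteract = $false; PathName = 'C:\WINNT\system32\spoolsv.exe' }
)
$sample | Get-ServiceContextFinding | Format-List

# Live review of the local machine:
# Get-CimInstance -ClassName Win32_Service | Get-ServiceContextFinding | Format-List
```

With the sample data, AutoExNT is flagged by rules 1 and 2, MSSQLSERVER by rule 3, and Spooler is not reported.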