SECURE SYSTEMS BY RUNNING SERVICES UNDER LESS PRIVILEGED ACCOUNTS

One of the ways that Windows Server 2003 provides better security is by running services under less privileged accounts when appropriate. For example, in previous versions of Windows, many system services ran under the highly privileged LocalSystem account. Services compromised while running under this account could do just about anything.

Windows Server 2003 introduced two less privileged accounts: Local Service and Network Service. Both accounts have only slightly higher privilege levels than a typical user.

You can use Local Service for local system services that don't need full access to the system, and you can employ Network Service for network-based services. Network Service emulates a computer account in a domain.

By default, Windows Server 2003 limits both services in what they can do and what they can access. These restrictions help reduce the amount of damage that an intruder can inflict with a compromised service.

Windows Server 2003 also reduces the number of services started by default, which directly results in a more secure system. When a system runs fewer services, it gives potential hackers fewer options to compromise.