Tuesday, November 3, 2009

What is the difference between NETWORK SERVICE and NETWORK accounts?

Quite a bit, actually. Still, it is a fair question, and an admin in a hurry could assign the wrong one without too much difficulty.

Microsoft explains the purpose of the first:

"By default, Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 runs ASP.NET applications in application pools that use the NT AUTHORITY\Network Service account identity. This account is a least privileged machine account with limited permissions. An application that runs using this account has restricted access to the event log, registry, and file system. The account does have network credentials, which means you can use it to access network resources and remote databases by using Windows authentication."

This is the service account identity you see when adding security to a folder of a web application. Listed above this account is 'Network account identity', which serves a different purpose, as described below.


SID: S-1-5-2
Name: Network
-------------
Description: A group that includes all users that have logged on through a network connection.
Membership is controlled by the operating system.


SID: S-1-5-20
Name: NT Authority
------------------
Description: Network Service

...And what is a SID?
A security identifier (SID) is a unique value used to identify a security principal or security group in Windows operating systems. Well-known SIDs such as the two above have the same value on every Windows operating system. At times the SID itself will be displayed in place of the security principal's name.

So, choose the wrong account and your web application will likely not work as advertised.
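The PowerShell below, added here and not part of the original post, ties the two points together: it resolves both well-known SIDs to their account names (so an unresolved SID in an ACL editor can be recognised), then audits a web application folder's ACL and flags a NETWORK entry where NETWORK SERVICE was presumably intended. The folder path is an assumption.

```powershell
# Added example, not code from the original post. Resolves the two well-known
# SIDs discussed above and audits a web application folder's ACL for the
# commonly confused identities. $WebRoot is an assumed path; change it to
# your application's content root.
$WebRoot = 'C:\inetpub\wwwroot\MyApp'

# The two SIDs quoted in the post, with the role each one plays.
$KnownSids = @{
    'S-1-5-2'  = 'NETWORK group (all users logged on over the network)'
    'S-1-5-20' = 'NETWORK SERVICE (IIS application pool identity)'
}

# Translate each SID to its account name, so that a raw SID shown in an
# ACL editor can be recognised for what it is.
foreach ($sid in $KnownSids.Keys) {
    $principal = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $account   = $principal.Translate([System.Security.Principal.NTAccount])
    '{0,-9} -> {1,-28} {2}' -f $sid, $account.Value, $KnownSids[$sid]
}

# Normalise an ACE's identity to a SID string. Get-Acl returns a name when
# the SID resolves and the raw SID object when it does not.
function Get-AceSid($identity) {
    if ($identity -is [System.Security.Principal.SecurityIdentifier]) { return $identity.Value }
    try   { return $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }   # unmappable name (for example an orphaned domain account)
}

$serviceAllowed = $false
foreach ($ace in (Get-Acl -Path $WebRoot).Access) {
    switch (Get-AceSid $ace.IdentityReference) {
        'S-1-5-20' {
            if ($ace.AccessControlType -eq 'Allow') { $serviceAllowed = $true }
            'OK      : NETWORK SERVICE {0} {1}' -f $ace.AccessControlType, $ace.FileSystemRights
        }
        'S-1-5-2' {
            # Granting the NETWORK group does nothing for the app pool identity.
            'WARNING : NETWORK group {0} {1}; this does not grant the app pool identity' -f $ace.AccessControlType, $ace.FileSystemRights
        }
    }
}
if (-not $serviceAllowed) {
    "WARNING : no Allow ACE for NETWORK SERVICE on $WebRoot; an app pool running as that identity cannot read it"
}
```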


References:

How To: Use the Network Service Account to Access Resources in ASP.NET

Well-known security identifiers in Windows operating systems

Security Watch - Subjects and Security Principals

1 comment:

Unknown said...

This will clear up a lot of confusion for future installs.
Thanks!