Local System : Completely trusted account, moreso than the administrator account. There is nothing on a single box that this account can not do and it has the right to access the network as the machine (this requires Active Directory and granting the machine account permissions to something)"
http://msdn.microsoft.com/en-us/library/aa274606(SQL.80).aspx (Preparing to install SQL Server 2000(64 bit) - Creating Windows Service Accounts) tells:
"The local system account does not require a password, does not have network access rights, and restricts your SQL Server installation from interacting with other servers."
http://msdn.microsoft.com/en-us/library/ms684190(v=VS.85).aspx (LocalSystem Account, Build date: 8/5/2010) tells:
"The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService function, any password information you provide is ignored"
http://technet.microsoft.com/en-us/library/ms143504.aspx (Setting Up Windows Service Accounts) tells:
Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. > The actual name of the account is "NT AUTHORITY\SYSTEM".
Well-known security identifiers in Windows operating systems ( http://support.microsoft.com/kb/243330 ) does not have any SYSTEM at all (but only "LOCAL SYSTEM")
My Windows XP Pro SP3 (with MS SQL Server setup, developing machine in workgroup) does have SYSTEM but not LocalSystem or "Local System".
QUESTIONS:
Can somebody clear out this mess?
It is possible to burn hours after hours, day after day reading MS docs just to collect more and more contradictions and misunderstandings...
1) Has LocalSystem rights to access the network or not? What is the mechanism?
2) Are the SYSTEM and the LocalSystem (and the "Local System") synonyms?
Why they have been introduced?
What are the differences between SYSTEM and Local System
----------
Update1:
Hi, sysamin1138!
Your answers add even more confusion if to compare them to observed reality, for ex., to the fact that Fresh installed or workgroup Windows XP Pro SP3 has only SYSTEM (but not LocalSystem).
Sysadmin138 wrote:
- "Different security principles for similar problems, which allow a bit of granularity in your security design. One is local only, the other has domain visibility."
Does this phrase mean that LocalSystem is added upon joining computer to domain?
Should it be understood that SYSTEM is for "local"/internal and workgroup access (computer identification) and LocalSystem for identification of computer in domain?
----------
Update2: same workgroup Windows XP Pro SP3 if not specified otherwise
Hi, Sysadmin1138, In your Edit
"It's just that in that case SYSTEM and NT Authority/SYSTEM are equivalent in ability",
how are they (NT Authority/SYSTEM and SYSTEM) related to LocalSystem? Did not you err one of them with LocalSystem?
Greg Askew,
"Note that if you configure a service to logon as .\LocalSystem, it will still appear as logged on as NT AUTHORITY\SYSTEM in Process Explorer or System in Task Manager"
This is a little be closer. I cannot choose LocalSystem in either NTFS/share premissions, RunAs list. But in services.msc the service "SQL Server (MS SQL SERVER)" --> double-click or rc --> Properties ---> tab "Logo on as:" has radiobuttom "Local System account". This service then appears in Windows Task Manager as SYSTEM
Greg Askew and sysadmin1138,
"NT AUTHORITY" or any "xxx\" does not appear anywhere. All account names are single-labeled. Note it is Windows XP workgroup computer. Though I run an instance of ADAM (Active Directory Application Mode).
I guess "NT AUTHORITY" is from that famous "security subsystem" which is absent in workgroup(?) Would "NT Authority" appear if I join computer to a domain?
NTFS/share permission list has 2 columns:
- "Name(RDN)" colum having single-label account names
- "In Folder" column having either MyCompName (eg, for Administrator, Administrators, ASPNET, SQLServerReportServerUser$MyCompName$MSRS10_50.MSSQLSERVER, etc.) or blank (e.g., for ANONYMOUS LOGON, Authenticated Users, CREaTOR GROUP, CREAtOR OWNER, NETWORKING SERVICES,SYSTEM, etc.).
The former ones have also synonyms for coding as "MyCompName\xxxx" or ".\xxx" (i.e.
- SQLServerReportServerUser$MyCompName$MSRS10_50.MSSQLSERVER =
- = MyCompName\SQLServerReportServerUser$MyCompName$MSRS10_50.MSSQLSERVER
- = .\SQLServerReportServerUser$MyCompName$MSRS10_50.MSSQLSERVER)
Can you synchronize your answers in context of http://blogs.msdn.com/aaron_margosis/archive/2009/11/05/machine-sids-and-domain-sids.aspx (Machine SIDs and Domain SIDs)?
----------
Update3: same workgroup Windows XP Pro SP3 if not specified otherwise
Hi, Sysadmin1138,
And how to see edit-history? and dereference SID?
Breakthrough! cacls shows "NT Authority\SYSTEM"...
Though for services it is all vice versa: all services show under "Log On" tab
- the radiobutton "Local System account" which results in SYSTEM in WIndowsTaskManager and
- the "This account" radiobutton --> btn "Browse..." that doesn't show the SYSTEM account in the list
Sorry for your time, but I couldn't get yet to any LocalSystem in Windows XP! LocalSystem does not show up anywhere in XP! but the problem that all MS docs dwell only on LocalSystem...
BTW, http://support.microsoft.com/kb/120929 ("How the System account is used in Windows") tells that SYSTEM is for internal to computer logging of services, and surprise-surprise "APPLIES TO" all Windows from NT Workstation 3.1 to Windows Server 2003 except Windows XP(?!).
Is Windows XP some anomaly in Windows line?
----------
Update4: same workgroup Windows XP Pro SP3 if not specified otherwise
I couldn't detect any LocalSystem (only "local system" mentioned in text to radiobutton of services LogOn)in Windows XP though all MS docs usually dwell on LocalSystem only but not SYSTEM. I marked this question as answered having understood for me that Windows XP is anomaly/exception in Windows OS-es having some GUI usability bug and I should guess how a scenario would have appeared in other Windows (with the help of answer(s) here)
If it is not correct, please be free to prove/share another point of view
Update5: same workgroup Windows XP Pro SP3 if not specified otherwise
Venceremos!
I found "Local System" in Windows XP! It is shown in "Log On As" column in services.msc!
[wiped large answer, summarizing for clarity. See edit-history for sordid tale.]
There is a single well-known SID for the local system. It is S-1-5-18, as you found from that KB article. This SID returns multiple names when asked to be dereferenced. The 'cacls' command-line command (XP) shows this as "
NT Authority\SYSTEM
". The 'icacls' command-line command (Vista/Win7) also shows this as "NT Authority\SYSTEM
". The GUI tools in Windows Explorer show this as "SYSTEM
". When you're configuring a Service to run, this is shown as "Local System
".Three names, one SID.
In Workgroups, the SID only has a meaning on the local workstation. When accessing another workstation, the SID is not transferred just the name. The 'Local System' can not access any other systems.
In Domains, the Relative ID is what allows the Machine Account access to resources not local to that one machine. This is the ID stored in Active Directory, and is used as a security principle by all domain-connected machines. This ID is not S-1-5-18. It is in the form of S-1-5-21[domainSID]-[random].
Configuring a service as "Local Service" tells the service to log on locally to the workstation as S-1-5-18. It will not have any Domain credentials of any kind.
Configuring a service as "Network Service" or "NT Authority\NetworkService" tells the service to log on to the domain as that machine's domain account, and will have access to Domain resources. The Windows XP Service Configurator does not have the ability to select "Network Service" as a login type. The SQL Setup program might.
"Network Service" can do everything "Local System" can, as well as access Domain resources.
"Network Service" has no meaning in a Workgroup context.
In short:
NT Authority\System
=Local System
=SYSTEM
=S-1-5-18
If you need your service to access resources not located on that machine, you need to either:
"Most services run in the security context of the local system account (displayed sometimes as SYSTEM and other times as LocalSystem)."
"...The local system account is the same account in which core Windows user-mode operating system components run, including the Session Manager (smss.exe), the Windows subsystem process (csrss.exe), the Local Security Authority process (lsass.exe), and the Logon process (winlogon.exe)."
"...From a security perspective, the local system account is extremely powerful - more powerful than any domain or local account."
-- Windows Internals, 5th Edition (page 288 - 289).
Note that if you configure a service to logon as .\LocalSystem, it will still appear as logged on as NT AUTHORITY\SYSTEM in Process Explorer or System in Task Manager.
In Windows 7 a service set to Log on as: "Local System" account has the User Name "SYSTEM" in the Task Manager Processes tab.