A service, like any process, has a primary security identity that determines the granted access rights and privileges for local and network resources. This security identity, or security context, also determines the potential the service has for damaging local and network resources.

The security context for a Microsoft Win32 service is determined by the logon account that is used to start the service. This section discusses programming issues and best practices relating to the service logon account used by Win32 services, with a focus on directory-enabled services. This section includes the following topics:

• An overview of service logon accounts and security context programming issues for a Win32 service.
• Guidelines for selecting a logon account for a Win32 service.
• Setting up a service's user account.
• Installing a service on a host computer and specifying the service logon account.
• Granting the service's user account the logon as a service right on the host computer.
• Detecting at installation time whether the service instance is being installed on a domain controller.
• Setting and maintaining ACEs and group memberships to ensure that the system will grant the running service access to the necessary local and network resources.
• Changing the password on a service's user account, and at the same time updating the password registered with the service control manager on each host server on which the service is installed.
• Maintaining service principal name (SPN) registration on the directory object associated with the logon account of each instance of your service. SPNs enable clients to authenticate a service using Kerberos mutual authentication. For more information, see Mutual Authentication Using Kerberos.
• Converting domain account name formats, for example, converting a distinguished name to "<domain>\<username>" format, and vice versa.

Send comments about this topic to Microsoft

Build date: 10/9/2008