1
00:00:06,420 --> 00:00:14,560
In the Windows operating system applications sometimes require administrative access to local land network

2
00:00:14,560 --> 00:00:15,640
resources.

3
00:00:15,670 --> 00:00:22,760
In the past it was common to give this application administrative account permissions to the resources.

4
00:00:22,780 --> 00:00:31,780
For example Microsoft sequel server needs to manage its databases and it might need local administrative

5
00:00:31,960 --> 00:00:40,360
access to do this in a distributed sequel solar environment with multiple sequel servers each hosting

6
00:00:40,420 --> 00:00:42,320
numerous databases.

7
00:00:42,430 --> 00:00:47,080
It might need administrative access to all of them for that reason.

8
00:00:47,350 --> 00:00:55,150
An administrator needs to create an account for a sequel server that belongs to the domain admins group

9
00:00:55,450 --> 00:01:03,790
or at least the computers local administrators group with a password that is configured to not ever

10
00:01:03,790 --> 00:01:04,830
expire.

11
00:01:04,840 --> 00:01:13,750
Administrators need to remember to periodically change the password manually on every server service

12
00:01:14,050 --> 00:01:15,550
under which it runs.

13
00:01:15,550 --> 00:01:25,190
This type of account introduces possible security issues and if compromised can endanger an entire domain.

14
00:01:25,270 --> 00:01:32,740
Therefore because of the possible security issues you could consider running the program a service by

15
00:01:32,740 --> 00:01:40,360
using a built in local account Windows operating systems have three built in local accounts to allow

16
00:01:40,360 --> 00:01:44,100
program and servers access of resources.

17
00:01:44,140 --> 00:01:51,200
These three accounts are tied to the individual computer rather than a user account.

18
00:01:51,250 --> 00:01:56,170
It is connected to a local computer as follows local system.

19
00:01:56,170 --> 00:02:02,800
It has extensive privileges on the local system and acts as the computer on the network.

20
00:02:02,800 --> 00:02:06,850
It is a very high privilege built underground.

21
00:02:07,000 --> 00:02:13,740
The name of their counties and anti authority backslash system and local service.

22
00:02:13,750 --> 00:02:21,790
This has the same level of access to resources and objects as members of the local user group.

23
00:02:21,790 --> 00:02:26,040
This limited access helps protect the system.

24
00:02:26,050 --> 00:02:34,600
If individual services or processes are compromised services run and other local service account will

25
00:02:34,600 --> 00:02:40,480
access network resources as new session without any credentials.

26
00:02:40,570 --> 00:02:49,390
The name of the county's anti authority backslash local service and the sole type of such accounts are

27
00:02:49,690 --> 00:02:51,270
network service.

28
00:02:51,280 --> 00:03:00,310
It has more access to resources and objects than members of the user group have such as the local service

29
00:03:00,310 --> 00:03:07,060
account services that run as a network service account access network resources.

30
00:03:07,060 --> 00:03:15,580
By using the credentials of the computer account the name of the account is empty authority backslash

31
00:03:15,940 --> 00:03:17,370
network servers.

32
00:03:17,380 --> 00:03:24,660
Now you should be aware that using the local system account still might compromise security.

33
00:03:24,790 --> 00:03:29,340
Considering their higher level privileges under which it operates.

34
00:03:29,350 --> 00:03:36,760
Therefore you should take extra care when using this account for program Access.

35
00:03:36,970 --> 00:03:44,110
Alternatively the local service account might not have enough privileges to access all the resources

36
00:03:44,410 --> 00:03:46,360
required by the program.

37
00:03:46,420 --> 00:03:53,170
If the program needs resources on other computers you could use the network service account.

38
00:03:53,410 --> 00:04:00,440
However you must add the machine account group in the domain or individually.

39
00:04:00,460 --> 00:04:09,490
On the other computers in all cases you should make a thorough security analysis to ensure you consider

40
00:04:09,580 --> 00:04:12,700
all aspects of using the service account.

41
00:04:12,700 --> 00:04:16,740
Next up will be talking about challenges of using the service accounts.