windows 中的服务隔离在windows vista 以及server 2008之后就有了,可以让管理员控制本地资源的使用(如文件、注册表等等)。之前windows版本中,系统内置了一些高权限的服务账号,大家所熟悉的有Local System,Network,LocalService
为了最小化权限使用,通常我们需要创建账号来赋予最小权限,然后配置服务以这个账号运行,但是如果服务较多,那么有许许多多的账号要维护,而且如果你有严格的密码策略的话,比如定期要更改服务账号的密码,那真是头疼。
window 中的Service SID(另外一个称呼是Virutal Account) 可以针对每个服务启用,它可以让管理员针对Service SID来隔离服务使用的资源。同时不必维护服务账号的密码。Service SID 账号访问网络资源是使用的凭据是计算机账号,DomainName\ComputerName$.
创建Service ID 可以使用
sc sidtype <service_name> unrestricted
sc sidtype <service_name> restricted
当然也可以使用sc qsidtype <serviec_name>来查询Service SID ,我这里针对微软的SCOM Agent health service 服务进行查询。
sidtype 有三种
- None (0x0) – the service will not have a per-service SID. 服务默认设置为none
- Unrestricted (0x1) – the service has a per-service SID 服务有一个service SID
- Restricted (0x3) – the service has a per-service SID and a write-restricted token.服务有一个Service SID,同时加上了写保护 标签。
当服务配置使用Service SID时(无论restricted 或unrestricted) ,Service SID是一串SHA1 Hash.如果想看这个SID的具体值,可以使用
sc showsid <servicename>
然后我们看看wsearch 的执行账号配置为本地系统账号
那这个Service SID起了什么作用呢,拿SQL Server为例,SQL Server 2008 r2 之前的版本会默认让local system 账号放在数据库sysadmin 中,但是sql server 2012 之后就不放了,那么之前如果你有个服务运行在local system 账号,比如我们的SCOM监控服务访问SQL应该是没有权限问题的,但是在sql server 2012 上,你可能需要额外设置,因为这个时候会没有权限。这个时候我假设你给SCOM监控客户端服务启用了Service SID ,那么会在healthservice的服务进程上就会增加 nt service\healthservice 的令牌,这个时候如果你单独在SQL中创建nt service\healthservice 的登录,并赋予相应权限,那么这个healthservice 虽然是运行在local system 账号,但是他却能访问sql了。然后你可能还有另外的其他服务B也是以local system 账号运行,但是这个sql 的权限却只给了healthservice 服务,这个服务B却不能访问SQL。(之前在没有Service SID 的时候,你可能一股脑把权限开给了local system ,然后所有使用local system 登陆的服务都有了访问SQL 的权限)。
那么这个Service SID的实战作用在哪里呢?这就是这篇文章的终极目的。如果你用SCOM 监控SQL,那么更高版本的SQL Server的执行账号管理的问题,你可能已经很头痛了。使用service SID 可以轻松解决这个问题,然后还有个人专门另外创建了管理包,可以监视有SQL Server的机器上的healthservice 的Service SID有没有开启,然后可以用恢复任务来开启(这个恢复任务默认是禁用的)。然后还可以监控healthservice 的SID账号有没有数据库的权限。参考这个链接:
https://gallery.technet.microsoft.com/SQL-Server-RunAs-Addendum-0c183c32#content
windows内置系统账号权限及作用参考:
- LocalService account (preferred)
- Name:
NT AUTHORITY\LocalService - the account has no password (any password information you provide is ignored)
- HKCU represents the LocalService user account
- has minimal privileges on the local computer
- presents anonymous credentials on the network
- SID: S-1-5-19
- has its own profile under the HKEY_USERS registry key (
HKEY_USERS\S-1-5-19)
A limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service it
has no ability to access the network as the machineaccesses the network as an Anonymous user. - Name:
- NetworkService account
NT AUTHORITY\NetworkService- the account has no password (any password information you provide is ignored)
- HKCU represents the NetworkService user account
- has minimal privileges on the local computer
- presents the computer‘s credentials (e.g.
MANGO$) to remote servers - SID: S-1-5-20
- has its own profile under the HKEY_USERS registry key (
HKEY_USERS\S-1-5-20) - If trying to schedule a task using it, enter
NETWORK SERVICEinto the Select User or Groupdialog
Limited service account that is meant to run standard least-privileged services. This account is far more limited than Local System (or even Administrator) but still has the right to access the network as the machine (see caveat above).
- LocalSystem account (dangerous, don‘t use!)
- Name:
.\LocalSystem(can also useLocalSystemorComputerName\LocalSystem) - the account has no password (any password information you provide is ignored)
- SID: S-1-5-18
- does not have any profile of its own (
HKCUrepresents the default user) - has extensive privileges on the local computer
- presents the computer‘s credentials (e.g.
MANGO$) to remote servers
- Name:
https://blogs.technet.microsoft.com/voy/2007/03/22/per-service-sid/
https://support.microsoft.com/en-us/kb/2620201
http://thoughtsonopsmgr.blogspot.com/2014/09/sql-mp-challenge-run-as-accounts.html