The meaning of “Log on as a Service” and when to use the “Log on as a Service” policy?
In this article, we will learn what “Log on as a Service” is, when and where to use it, and how to enable it.
Let’s get started!
What is Log on as a service?
According to Microsoft documentation, log on as a service is a user permission right that allows an account to launch network services or programs that operate on a device whether or not the user is logged on.
The security context from which this service is executed determines if the service can access local or network resources. By default, services run under Local System, Local Service, and Network Service accounts.
Local System, Local Service, and Network Service are the predefined accounts in a Windows operating system. When you install a service that runs under a service user account, you need to specify the user name and password of that account. This is because the built-in CreateService function is called during this operation. It modifies the configuration information for the chosen service in the service control manager database.
How to enable Log on as a service?
The Log on as a service permission is granted through a domain policy or a local group policy.
If you want to enable Log on as a service for a local group policy, follow these steps:
1. Log in with an administrator account to the computer on which you want to grant the Log on as a service permission.
2. From Administrative Tools, click Local Security Policy.
3. Expand Local Policy and click User Rights Assignment.
4. Right-click Log on as a service and select Properties.
5. Click Add User or Group option to add the new user.
6. In the Select Users or Groups dialogue, find the user you wish to add and click OK.
How to install a service with Log on as a service policy?
To install a service, you can use the “Log on as a Service” policy.
For this scenario, we will use Advanced Installer’s built-in Service functionality to create a package installer with a service.
To see how to achieve that, follow these steps:
1. Go to Service Page -> Accounts
2. Once there, under the Account, you can specify: Start Name (the user account under which your service will run) and Password (the password for the service user account).
3. Set “Log on as a Service” policy. When this option is checked, the Log on as a Service policy is set for the specified user account.
The above steps apply to an existing user (present on the machine). If you want to install a service for a new user created by your installer package, follow our full guide on How to install a service for a custom user.
When and where to use Log on as a Service?
If you don't want to run every service under the System, Network Service, or Local Service account, you need to set up a service user account and assign it the Log on as a Service right.
The main benefit of using Service Accounts is the low risk of a security breach. If at some point your service is compromised, attackers will be unable to access its resources because they are protected by the security context of the account running it - rather than the SYSTEM-level security context that SYSTEM and NetworkService accounts have.
That’s why the best practice is to assign service install permissions only to accounts that services run under, and to run individual services under service accounts that are configured using the principle of least privilege (only give them the permissions they need to run; don't give them admin or SYSTEM privileges).
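As an added example (not from the original article or from Advanced Installer), the following PowerShell audit supports the least-privilege practice above: it lists every account that holds Log on as a service (internal name SeServiceLogonRight) and flags those that are direct members of the local Administrators group. The function name Get-ServiceLogonRightHolder is hypothetical, and the script assumes an elevated Windows PowerShell 5.1 or later prompt.

```powershell
# Added example: audit holders of "Log on as a service" (SeServiceLogonRight).
# Get-ServiceLogonRightHolder is a hypothetical name, not a built-in cmdlet.
function Get-ServiceLogonRightHolder {
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return }   # no account holds the right

    # Direct members of the local Administrators group (well-known SID S-1-5-32-544).
    # Nested group membership is not expanded here.
    $adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value }

    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading asterisk.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.TrimStart('*'))
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }   # e.g. a deleted account
        }
        else {
            # Some entries are written as plain account names.
            $name = $entry
            try {
                $sid = ([System.Security.Principal.NTAccount]$entry).Translate(
                    [System.Security.Principal.SecurityIdentifier])
            }
            catch { $sid = $null }
        }
        [pscustomobject]@{
            Account              = $name
            Sid                  = if ($sid) { $sid.Value } else { $null }
            IsLocalAdministrator = [bool]($sid -and ($adminSids -contains $sid.Value))
        }
    }
}

Get-ServiceLogonRightHolder |
    Sort-Object IsLocalAdministrator -Descending |
    Format-Table -AutoSize
```

Any row with IsLocalAdministrator set to True is a service account that should be reviewed against the least-privilege guidance, and an unresolved entry usually means the right is still assigned to an account that no longer exists.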
When do you think it’s best to use the “Log on as a Service” policy? Have you tried to add it to your package installer?
Let us know in the comment section below!