28 Mar 2013

Service Log on Account - Local System, Network Service or Domain User Account

Service Log On account is an important yet often overlook configuration. Just as the account you login to your windows workstation determines your authority over resources, the service log on account defines what the service is capable of accessing.

Windows Service
Windows Services are long-running executable applications that run in their own Windows sessions. They are designed not to require user intervention hence do not show any user interface. Those working with Microsoft Dynamics Ax actually work directly with a few Windows Services. The Application Object Server (AOS) of Microsoft Dynamics Ax is implemented as a Windows Service. The database server be it Microsoft SQL Server or Oracle runs as Window Service.

You will find the list of Window Services installed on your computer from the Services Management Console. It is found under Administrative Tools > Services. The following image shows the Services Management Console.



Log On Account
When we configure a distributed system with Windows Services, Service Log On account is one thing we should pay ample attention to. We do not usually spend effort on this for a standalone all-in-one installation we usually have in our laptop for demo and some development. When the pieces of the software are installed over a few servers however, there will be resources over the network that we need the Windows Service to access.

Microsoft Dynamics Ax AOS for example could be installed on a separate server from the Application files. This is a common model in production environment where more than one AOS is necessary. In this case, the Service Log On Account for these AOS will need rights to the application files over the network. On top of that, the AOS gains access to the database server using this credential too. The rights over database objects are determined by this Log On account.

Apart from that, we would not want these services to interfere with resources within the server itself for security reason. Services for information system such as those database servers are rather prone to attack. It is important that the account that starts this type of Windows Service has sufficient rights over the resources it requires and no more than that.

The following figure illustrates an example of Service Log On Account setting. This is found on the Log On tab of the Service Property dialog box.



Account Options
You may choose among three types of accounts to start a Windows Service; the Local System Account, the Network Service Account, or a dedicated Domain User Account.

Local System Account
The local system account is a Windows operating system account that has full administrative rights on the local computer but has no network access rights. If your Windows Service interacts with network resources, this account is not an option. Moreover, this account has too many privileges on local computer. It is not recommended for use with Windows Services we are dealing with.

Network Service Account
The Network Service account is a special built-in system account that is similar to an authenticated user account. This account has the same level of access to system resources and objects as other members of the Users group. Services that log on under this account will use the credentials of the computer account to access network resources. This includes accessing database. You have the option to set database access rights using computer account only.

Apart from the issue in defining database access, this account has too many privileges for the services we are discussing here since it inherits the rights from the Users group.

Domain User Account
Domain user account is an account we create manually in the Active Directory. Privileges could be configured exactly to our needs. We may define resources rights across servers. We could even configure database access specific to the need of the Windows Service.

If we have multiple instances of Dynamics Ax AOS serving different purposes for example, we may have different accounts for the AOS services. This allows us to give rights to the correct set of application files and database only. We will not have to worry even if different teams of people are working on the instances.

This is the most widely used account for starting such service under production environment. It fulfills the requirement of giving all the rights required and not more.

Conclusion
Decision on what account to use very much depends on the environment. However, the general rule of thumb is to have domain user account for services such as Dynamics Ax AOS, SQL Server, SQL Server Agent, etc. in production environment. The flexibility and independence of this account type is helpful.

When you assign a user account to start a Windows Service, additional rights required for this purpose are assigned automatically. This is the case for Dynamics Ax AOS service. SQL Server services on the other hand require more setting than other services. The Log On account for them should be assigned during installation or through the SQL Server Configuration Manager in order to have those setting performed.

No comments:

Create number sequence in D365 FO

Create the data type. Add code in the loadModule method of the appropriate NumberSeqModule subclass. Add a method to the module’s paramet...