| LocalSystem account in Windows 2000/XP
Author : Pavel <email@example.com>
Here is a couple of my observations on Windows 2000/XP LocalSystem account.
Originally (NT4) the paradigm of this account was declared by MS as the
1. This account doesn't require athentication on the local computer.
2. It has unlimited rights on the local computer.
3. No network resources can be accessed using this account.
Now, that's what we see in Windows 2000:
1. LocalSystem is still the main account under which the most of system
2. LocalSystem has unlimited privileges on Active Directory objects. It
true for all of the partitions located in the AD database. So, any process
running under LocalSystem on any of domain controllers can easily crash
the whole forest just by erasing Schema or Configuration objects. And
becomes not funny, you need to control every single backup operator as
well as patch thoroughly every single buffer overflow vulnerabilities
system services and apps.
3. Here is another surprise coming. Now the LocalSystem account is able
access other computer's shared resources. Basically, its rights are equal
to ones of "Users" or "Domain Users". So you don`t
need to be
authenticated by domain at all to access domain resources shared
for "Users" only.
Has anything changed in Microsoft's vision of the System account?
What are documented security features of this account?