Tuesday, April 25, 2017

What does 'Log on as a Service' actually mean?

The Log on as a service user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console.

In short, you only want to provide this right to the accounts that need it - by default, that's the Local System, Local Service and Network Service accounts, because those are what services run under by default.
If you wish to run a service under a different security context (like a service account you create), you would want to grant that service account Log on as a Service rights so that it could run your service without the need for a user to be logged in. The article you link provides IIS and ASP.NET as examples where additional accounts are granted this right; it applies to third-party programs that run as services as well.
If you don't want to run every service as SYSTEM or NetworkService, you would set up service accounts for individual services and assign them this Log on as a Service right. The main advantage of using service accounts in this way is that if your service is compromised, it's running under the security context of the account running it, rather than the SYSTEM-level security context that SYSTEM and NetworkService have.
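Since the right should only be held by the accounts that need it, the practical follow-up is to check who actually holds it. The PowerShell script below is an added example, not part of the original post: it exports the local security policy with secedit, resolves the SIDs listed under SeServiceLogonRight to account names, and flags any holder that is not on an approved list. The approved list (including the CONTOSO\svc-app placeholder) is an assumption to edit for your own environment; run it from an elevated prompt.

```powershell
# Added example (not from the original post): list the principals holding the
# "Log on as a service" right (SeServiceLogonRight) and flag unexpected ones.
# Requires an elevated PowerShell session (secedit needs admin to export policy).
# The approved list is an assumption; adjust it for your environment.
$Approved = @(
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE',
    'NT SERVICE\ALL SERVICES',
    'CONTOSO\svc-app'                 # placeholder for a dedicated service account
)

function Get-ServiceLogonRightHolders {
    # secedit writes an INI-style UTF-16 file; the line
    # "SeServiceLogonRight = *S-1-5-19,*S-1-5-20,..." lists the right's holders.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) { $entry; continue }   # already an account name
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Orphaned SID (e.g. a deleted account): keep it visible so it can be cleaned up
            $entry
        }
    }
}

$holders = Get-ServiceLogonRightHolders
foreach ($h in $holders) {
    # -contains is case-insensitive, so 'nt authority\local service' still matches
    $status = if ($Approved -contains $h) { 'approved' } else { 'REVIEW' }
    '{0,-10} {1}' -f $status, $h
}
```

Anything marked REVIEW is either a service account that should be added to the approved list once its service is documented, or a right that should be removed.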
