Thread: PostgreSQL service account on Windows 7: Use a virtual account
Hi all

(This is really about the EDB installer, but we don't have anywhere better to discuss it than -general, so):

The PostgreSQL installer now uses the NETWORKSERVICE account on Windows by default (as of 9.2), instead of creating a "postgres" account with username and password. Which is a big improvement to usability.

I recently found out that on Windows 7 / win2k8 R2 and newer there's now a better alternative available: virtual accounts and managed service accounts. They combine the benefit of avoiding all that password management cruft with the ability to run services in less-privileged, better isolated accounts.

See "New Account Types Available with Windows 7 and Windows Server 2008 R2" in http://msdn.microsoft.com/en-au/library/ms143504.aspx particularly "virtual accounts".

If that looks a lot like a UNIX "system account", you're not mistaken. It looks like Microsoft have finally figured out that it'd be nice not to need a password for a background system service and to have to then store that password somewhere on the same system.

It may be worth adopting this when the installer detects a Windows 7 / Win2k8 R2 or newer system - just create an account like:

    NT Service\PostgreSQL$EDB-9.4-x86

(or whatever name will get rid of conflicts) and use that instead of NETWORK SERVICE.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

On Thu, Sep 11, 2014 at 10:25 PM, Craig Ringer <craig@2ndquadrant.com> wrote:
> The PostgreSQL installer now uses the NETWORKSERVICE account on Windows
> by default (as of 9.2), instead of creating a "postgres" account with
> username and password. Which is a big improvement to usability.

Using NETWORKSERVICE is not cool as it is created by the system and may be shared by some other processes. I am not sure about the security implications but this sounds weird and should be avoided if possible.

> I recently found out that on Windows 7 / win2k8 R2 and newer there's now
> a better alternative available: virtual accounts and managed service
> accounts. They combine the benefit of avoiding all that password
> management cruft with the ability to run services in less-privileged,
> better isolated accounts.

Makes sense to use it.

> It may be worth adopting this when the installer detects a Windows 7 /
> Win2k8 R2 or newer system - just create an account like:
>
> NT Service\PostgreSQL$EDB-9.4-x86

By looking here:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671%28v=vs.85%29.aspx
You'd need to be sure as well that there are necessary privileges in ALL SERVICES: at least SeServiceLogonRight and optionally SeNetworkLogonRight for network stuff. I guess that it is as well necessary to be careful about the platform version and to have a fallback mechanism to NETWORKSERVICE if platform version is rather old (older than 6.1 for Win2k8 R2 and Win7?!) or if necessary privileges are not present but well you are aware of that already :)

--
Michael

On 09/17/2014 05:35 AM, Michael Paquier wrote:
> On Thu, Sep 11, 2014 at 10:25 PM, Craig Ringer <craig@2ndquadrant.com> wrote:
>> The PostgreSQL installer now uses the NETWORKSERVICE account on Windows
>> by default (as of 9.2), instead of creating a "postgres" account with
>> username and password. Which is a big improvement to usability.
> Using NETWORKSERVICE is not cool as it is created by the system and
> may be shared by some other processes. I am not sure about the
> security implications but this sounds weird and should be avoided if
> possible.

(Resurrecting this discussion as I missed your reply)

Using NETWORK SERVICE is not ideal. Unfortunately, prior to Windows 7 the platform doesn't have a sane way to create service accounts. Users are expected to create a service account with a password, know what that password is, and be able to supply that password again when later required by other installers.

The alternative, which I advocated in the past, is to generate a random password to use as the service account password, and store that service account password in the Registry using a key only readable by the Administrators group and SYSTEM user. So our installer(s) could read the service account password when required and the user doesn't have to deal with the WTFery of having a system "postgres" password that's different to the postgres user account password.

This is more secure than using NETWORK SERVICE, not less, but I wasn't able to convince anyone that we should do it.

Using NETWORK SERVICE is less bad than what we had before - and users can still create a service account if they want, the default just changed to one that won't cause endless install problems and confusion.

At this point I think we can just not care for older Windows versions and focus on doing it right on Windows 7 and above, which has sensible passwordless service accounts.

>> It may be worth adopting this when the installer detects a Windows 7 /
>> Win2k8 R2 or newer system - just create an account like:
>>
>> NT Service\PostgreSQL$EDB-9.4-x86
> By looking here:
> http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671%28v=vs.85%29.aspx
> You'd need to be sure as well that there are necessary privileges in
> ALL SERVICES: at least SeServiceLogonRight and optionally
> SeNetworkLogonRight for network stuff. I guess that it is as well
> necessary to be careful about the platform version and to have a
> fallback mechanism to NETWORKSERVICE if platform version is rather
> old (older than 6.1 for Win2k8 R2 and Win7?!) or if necessary
> privileges are not present but well you are aware of that already :)

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
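
The account selection discussed in this thread (a virtual account on Windows 7 / Server 2008 R2 and newer, NETWORK SERVICE as the fallback on older versions), as an added PowerShell example that is not part of the original messages or of the EDB installer. The service name and data directory are placeholders, and the example relies on Windows naming a service's virtual account `NT SERVICE\<service name>`.

```powershell
# Added example: choose and apply a service logon account by Windows version.
# ASSUMPTION: service name and data directory below are placeholders.
$ServiceName = 'postgresql-example'
$DataDir     = 'C:\pgdata-example'

function Get-ServiceLogonAccount {
    param(
        [Parameter(Mandatory = $true)][string]  $Name,
        [Parameter(Mandatory = $true)][version] $OsVersion
    )
    # Virtual accounts exist from NT 6.1 (Windows 7 / Server 2008 R2) on.
    # Windows derives the account name from the service name itself.
    if ($OsVersion -ge [version]'6.1') {
        return "NT SERVICE\$Name"
    }
    # Older platforms: fall back to the shared built-in account.
    return 'NT AUTHORITY\NetworkService'
}

function Set-ServiceLogonAccount {
    param([string] $Name, [string] $Account, [string] $Path)

    # Grant the chosen account access to the data directory; (OI)(CI)
    # makes the entry inherit to files and subdirectories.
    & icacls.exe $Path /grant "${Account}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }

    # Neither account has a password to supply, so only obj= is set.
    & sc.exe config $Name obj= $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $Name" }

    # Read the setting back from the service control manager.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($svc.StartName -ne $Account) {
        throw "Service runs as '$($svc.StartName)', expected '$Account'"
    }
}

$account = Get-ServiceLogonAccount -Name $ServiceName `
    -OsVersion ([Environment]::OSVersion.Version)
Set-ServiceLogonAccount -Name $ServiceName -Account $account -Path $DataDir
Restart-Service -Name $ServiceName
```

Run it from an elevated prompt; a failed logon at restart points back to the SeServiceLogonRight check raised in the thread.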