Windows NTFS Permissions for NTS

The Personify E-Mail Notification Service requires a set of Windows permissions to operate within the Windows Operating System. By default, the notification service is installed to run as the “Network Service” account within a Windows Server 2003 or Windows XP environment. System administrators can change the account that the notification service runs under by using the Windows Service Control Manager.

The following is a description of the Network Service account in Windows Server 2003:

On computers running Windows Server 2003, services can be configured to log on under the Network Service account. Like Local System, this account does not require a password. The password is an empty password.

The Network Service account is a built-in system account that has the privileges of an authenticated user; therefore, it provides an alternative to running services under the Local System account. There is no lockout policy for the Network Service account because it is not password-protected. The protection mechanism is that only a process running under the Local System account can perform a Network Service (or Local Service) logon and it must be a service-type logon.

The Network Service account is intended for services that have no need for extensive local privileges, but do need authenticated network access. Services running as the Network Service account access local resources as ordinary users. When they access network resources, they do so using the credentials of the computer. A service running as Network Service has the same network access as a service running as Local System, but it has significantly reduced local access. The following security privileges are available to services running in the Network Service account:

· SeShutdownPrivilege
· SeAuditPrivilege
· SeChangeNotifyPrivilege
· SeUndockPrivilege
· SeImpersonatePrivilege

Minimum Service Account Security Permissions for Personify Email Notifications

| Permission | Reason |
|---|---|
| Modify, Read & Execute, List Folder Contents, Read, Write | Folder where Notification Service is installed. |
| Log on as a Service | Required by Windows to allow a user account to operate as a Windows Service. The local service and network service accounts have this privilege assigned to them by default. Active Directory user accounts do not have this privilege assigned by default, but this privilege can be assigned using the Local Security Policy editor found under Start/Programs/Administrative Tools/Local Security Policy. For additional assistance in establishing these permissions, contact your local network administrator. |
| Write to machine application event log | The Personify E-Mail Notification Service writes informational messages to the Windows application event log to inform administrators of specific process events as they occur within the service. The logging level configured for the service determines how much data is written to the application event log. |
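
The following audit script is an added example, not part of the Personify documentation. It checks the folder-permission row of the table above by reading which account the service logs on as and whether that account has Modify, and not Full Control, on the install folder. The service name and install folder are placeholders because the page does not give them, and the script assumes Windows PowerShell 2.0 or later.

```powershell
# Added example: compare the install-folder ACL with the minimum rights in the table.
# Both parameter defaults are placeholders; substitute the real values for your install.
param(
    [string]$ServiceName = '<notification-service-name>',
    [string]$InstallDir  = '<notification-service-install-folder>'
)

$Rights  = [System.Security.AccessControl.FileSystemRights]
$SidType = [System.Security.Principal.SecurityIdentifier]

# Win32_Service reports built-in accounts under names that differ from the names
# shown in ACLs, so map them to their well-known SIDs instead of comparing strings.
$WellKnown = @{
    'LocalSystem'                 = 'S-1-5-18'
    'NT AUTHORITY\LocalService'   = 'S-1-5-19'
    'NT AUTHORITY\NetworkService' = 'S-1-5-20'
}

$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

$account = $svc.StartName
if ($WellKnown.ContainsKey($account)) {
    $accountSid = $WellKnown[$account]
} else {
    # ".\user" means a local account; expand it so the name can be resolved.
    $name = $account -replace '^\.\\', "$env:COMPUTERNAME\"
    $accountSid = ([System.Security.Principal.NTAccount]$name).Translate($SidType).Value
}

# Collect explicit and inherited ACEs that name the service account directly.
# Rights granted through group membership are not evaluated here.
$allow = 0; $deny = 0
$rules = (Get-Acl -Path $InstallDir).GetAccessRules($true, $true, $SidType)
foreach ($ace in $rules) {
    if ($ace.IdentityReference.Value -ne $accountSid) { continue }
    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
    else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
}
$effective = $allow -band (-bnot $deny)
$modify    = [int]$Rights::Modify        # covers Read & Execute, List, Read and Write
$full      = [int]$Rights::FullControl   # more than the table asks for

New-Object PSObject -Property @{
    Service        = $ServiceName
    RunsAs         = $account
    DirectRights   = [System.Security.AccessControl.FileSystemRights]$effective
    HasModify      = (($effective -band $modify) -eq $modify)
    HasFullControl = (($effective -band $full) -eq $full)
}
```

If `HasModify` is false, the account may still receive the rights through a group such as Users, so check group-granted ACEs before adding an explicit entry.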