I've been told that it's dangerous to run services under the SYSTEM account or under an account that has Administrator authority. For instance, I work for a small community bank, and a bank examiner told me that the SQL Server service shouldn't run under the Administrator account. Can you explain why?
Most services accept input from clients. A malicious client can send malformed input in an attempt to trick a service into performing malicious operations on behalf of the attacker. If successful, the attacker will be limited only by the authority of the account under which the service is running. Therefore, limiting the service to the least possible amount of privileges limits what the attacker can access or damage.
Additionally, some services give clients the ability to run OS commands supplied by the client. For instance, SQL Server has the extended stored procedure xp_cmdshell. Client-supplied commands typically execute under the account that's running the service. If the service is running under the SYSTEM or Administrator account and allows unprivileged clients to run OS commands, the client can "escalate" his or her privileges by getting the service to run arbitrary commands supplied by the client but executed under the all-powerful SYSTEM or Administrator account.
Register
