A. Windows 7 and Windows 2008 R2 introduce the virtual account, which aims to address an auditability challenge many environments face today with services that use the Network Service built-in account.
The Network Service account was introduced in Windows 2003 as an alternative to using the LocalSystem account, which had full local system privileges on the local machine. The Network Service account can still access the network using the computer account's credentials, but it has limited local privileges, which eases security concerns.
When many services on a machine are configured to use the Network Service account, it becomes hard to track which service is actually accessing resources and performing actions, because all the services are using the one Network Service account.
Virtual accounts emulate creating many unique instances of the Network Service account, so each service runs with its own Network Service instance that has the same name as the service. These unique instances of Network Service make auditing and tracking much easier.
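As an added example (not part of the original FAQ), the PowerShell below groups services by logon account to show which ones share the single Network Service identity and which already run under a per-service virtual account. It assumes PowerShell 3.0 or later and the `NT SERVICE\<service name>` form in which Windows reports virtual accounts; the function name and the sample rows are constructed for illustration.

```powershell
# Added example: classify services by logon account so the shared
# Network Service identity can be told apart from per-service virtual accounts.
function Get-ServiceAccountClass {
    param(
        # Objects exposing Name and StartName; defaults to the live service list.
        [object[]]$Services = (Get-CimInstance -ClassName Win32_Service)
    )
    foreach ($svc in $Services) {
        $account = [string]$svc.StartName   # may be empty for some services
        $class = switch -Regex ($account) {
            '^NT AUTHORITY\\Network ?Service$'     { 'SharedNetworkService'; break }
            '^NT SERVICE\\'                        { 'VirtualAccount'; break }
            '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'LocalSystem'; break }
            '^NT AUTHORITY\\Local ?Service$'       { 'LocalService'; break }
            default                                { 'Other' }
        }
        [pscustomobject]@{
            Service = $svc.Name
            Account = $account
            Class   = $class
        }
    }
}

# Constructed sample rows (not taken from a real host) to show the output shape.
$sample = @(
    [pscustomobject]@{ Name = 'SvcA'; StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'SvcB'; StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'SvcC'; StartName = 'NT SERVICE\SvcC' }
)

# SvcA and SvcB land in one group: by account name alone, an audit record
# cannot say which of them touched a resource. SvcC has its own identity.
Get-ServiceAccountClass -Services $sample |
    Group-Object -Property Class |
    Select-Object Name, Count,
        @{ Name = 'Services'; Expression = { $_.Group.Service -join ', ' } }

# On a live machine, omit -Services to inspect the installed services:
# Get-ServiceAccountClass | Where-Object Class -eq 'SharedNetworkService'
```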