SYSTEMS BY RUNNING SERVICES UNDER LESS PRIVILEGED ACCOUNTS
One of the ways that Windows Server 2003 provides better security
is by running services under less privileged accounts when appropriate.
For example, in previous versions of Windows, many system services
ran under the highly privileged LocalSystem account. Services compromised
while running under this account could do just about anything.
Windows Server 2003 introduced two less privileged accounts: Local
Service and Network Service. Both accounts have only slightly higher
privilege levels than a typical user.
You can use Local Service for local system services that don't need
full access to the system, and you can employ Network Service for
network-based services. Network Service emulates a computer account
in a domain.
By default, Windows Server 2003 limits both services in what they
can do and what they can access. These restrictions help reduce the
amount of damage that an intruder can inflict with a compromised service.
Windows Server 2003 also reduces the number of services started by
default, which directly results in a more secure system. When a system
runs fewer services, it gives potential hackers fewer options to compromise.