Information
This policy setting allows accounts to launch network services or to register a process as a service running on the system.
This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an enterprise environment.
On Windows Vista-based (and newer) computers, no users or groups have this privilege by default.
The recommended state for this setting is: 'No One'.
Rationale:
'Log on as a service' is a powerful user right because it allows accounts to launch network services or services that run continuously on a computer, even when no one is logged on to the console.
The risk is reduced by the fact that only users with administrative privileges can install and configure services.
An attacker who has already attained that level of access could configure the service to run with the 'Local System' account.
Solution
To establish the recommended configuration via GP, set the following UI path to 'No One':
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Impact:
If you have installed optional components such as ASP.NET or IIS, you may need to assign the 'Log on as a service' user right to additional accounts that are required by those components.
IIS requires that this user right be explicitly granted to the ASPNET user account.