Question
I'm writing a small server-like program in C for Windows (using MinGW/GCC, testing on Windows 7) which is eventually supposed to run as a service with the LocalSystem account. I am creating a socket, and using Windows Sockets bind(), listen() and accept() to listen for incoming connections. If I run the application from the command line (i.e. not as a service, but as a normal user), I have no problems connecting to it from external IPs. However, if I run the program as a service with the LocalSystem account, I can only connect to the service from my own PC, either with 127.0.0.1 or my local address, 192.168.1.80 (I'm behind a router in a small local network). Neither external IPs nor other PCs in the same local network, using my local address, can connect now, even though there were no problems without running as a service.
Now, I've heard that networking is handled differently or even not accessible (?) when running as LocalSystem or LocalService or that services cannot access both the desktop and the network (note: my service is not interactive) at the same time due to security considerations. Essentially, I need to find out what's going wrong/how to listen for connections in a service. Is running as NetworkService the same as running as LocalSystem, but with network access? Surely there must be servers that can run as background services, so how do they do it?
UPDATE: It seems that the suggestions to turn off the firewall were on the right track – I can get a connection after adding an exception in the Windows Firewall. I guess I wasn't thinking about the firewall because when you run an application using sockets normally, you get a prompt asking to add an exception, which doesn't happen when a service is run for the first time. Is there a better way to handle this than adding the rule to the firewall manually? Does LocalSystem have the privileges to add a rule to the firewall itself or would I have to do this during installation somehow?
Answer 1:
LocalSystem and LocalService accounts have restricted network logon rights, but as far as I know it should not affect socket connections.
However, the Windows firewall will be active, and if you moved the executable to a new directory for installation as a service, it might no longer match the rule you made for testing.
Answer 2:
The user account used to run a service does not affect TCP/UDP bind/listen operations.
Make sure you have disabled firewall service and/or antivirus and try again.
You can read more details on MSDN and built-in service accounts:
Service accounts
A service that runs in the context of the LocalSystem account inherits the security context of the SCM. LocalSystem is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is "NT AUTHORITY\SYSTEM".
LocalService has minimum privileges on the local computer and presents anonymous credentials on the network. The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. The actual name of the account is "NT AUTHORITY\LOCAL SERVICE".
A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers. The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NETWORK SERVICE".
I'm pretty sure that you can bind/listen on a port when you run a service as LocalSystem. For example, Apache 2.2 did it.
Some reading:
Understanding the Local Service and Network Service Accounts
Answer 3:
As the other answers (by rkosegi and Ben Voigt) suggested, the Windows Firewall was blocking the port because I moved the executable to a different location for installation and because services do not cause the notification that a connection has been blocked (along with a button to unblock the application) to appear. I ended up using netsh advfirewall firewall add rule name="%name%" dir=in action=allow program="%path%" enable=yes in a .bat-file to easily add an exception to the firewall.
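As an added example (not part of any of the answers above), here is an installer-side batch script that does what the accepted approach describes, but scopes the exception to the executable, the TCP port and the private/domain profiles instead of a blanket allow, checks for an existing rule so repeated installs do not pile up duplicates, and pairs the rule with a removal step for uninstall. The rule name, executable path and port are placeholders to replace with your own.

```batch
@echo off
REM Added example, not from the original answers: manage the Windows Firewall
REM rule for a service binary with netsh advfirewall (available on Windows 7).
REM Assumptions (placeholders): the service lives at SERVICE_EXE and listens
REM on TCP port PORT. Run from an elevated prompt, as with installing a service.
setlocal
set "RULE_NAME=MyListenerService (TCP-In)"
set "SERVICE_EXE=C:\Program Files\MyListener\listener.exe"
set "PORT=5000"

if /I "%~1"=="remove" goto :remove

REM Idempotent: netsh exits non-zero when no rule matches the given name.
netsh advfirewall firewall show rule name="%RULE_NAME%" >nul 2>&1
if %ERRORLEVEL% EQU 0 (
    echo Rule "%RULE_NAME%" already exists, nothing to do.
    goto :eof
)

REM Scope the exception as narrowly as the service needs:
REM  - program=            applies only to this executable (the path that
REM                        the service is actually installed from)
REM  - protocol/localport  only the port the service listens on
REM  - profile=            private and domain networks, not public ones
REM Add remoteip=LocalSubnet if only LAN peers need access; the question
REM above needs external clients, so it is left out here.
netsh advfirewall firewall add rule name="%RULE_NAME%" dir=in action=allow ^
    program="%SERVICE_EXE%" protocol=TCP localport=%PORT% ^
    profile=private,domain enable=yes
if %ERRORLEVEL% NEQ 0 (
    echo Failed to add the firewall rule; run this script elevated.
    exit /b 1
)
echo Added rule "%RULE_NAME%".
goto :eof

:remove
REM Uninstall path: remove the rule so no orphaned exception stays behind.
netsh advfirewall firewall delete rule name="%RULE_NAME%"
goto :eof
```

Run the script once from the elevated installer to add the rule and with the argument remove at uninstall time; the rule's program= path must match the final installed location, which is exactly what broke in the question when the binary was moved.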
Source: https://stackoverflow.com/questions/10942916/windows-service-listening-on-socket-while-running-as-localsystem