[MDEV-22272] windows installer - run service under virtual service account Created: 2020-04-17  Updated: 2021-02-17  Resolved: 2020-05-18

Status: Closed
Project: MariaDB Server
Component/s: Platform Windows
Fix Version/s: 10.6.0

Type: Task Priority: Major
Reporter: Vladislav Vaintroub Assignee: Vladislav Vaintroub
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Blocks
blocks MDEV-22175 windows installer - create SeLockMemo... Closed

 Description   

Windows 7 introduced virtual accounts for services, NT SERVICE\service_name.
They are low-privilege, do not need to be created (i.e. they exist when the service is created), have no password, and in a Kerberos environment run as the UPN machine account.
Overall, it is pretty much the same as the NETWORK SERVICE account we have used so far.

However, virtual accounts have better "granularity" than NETWORK SERVICE.

  • File access control is better (one mariadb service does not access files from another service).
  • Also, privilege assignment, if needed, can be done per-user (per-service).
    For example, to use large pages, one can give NT SERVICE\MariaDB the SeLockMemoryPrivilege.
    (See MDEV-22175.) If we ever decide to use symbolic links, this privilege can be given to the service as well.
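
The per-service file access control described above, as an added PowerShell example that is not part of this issue or of the MariaDB installer. The service name `MariaDB`, the data directory path and the choice of Modify rights are assumptions; run it from an elevated prompt.

```powershell
# Added example. Assumed names: service "MariaDB" and the data directory below.
$Service = 'MariaDB'
$DataDir = 'C:\MariaDB\data'          # assumed path, adjust to the real datadir
$Account = "NT SERVICE\$Service"      # virtual account; exists once the service does

# 1. Run the service under its virtual account. No password is supplied,
#    because virtual accounts have none.
sc.exe config $Service obj= $Account
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed ($LASTEXITCODE)" }

# 2. Drop inherited ACEs and grant access only to SYSTEM (S-1-5-18),
#    Administrators (S-1-5-32-544) and this one service account.
#    Modify is assumed to be sufficient for a data directory.
icacls.exe $DataDir /inheritance:r `
    /grant:r "*S-1-5-18:(OI)(CI)F" `
    /grant:r "*S-1-5-32-544:(OI)(CI)F" `
    /grant:r "${Account}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE)" }

# 3. Verify the logon account (comparison is case-insensitive).
$startName = (Get-CimInstance Win32_Service -Filter "Name='$Service'").StartName
if ($startName -ne $Account) { Write-Warning "Service still runs as '$startName'" }

# 4. Audit the ACL by SID, so localized account names do not matter.
#    Any Allow ACE outside the three expected principals is reported,
#    for example NETWORK SERVICE or the virtual account of another service.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$svcSid   = [System.Security.Principal.NTAccount]::new($Account).Translate($sidType).Value
$expected = 'S-1-5-18', 'S-1-5-32-544', $svcSid

$rules = (Get-Acl -LiteralPath $DataDir).GetAccessRules($true, $true, $sidType)
$unexpected = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $expected
}

if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    "Only SYSTEM, Administrators and $Account ($svcSid) can access $DataDir"
}
```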

Generated at Thu Feb 08 09:13:30 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.