Best practice for service running as local user

Yihong Zhang 0 Microsoft Employee

We are working on changing our .NET service from admin to local user. We want to know if there is anything we can follow to deal with issues regarding losing admin privilege.

Here is our application manifest:

<Principals>
    <Users>
        <User Name="ServiceLocalUser">
            <MemberOf>
                <SystemGroup Name="Users" />
            </MemberOf>
        </User>
    </Users>
</Principals>
<Policies>
    <DefaultRunAsPolicy UserRef="ServiceLocalUser" />
</Policies>

which creates a WinFabApplication|ServiceLocalUser| user starting with WF- running our service.

We have to make some change to adopt the change to service local user, however there is something we are not able to figure out how to do. i.e. we have some netsh command must be running as admin, and it stops working after changing to local user because it requires elevated command. I am not able to find a way to make it working after I changed it to elevated command which requires "runas" opens a User Account Control (UAC) prompt, which requires an interactive user session.

System.ComponentModel.Win32Exception (0x80004005): This operation requires an interactive window station

Does Service Fabric have some local user which still has privilege to run elevated command? Or is there any example how to setup .NET service with local user that requires admin privilege?

Akshay kumar Mandha 1,040 Reputation points Microsoft Vendor

2024-09-30T22:52:18.0533333+00:00

Hi Yihong Zhang,
Welcome to the Microsoft Q&A Platform. Thank you for posting your query here. We are looking into it and will get back to you soon.
Akshay kumar Mandha 1,040 Reputation points Microsoft Vendor

2024-10-01T17:39:04.9533333+00:00

Hi Yihong Zhang,
When you switch your .NET service to run under a local user account in Azure Service Fabric, you'll lose the ability to execute commands that require admin privileges, like netsh. Unfortunately, there isn't a built-in local user in Service Fabric that has elevated permissions.

To work around this, you can create a separate helper service that runs under an admin account, allowing it to execute those privileged commands on behalf of your main service. Alternatively, you could set up a scheduled task that runs with elevated rights, triggering it from your service when needed. Please refer this document Run a service as a local user account or local system account for more information

If your commands can be handled with PowerShell scripts, consider creating scripts that run elevated and are called by your service. While you could run your entire service as an admin, it’s not ideal for security reasons. In short, you’ll need to find a way to manage elevated commands through a different approach while keeping your main service under a local user account. Please refer this document Run a service startup script as a local user or system account for more information

If you found helpful, could you please click an "Upvote" on my post. Please Let us know if you any further query we are happy to assist you
Akshay kumar Mandha 1,040 Reputation points Microsoft Vendor

2024-10-03T17:26:03.72+00:00

Hi Yihong Zhang,
Just wanted to check is that previous response is helpful, please let us know if you have any questions tag me in comment, we will always assist you
Thank you.!
Akshay kumar Mandha 1,040 Reputation points Microsoft Vendor

2024-10-04T17:06:54.6933333+00:00

Hi Yihong Zhang,
Is that issue resolved Please let us know If you have any query tag me in comment
If you found helpful my previous response, could you please click an "Upvote" on my post. for other community members reference

Share via

Best practice for service running as local user

Your answer