On Thu, Sep 11, 2014 at 10:25 PM, Craig Ringer <craig@xxxxxxxxxxxxxxx> wrote: > The PostgreSQL installer now uses the NETWORKSERVICE account on Windows > by default (as of 9.2), instead of creating a "postgres" account with > username and password. Which is a big improvement to usability. Using NETWORKSERVICE is not cool as it is created by the system and may be shared by some other processes. I am not sure about the security implications but this sounds weird and should be avoided if possible. > I recently found out that on Windows 7 / win2k8 R2 and newer there's now > a better alternative available: virtual accounts and managed service > accounts. They combine the benefit of avoiding all that password > management cruft with the ability to run services in less-privileged, > better isolated accounts. Makes sense to use it. > It may be worth adopting this when the installer detects a Windows 7 / > Win2k8 R2 or newer system - just create an account like: > > NT Service\PostgreSQL$EDB-9.4-x86 By looking here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671%28v=vs.85%29.aspx You'd need to be sure as well that there are necessary privileges in ALL SERVICES: at least SeServiceLogonRight and optionally SeNetworkLogonRight for network stuff. I guess that it is as well necessary to be careful about the platform version and to have a fallback mechanism to NETWORKSERVICE if platform version is rather old (older than 6.1 for Win2k8 R2 and Win7?!) or if necessary privileges are not present but well you are aware of that already :) -- Michael -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
