Managing Accounts and Privileges
In Microsoft Windows 2000 Server, the DTC runs under the LocalSystem account. This is a powerful account, partly because the account runs as a member of the Administrators user group. Running as LocalSystem provides a user with full access to the system.
Microsoft Windows XP, Windows Server 2003, and subsequent versions provide a less-privileged account for the DTC to use. This account, NetworkService, is specifically designed to allow services such as the DTC to run with the appropriate set of privileges and a minimized risk of attack. NetworkService is the default account for the DTC in Windows XP and Windows Server 2003.
To minimize security problems, it is recommended that you use the default NetworkService account. In future releases, it may not be possible to run the DTC under any account other than NetworkService.
The NetworkService account provides the following privileges to the DTC:
Exclusive access to the DTC log: Because the DTC log stores the outcomes of transactions, tampering with the log can cause serious data corruption in a resource manager's database. In addition, the DTC log stores XA open strings (currently encrypted) that can include passwords for accessing XA databases. Therefore, only the DTC has write access to the DTC log.
Also, in Windows XP and Windows Server 2003, you can use the Component Services administrative tool to change the location of the DTC log. The default location is System32\DTCLog, but this can be changed to any directory residing on a fixed drive on the local machine. When the log has been moved, a new access control list (ACL) is automatically added to the new directory, specifying that only users logged in as NetworkService can access this directory.
Exclusive access to the DTC registry settings: The registry stores several types of DTC information that must be kept safe to avoid tampering or serious data corruption of the resource manager's database. This information includes the name of the DTC log, security settings, communication contact information, and other configuration data. The DTC has read-only access to the registry settings.
Access to the Cluster service: The DTC must be run under an account that has access to the Cluster service. NetworkService is automatically granted full access to the cluster when the cluster is installed.