Craig Ringer
2014-09-12 05:25:54 UTC
Hi all
(This is really about the EDB installer, but we don't have anywhere
better to discuss it than -general, so):
The PostgreSQL installer now uses the NETWORKSERVICE account on Windows
by default (as of 9.2), instead of creating a "postgres" account with
username and password. Which is a big improvement to usability.
I recently found out that on Windows 7 / win2k8 R2 and newer there's now
a better alternative available: virtual accounts and managed service
accounts. They combine the benefit of avoiding all that password
management cruft with the ability to run services in less-privileged,
better isolated accounts.
See "New Account Types Available with Windows 7 and Windows Server 2008
R2" in
http://msdn.microsoft.com/en-au/library/ms143504.aspx
particularly "virtual accounts".
If that looks a lot like a UNIX "system account", you're not mistaken.
It looks like Microsoft have finally figured out that it'd be nice not
to need a password for a background system service and to have to then
store that password somewhere on the same system.
It may be worth adopting this when the installer detects a Windows 7 /
Win2k8 R2 or newer system - just create an account like:
NT Service\PostgreSQL$EDB-9.4-x86
(or whatever name will get rid of conflicts) and use that instead of
NETWORK SERVICE.
(This is really about the EDB installer, but we don't have anywhere
better to discuss it than -general, so):
The PostgreSQL installer now uses the NETWORKSERVICE account on Windows
by default (as of 9.2), instead of creating a "postgres" account with
username and password. Which is a big improvement to usability.
I recently found out that on Windows 7 / win2k8 R2 and newer there's now
a better alternative available: virtual accounts and managed service
accounts. They combine the benefit of avoiding all that password
management cruft with the ability to run services in less-privileged,
better isolated accounts.
See "New Account Types Available with Windows 7 and Windows Server 2008
R2" in
http://msdn.microsoft.com/en-au/library/ms143504.aspx
particularly "virtual accounts".
If that looks a lot like a UNIX "system account", you're not mistaken.
It looks like Microsoft have finally figured out that it'd be nice not
to need a password for a background system service and to have to then
store that password somewhere on the same system.
It may be worth adopting this when the installer detects a Windows 7 /
Win2k8 R2 or newer system - just create an account like:
NT Service\PostgreSQL$EDB-9.4-x86
(or whatever name will get rid of conflicts) and use that instead of
NETWORK SERVICE.
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
--
Sent via pgsql-general mailing list (pgsql-***@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
--
Sent via pgsql-general mailing list (pgsql-***@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general