Running Go as Network Service on Windows

395 views
Skip to first unread message

Brian Butler

unread,
Apr 27, 2016, 2:21:30 PM4/27/16
to go-cd
Following the principle of least privilege, we'd like to run both Go Server and Go Agent services as "Network Service" instead of "Local System" on our Windows hosts. We're not explicitly performing any privileged operations on the local machines, and like Local System, network transactions will continue to use machine credentials.  Has anyone tried this with any degree of success?  Did you deploy as local system and then change the service logon properties, or did you build your own installers?

For what it's worth, I tried this on three different machines (at three different times and probably with three different versions of the Go software). While it seems to be working fine on the first, the second and third both fail with no logging, and a single event in the system event log:

The Go Server service terminated with the following service-specific error:
Incorrect function.
 If you've had success with this, I'd appreciate hearing details of your experience!

Thanks,
Brian Butler [MSFT]

Sriram Narayanan

unread,
May 1, 2016, 12:04:02 AM5/1/16
to go...@googlegroups.com
Instead of "Network Service", I have run the Go Agent as a special Build Agent user. This user had specific privileges.

-- Ram

--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Aravind SV

unread,
May 2, 2016, 6:32:48 AM5/2/16
to go...@googlegroups.com
On Thu, Apr 28, 2016 at 2:21 AM, Brian Butler <butler....@gmail.com> wrote:
For what it's worth, I tried this on three different machines (at three different times and probably with three different versions of the Go software). While it seems to be working fine on the first, the second and third both fail with no logging, and a single event in the system event log:

The Go Server service terminated with the following service-specific error:
Incorrect function.
 If you've had success with this, I'd appreciate hearing details of your experience!

You should also make sure that the user you used has permissions to read and write to C:\Program Files (x86)\Go Agent.

Brian Butler

unread,
May 16, 2016, 6:01:23 PM5/16/16
to go-cd
This was the key to making it work.  By default, NETWORK SERVICE does not have access to the install folder.  We're running this in preproduction now to see if we hit any unexpected errors, but so far it's going well.  Thank you for your help!
Reply all
Reply to author
Forward
0 new messages