How can I run a service with a limited account (WXP-Pro)



HGeneAnthony
03-12-2006, 08:35 PM
A common practice on Unix-based systems is to run a service under an account with no more privileges than necessary. Generally the account you run it under can't even log in. The idea is that if the service is compromised, it has little control over the OS. I would like to do something like this with Windows. I was trying to set Apache to run under an account I created called Apache. The account was running as a user account. However, I couldn't start the service; it kept shooting out an error. When I elevated the account to an administrator, however, it would work. This happened on traditional port 80 and even on port 10001 (which the user account should be able to start a service on). I looked online and I saw some sites which recommended setting it (in the local security policy) to act as part of the operating system. As far as I gathered, this would allow a process to act as anything it wishes and is just as powerful as the system account. I was wondering if you think running a service on a low-privilege account (as opposed to the system account) under Windows is a good idea, and if so, how can I add the privileges necessary to make it happen?

Brf
03-13-2006, 10:06 AM
There is a user right called "Logon as a Service". Make sure that user has that right. Also, make sure it has privileges on the directories it needs to access.
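
The two steps from the reply above (the service logon right and directory permissions), worked through at a Windows XP command prompt as an added example that is not part of either post. The service name `Apache2`, the install path and the use of `ntrights.exe` (a Windows Server 2003 Resource Kit tool, not part of XP) are assumptions; adjust them to the local install.

```batch
@echo off
rem Added example. ACCT, SVC and APACHE_HOME are assumed values, not from the thread.
setlocal
set ACCT=Apache
set SVC=Apache2
set APACHE_HOME=C:\Program Files\Apache Group\Apache2

rem 1. Create the local account (prompts for a password). Skip if it already exists.
net user %ACCT% * /add /passwordchg:no /comment:"Apache service account"

rem 2. If the account was made an administrator while testing, undo that.
rem    (Reports an error and changes nothing when the account is not a member.)
net localgroup Administrators %ACCT% /delete

rem 3. Grant the "Log on as a service" right (SeServiceLogonRight).
rem    Without ntrights.exe, set the same right in secpol.msc under
rem    Local Policies, User Rights Assignment.
ntrights +r SeServiceLogonRight -u %ACCT%

rem 4. Directory permissions: read on the install tree, change on logs only.
rem    /T = recurse, /E = edit the existing ACL instead of replacing it.
cacls "%APACHE_HOME%" /T /E /G %ACCT%:R
cacls "%APACHE_HOME%\logs" /T /E /G %ACCT%:C

rem 5. Point the service at the account. sc needs the space after "obj=" and
rem    "password=". Note that set /p echoes the typed password to the console.
set /p SVC_PW=Password for %ACCT%: 
sc config %SVC% obj= ".\%ACCT%" password= "%SVC_PW%"
set SVC_PW=

rem 6. Confirm SERVICE_START_NAME shows the account, then start the service.
sc qc %SVC%
net start %SVC%
endlocal
```

If the service still fails to start, the Application and System event logs usually name the file or directory the account could not open, which shows where the next permission grant is needed.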