LocalSystem account in Windows 2000/XP

[Pavel <hiddenrecipient () email com>]

Hello everybody,

Here is a couple of my observations on Windows 2000/XP LocalSystem account.

Originally (NT4) the paradigm of this account was declared by MS as the 
following:

1. This account doesn't require athentication on the local computer.
2. It has unlimited rights on the local computer.
3. No network resources can be accessed using this account.

Now, that's what we see in Windows 2000:

1. LocalSystem is still the main account under which the most of system 
services run.
2. LocalSystem has unlimited privileges on Active Directory objects. It is 
true for all of the partitions located in the AD database. So, any process 
running under LocalSystem on any of domain controllers can easily crash 
the whole forest just by erasing Schema or Configuration objects. And that 
becomes not funny, you need to control every single backup operator as 
well as patch thoroughly every single buffer overflow vulnerabilities in 
system services and apps.
3. Here is another surprise coming. Now the LocalSystem account is able to 
access other computer's shared resources. Basically, its rights are equal 
to ones of "Users" or "Domain Users". So you don`t need to be 
authenticated by domain at all to access domain resources shared 
for "Users" only.

Has anything changed in Microsoft's vision of the System account?
What are documented security features of this account?

Thanks