Virtual service accounts
- Last Updated: Sep 28, 2022
Windows Server 2008 R2 and Windows 7 introduced the virtual service account. This account type is defined as NT Service\<service_name> and emulates a unique instance of the Network Service account. The account does not need to be created and has no password to manage, which makes auditing and tracking significantly simpler. On the local computer, a virtual service account is not privileged; it is merely a member of the local Users group. On a network, a virtual service account on a domain-joined computer takes on the identity of the computer account (DOMAIN\computer_name$); on a computer that is not in a domain, it is Anonymous.
Depending on the version of the Windows operating system in use, Service Hardening can be implemented using a low-privileged Windows account in conjunction with a per-service security identifier (SID), a virtual service account, or a combination of both.
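The following read-only PowerShell audit is an added example, not part of the original page or of any vendor tooling. It classifies each service's logon account, flags virtual service accounts (NT Service\<service_name>), and reads the per-service SID setting from the registry. The function name Get-ServiceAccountKind and the category labels are illustrative assumptions.

```powershell
# Added example: inventory service logon accounts and per-service SID settings.
# Read-only; run from an elevated PowerShell prompt on the host being reviewed.

function Get-ServiceAccountKind {
    param([string]$StartName)
    # Map a service's StartName onto the account types discussed above.
    # Category labels are illustrative, not Windows-defined values.
    switch -Regex ($StartName) {
        '^$'                                { 'None/Unknown'; break }
        '^(\.\\)?LocalSystem$'              { 'LocalSystem'; break }
        '^NT AUTHORITY\\Local\s?Service$'   { 'LocalService'; break }
        '^NT AUTHORITY\\Network\s?Service$' { 'NetworkService'; break }
        '^NT SERVICE\\'                     { 'VirtualServiceAccount'; break }
        default                             { 'UserOrManagedAccount' }
    }
}

# ServiceSidType registry values: absent or 0 = none, 1 = unrestricted, 3 = restricted.
$sidTypeNames = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
    $raw = (Get-ItemProperty -LiteralPath $key -Name ServiceSidType `
                -ErrorAction SilentlyContinue).ServiceSidType
    $sidType = if ($null -eq $raw) { 0 } else { [int]$raw }

    [pscustomobject]@{
        Service     = $_.Name
        StartName   = $_.StartName
        AccountKind = Get-ServiceAccountKind $_.StartName
        # The account is defined as NT Service\<service_name>, so a virtual
        # account is expected to carry the name of the service it runs.
        NameMatches = ($_.StartName -eq "NT SERVICE\$($_.Name)")
        ServiceSid  = $sidTypeNames[$sidType]
    }
} | Sort-Object AccountKind, Service | Format-Table -AutoSize
```

Rows with AccountKind LocalSystem or UserOrManagedAccount and ServiceSid None are the candidates to review for the hardening options described above.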