In UNIX/Linux terms, until 12c, Oracle on Windows usually ran as the root user (local system). Oracle 12c for Windows moves takes step away from “DBA for Dummies” by designing the Oracle service to run as a user with lower privileges. As with all security measures, it will add complexity to your environment, but before being tempted to stick with the trusty local system account, consider how you would justify that decision to auditors. If you have more than one database on a server, or any other applications or files of importance, then you can help to protect them by using a non-system Oracle Home User.
Managed Service Accounts
If your system is on a domain, then the obvious choice is to use a Managed Service Account (MSA) to run the Oracle service, because it avoids the pain of changing a domain account’s password regularly. This account should be dedicated to the database server to prevent a breach in one database compromising other servers.
You might want to create a new Oracle Base for 12c to avoid file permission issues with existing pre-12c Oracle Homes, and carefully design inherited file permissions on directories used by UTL_FILE or the database’s JVM.
If intending to use large pages, the administrator must grant the “Lock pages in memory” privilege to Oracle Home User or Service SID of Oracle Database Service (NTAUTHORITY\OracleService<sid>).
When using an MSA, you shouldn’t be prompted for the password at any point. If this happens, then refer to this post: MSA vs Oracle Home User