Windows Service Minimum Permissions?
From: Martin Naughton (mn@nospam.com)
Date: 11/22/02
From: "Martin Naughton" <mn@nospam.com> Date: Fri, 22 Nov 2002 01:32:42 -0800
Hi,
I'm by no means a specialist on Windows security, so the problem is likely to be caused by my ignorance of permissions.
In short, I would like to determine the "Least Privilege" user account/group I should apply to a Windows Service, in order that I be able to do the following:
1) Execute
2) Interact with a SQL Server database
3) Interact with an MSMQ
4) Write to the EventLog
5) Watch Debug/Trace.Writeline output from a remote machine
Anyway, here's the problem I'm getting:
I have a Windows Service (developed in VB.NET) running on a remote computer. Initially, I configured the LogOn properties of the Service, such that it runs under a user account that belonged to the Administrators Group on the remote computer.
From my local computer, I invoke SysInternals' DbgView.exe and Connect to the remote machine - no problem. I can happily watch the .NET Debug.WriteLine output from the Windows Service on the remote machine.
Now, in a move to tighten up the security a little, I'm attempting to run the Windows Service under a "Least Privilege" user account. A domain user account, set up as a "standard" user was defined for me by a network admin.
I applied the new user account to the Windows Service, then Start it. This time, I see no Debug messages in my local DbgView window.
As a result, I'm not certain whether the Service is working (but failing to output Debug messages) or just not working at all.
It seems to be a permissions thing:
If I add the domain user account to the remote machine's local Administrators group, I see the messages.
If I add the domain user account to the remote machine's local Power Users group, I don't see the messages.
The Debugger Users Group doesn't seem to help, either.
In case it's important, I'm connecting to the remote machine using Windows Terminal Services.
I log onto the machine via Terminal Services, using my own domain account, a member of the remote machine's Administrators group (not the "Least Privilege" one).
Any ideas?
Thanks,
Martin