httpd-dev mailing list archives

From "Andrew Braund" <abraund_n...@mail.com>
Subject RE: [patch 1.3.13-dev] Win9x Services
Date Thu, 08 Jun 2000 07:39:39 GMT
I am updating the windows.html and want to add something about which account to
run Apache under. This is what I have got:

<P><STRONG>Note on default "System account" (LocalSystem) that Apache will run
under.</STRONG></P>

  When Apache is installed as a service, e.g. with the apache -i command,
  it will run as the "System Account" (LocalSystem) user.
<PRE>
       docs say:
       LocalSystem is a very privileged account locally, so
       you shouldn't run any shareware applications there.
       However, it has no network privileges and cannot leave
       the machine via any NT-secured mechanism, including
       file system, named pipes, DCOM, or secure RPC.

       and:

       A service that runs in the context of the LocalSystem account
       inherits the security context of the SCM. It is not
       associated with any logged-on user account and does not have
       credentials (domain name, user name, and password) to be used
       for verification. This has several implications: [... removed ...]

       That _really_ sucks.  Can we recommend running Apache as some
       other user?

   <i>Recommendations to be added...</i>
</PRE>


Any NT security person care to suggest some recommendations for me?

Also, as a fix to error 2186 when trying to start Apache, the following
workaround has been suggested:

<PRE>
   Select the service in Control Panel and click Startup.
   Verify that the service account is correct.
   Retype the password and password confirmation.
   Go to User Manager for Domains.
   Click on Policies from the title bar menu, and select User Rights.
   Select the option for Advanced User Rights.
   In the drop-down list, verify that the following rights have been
   granted to the service account:
   Act as part of the operating system
   Back up files and directories
   Log on as a service
   Restore files and directories
</PRE>

Any comments on this?

Any one-liners on security when running under Win95? :)
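
Added example, not part of the original message: the workaround above lists four user rights for the service account, and the Python below checks which of them a given account holds, reading the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export. The sample export and the account name `apache_svc` are constructed for illustration.

```python
# Added example: check which of the four user rights named in the workaround
# an account holds. Real secedit exports are UTF-16, so read them with
# open(path, encoding="utf-16") before passing the text in.

# Display name used in the workaround -> constant used in the export file.
REQUIRED_RIGHTS = {
    "Act as part of the operating system": "SeTcbPrivilege",
    "Back up files and directories": "SeBackupPrivilege",
    "Log on as a service": "SeServiceLogonRight",
    "Restore files and directories": "SeRestorePrivilege",
}

# Constructed sample export; "apache_svc" is a hypothetical service account.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,apache_svc
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,apache_svc
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right constant: set of lowercased holders} from the export."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            entries = (h.strip().lstrip("*").lower() for h in holders.split(","))
            rights[name.strip()] = {e for e in entries if e}
    return rights

def audit_account(text, account):
    """Map each right named in the workaround to True/False for `account`."""
    rights = parse_privilege_rights(text)
    # A right that no account holds is absent from the export, hence .get().
    return {display: account.lower() in rights.get(const, set())
            for display, const in REQUIRED_RIGHTS.items()}

if __name__ == "__main__":
    for right, held in audit_account(SAMPLE_EXPORT, "apache_svc").items():
        print(f"{'granted' if held else 'MISSING':8} {right}")
```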