httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From CE <bce...@gmail.com>
Subject [users@httpd] Why is "Act As Part of the Operating System" needed for Apache on Windows?
Date Thu, 14 May 2015 18:55:40 GMT
Hi Everyone,

This is my first time here, so if I'm doing this wrong please correct me so
that I learn. (Be gentle.)

I have a question about running Apache httpd 2.4.x on Windows Server 2008
R2. I searched everywhere online for an answer and read the manuals, but
the most info I got was that someone posed this question here 11 years ago
and there was no reply. (Copied below.)


The Apache 2.4 documentation recommends creating a new user for httpd that
has "Log on as a service" AND "Act as part of the operating system" rights.

My question is, why is "act as part of the operating system" needed? It is
a very high risk permission.

I ran Apache without this right and it seems to work fine. What feature
needs it? I don't want the server to suddenly fail on me, but I also don't
understand why it is "required." Help?



----  MORE DETAIL, IF YOU WANT --------

The "Act as part of the operating system" permission is a high risk
permission. Programs with this access can impersonate any user on the
entire computer, thereby getting full access to any file. It is basically
the Windows equivalent of root.

My concern here is that setting read/write/execute permissions for the
Apache user is effectively meaningless because of that capability. And more
importantly, should the server get compromised for any reason (e.g., a
client somehow convincing the httpd service to execute harmful code due to
a configuration mistake), the attacker would be able to do literally
anything if they impersonate as an Administrator.

On Linux, Apache runs a service to bind to port 80 (or whichever) as root,
but the web-serving sub-processes run as limited users, so this isn't an
issue there. On IIS, the sites run as site specific users ("application
pool" users), so even if the server/site is compromised, the attacker has
no permissions to do anything beyond affect the specific site files.

On Apache for Windows, it seems that the whole thing is run under the
equivalent of root. I'm nervous do that. In fact, Microsoft specifically
recommends AGAINST providing "Act as part of the operating system" to any
users.

Apache recommending a new user with the permission:
https://httpd.apache.org/docs/2.4/platform/windows.html

Microsoft recommending against it:
https://msdn.microsoft.com/en-us/subscriptions/dn221957(v=ws.10).aspx



‚Äč------- EMAIL I FOUND IN THE ARCHIVES THAT WAS NEVER ANSWERED ----

(Can be seen online here:
http://httpd.markmail.org/search/?q=%22act+as+part+of+the+operating+system%22+why#query:%22act%20as%20part%20of%20the%20operating%20system%22%20why+page:1+mid:v3nkvtddxoumjaoo+state:results
)

Jan 12, 2004


Hey everyone,

Have a question about the "User rights assignment" in windows. In the
apache docs they recommend (when running apache as a service) to create a
new user account for the apache service and to grant this new user "Log on
as a service and Act as part of the operating system" priviledges. Our
apache test server seems to run fine without "Act as part of the operating
system". Why is this right needed? It seems to be more than necessary.
Maybe we have the module that needs this right disabled. Can anyone see any
reason to enable this right?

Here is the apache doc that talks about this
http://httpd.apache.org/docs-2.0/platform/windows.html#winsvc

Here is the Microsoft description of *Act as part of the operating system*
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/525.asp
>
> Thanks, Ryan
> *Ryan Johnson Security Architect ESP Group  *

Mime
View raw message