if the application is reaching outside the firewall then three things come
to mind.

#1 replace the security folks running the firewall, for their
misconfiguration.
#2 replace the firewall, that is configured correctly and allows an
application to network around it.
#3 replace network folks that allow configurations to go around the box.

Sorry: this sounds so ridiculous it is almost Friday humor.

On Tue, Jul 3, 2012 at 10:31 AM, Reiser, John J <[email protected]> wrote:

> Christopher,
> The security folks seemed to accept my reply that running as a non-admin
> may be possible but it needs elevated permissions.
> I think they are mainly concerned about the system reaching outside the
> corporate firewall.
> That was one to the other questions that they had. Since we don't do that
> we should be ok.
>
> Thank you,
> ---
> John J. Reiser
> Remedy Developer/Administrator
> Senior Software Development Analyst
> Lockheed Martin - MS2
> The star that burns twice as bright burns half as long.
> Pay close attention and be illuminated by its brilliance. - paraphrased by
> me
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) [mailto:
> [email protected]] On Behalf Of strauss
> Sent: Wednesday, June 27, 2012 1:08 PM
> To: [email protected]
> Subject: EXTERNAL: Re: Running the ARsystem service as a plain windows
> user account
>
> I don't think file permissions will be enough.  You might try giving it
> only some of the explicit permissions (run as a service, act as a part of
> the operating system) that it normally gets from the local admin group
> rights and see if that works. I have not had to discuss this with our
> security team, but they have not considered it a problem during their
> security scans.
>
> Christopher Strauss, Ph.D.
> Call Tracking Administration Manager
> University of North Texas Computing & IT Center http://itsm.unt.edu/
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) [mailto:
> [email protected]] On Behalf Of Reiser, John J
> Sent: Wednesday, June 27, 2012 11:37 AM
> To: [email protected]
> Subject: Re: Running the ARsystem service as a plain windows user account
>
> Christopher,
>
> That's how we have our system set up (ARS, Email POP, and Tomcat). The
> difference being that our domain account has local admin access.
> The Systems Security people want to know if it's required. I guess I'll
> tell them no BUT it does need Power User access.
> Then 6 months from now they'll tell me that I have an account running a
> service as a Power User and that is not allowed.
>
>
> So if I give the Program Files directories for BMC and Tomcat power user
> full control I should be ok?
>
>
> Thank you,
> ---
> John J. Reiser
> Remedy Developer/Administrator
> Senior Software Development Analyst
> Lockheed Martin - MS2
> The star that burns twice as bright burns half as long.
> Pay close attention and be illuminated by its brilliance. - paraphrased by
> me
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) [mailto:
> [email protected]] On Behalf Of strauss
> Sent: Wednesday, June 27, 2012 11:47 AM
> To: [email protected]
> Subject: EXTERNAL: Re: Running the ARsystem service as a plain windows
> user account
>
> In my experience the ARS Server service has to run as a local admin
> account, and also as an account with access to the SQL Server database.
> What we have used for many years is a Domain User account (not a Domain
> Admin or other role) that has been granted local admin rights on the AR
> Server, AND is the dbo in SQL Server for the ARSystem database.
> Flashboards has always run fine as Local System.  I do give this Domain
> Account (it is not a local Windows account) full rights to the BMC Software
> directory structures where the applications are installed (before
> installation).  Again, the service itself runs under that Domain User
> account - ARS 7.x installers usually get this correct if the account has
> been set up properly on the SQL Server first.
>
> The email engine is another matter.  If you are using MAPI and have
> Outlook installed on the AR Server, the Domain User for the MAPI mailbox
> has to be a local admin as well, and have the rights to log on locally and
> run Outlook against the mailbox that AREmail is using; the Email Engine
> service itself must run under that Domain User account.  This works fine in
> Windows Server 2003, but I never got it working to my satisfaction in
> Windows Server 2008; the mail engine would not log in and send mail unless
> you had a current logged-in session under the mailbox user account open,
> and started the mail service from there.  Log out, and it stopped working.
> It was one of the main reasons we switched from MAPI (for ARS 7.1) to
> SMTP/POP (for ARS 7.6.04).
>
> When using SMTP/POP, the BMC Remedy Email Engine installs and runs just
> fine under the Local System account.  If you decide to run it under the
> Domain User of the POP mailbox, then that user would have to be at least a
> local Power User to run the service, with full access to the Email Engine
> application directory.  It only needs to be in the local admin group for
> MAPI connections.
>
> We do the same with the mid-tier; the Tomcat instance runs under a
> dedicated Domain User that is in the local Power User group, with full
> rights to the Apache file directory structure.  We make those changes after
> installing Tomcat (which installs under Local System), before installing
> the mid-tier.
>
> BTW, the AR System runs in a dedicated AD forest, so it is an additional
> dependency for the services to be able to authenticate to AD in order to
> start, but it adds a layer of security over local user accounts.
>
> Christopher Strauss, Ph.D.
> Call Tracking Administration Manager
> University of North Texas Computing & IT Center http://itsm.unt.edu/
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) [mailto:
> [email protected]] On Behalf Of Reiser, John J
> Sent: Wednesday, June 27, 2012 9:41 AM
> To: [email protected]
> Subject: Running the ARsystem service as a plain windows user account
>
> Hello Listers,
>
> ARS 7.6.04
> MS SQL 2005
> MS Windows 2003 on a VM
>
> I've looked through the installation docs to find out if the AR System
> service, email Service and Flashboards service need to be run as a local
> admin on a windows server.
>
> First we ran it as a local service and the security folks didn't like
> that. We changed to a local admin service account and now they don't like
> that either.
> I tried looking in the docs and the BMC Knowledge base and the only
> reference to a "root" account was for installing on Unix/Linux type servers.
>
> I just need to know if it must be run as a local admin and the reason for
> it to satisfy the Information System Security people. If it runs as a
> regular windows user are there any file system permission changes needed
> on the server? Couldn't find anything referencing this.
>
> Thank you,
> ---
> John J. Reiser
> Remedy Developer/Administrator
> Senior Software Development Analyst
> Lockheed Martin - MS2
> The star that burns twice as bright burns half as long.
> Pay close attention and be illuminated by its brilliance. - paraphrased by
> me
>
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12
> www.wwrug12.com ARSList: "Where the Answers Are"
>



-- 
Patrick Zandi
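The question running through the quoted thread is whether the AR System, Email Engine and Tomcat services really need a local admin account, or whether a Domain User with "Log on as a service" plus rights on the install directories is enough. The following PowerShell script is an added example (not from any poster in the thread) that reports, for each service, the account it runs under, whether that account is a direct member of the local Administrators or Power Users group, whether it holds the "Log on as a service" right, and the rights it has on the install root. The service display names, the install path, and the use of Get-LocalGroupMember (PowerShell 5.1 on a current Windows Server) are assumptions; adjust them for your host.

```powershell
# Added example: audit what rights an AR System service account actually holds.
# Service display names and install root are placeholders (assumed), not BMC's.
$serviceNames = @('BMC Remedy Action Request System Server',
                  'BMC Remedy Email Engine',
                  'Apache Tomcat')
$installRoot  = 'C:\Program Files\BMC Software'

# Export the local security policy; SeServiceLogonRight lists the holders of
# "Log on as a service" as SIDs prefixed with '*'. A right granted through a
# domain group will not appear under the account name itself.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$logonSvc = @()
$hit = @(Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=\s*(.+)$')
if ($hit.Count -gt 0) {
    $logonSvc = $hit[0].Matches[0].Groups[1].Value.Split(',') | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try { ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                  [System.Security.Principal.NTAccount]).Value }
        catch { $id }   # leave unresolvable SIDs as-is
    }
}

function Test-LocalGroupMember($group, $account) {
    # True only for direct membership; nested domain groups are not expanded.
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    return (@($members).Name -contains $account)
}

foreach ($name in $serviceNames) {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$name' not found"; continue }
    $acct = $svc.StartName          # e.g. DOMAIN\svc_ars, or LocalSystem
    $rights = (Get-Acl $installRoot -ErrorAction SilentlyContinue).Access |
              Where-Object { $_.IdentityReference.Value -eq $acct } |
              ForEach-Object { $_.FileSystemRights }
    [pscustomobject]@{
        Service          = $name
        RunsAs           = $acct
        LocalAdmin       = Test-LocalGroupMember 'Administrators' $acct
        PowerUser        = Test-LocalGroupMember 'Power Users' $acct
        LogonAsService   = ($acct -eq 'LocalSystem') -or ($logonSvc -contains $acct)
        InstallDirRights = ($rights -join ';')
    }
}
```

Run it elevated on the AR Server before and after removing the account from Administrators; a service that still starts with LocalAdmin = False, LogonAsService = True and explicit rights on the install root is the evidence a security review is asking for.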