Cool, thanks Dave. You are correct, there are reasons to remove
SYSTEM. (I was only changing permissions on the dev server so far)
From what I've researched since my last post it seems that removing
SYSTEM is good because the SYSTEM account has the same internal id on
every installation, which makes it a vulnerability. I'm working on
setting up a local user right now. It's been a long time since I've
done any sysadmin work, but will the ColdFusion user account need "log
on as a service" rights? Are there any other special permissions the CF
server may need?

Anthony

On 7/29/05, Dave Watts <[EMAIL PROTECTED]> wrote:
> > Well, I think they definitely need a technote. I found a bunch
> > of threads with the same problem but no solution. I finally found
> > one talking about permissions. It turns out that for whatever
> > reason the sysadmins removed the permissions for the SYSTEM
> > account, which ColdFusion is run as by default. I added permissions
> > for SYSTEM and it worked.
> 
> I have two comments on this.
> 
> First, there might be a good reason why your sysadmins removed those
> permissions from SYSTEM, although the SYSTEM security context can always
> take ownership of whatever it wants anyway, and grant itself permissions.
> You might want to check with them before you change things around.
> 
> Second, and more importantly, you would be better served by running CF as a
> less privileged user instead of SYSTEM. You can create a user account just
> for CF, and grant it the necessary permissions and user rights.
> Alternatively, if you're using Windows Server 2003, you can use the "Local
> Service" (or "Network Service" if you need to access remote shares, etc)
> security context which is considerably less privileged than SYSTEM.
> Macromedia has a technote about how to do this with CFMX, and it's pretty
> easy actually.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
