CF should never be run as a highly privileged account. Create a low-privilege account and run CF under that account. Only allow CF permissions on the filesystem where they are absolutely required. Ensure CF does not have any administrative privileges if they are not used (like using <cfregistry> to edit the registry).

For other server shares, ensure that the account you created has rights on those shares.

This is commonly called implementing the principle of least privilege.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not that they are extreme, but that they are intolerant."
    -- Robert F. Kennedy, 1964


On Aug 1, 2007, at 12:21 PM, Rob Saxon wrote:

By default the CF service runs as a System account. What is the best practice to allow this service to access all areas of the web server and other server shares?



Here are some ideas I considered:



Scenario 1: Creating a domain account for the service that belongs to the local Admin group for the host server.

Scenario 2: Creating a local account on the host and shared servers with the same name, making that account a member of the web server’s admin group, and giving that local account access to the share on the remote server.



Is either of these possibilities recommended? If not, are there any suggestions?



Take care,

Rob



---------------------------------------------------------------------------
Rob Saxon
Director
Web Management
Mercer University
478-301-5550
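
A check for the advice in the reply above, as an added example that is not part of the original thread: it reports which account each ColdFusion service runs as and flags the System account or membership in the local Administrators group. It assumes the service display name contains "ColdFusion" and that the `Get-LocalGroupMember` cmdlet (Windows PowerShell 5.1 or later) is available; the function name is hypothetical.

```powershell
# Added example: audit the account a ColdFusion service runs under.
# Assumption: the service display name contains "ColdFusion"; adjust the filter for your install.
function Test-ServiceAccountPrivilege {
    param([string]$NameFilter = '%ColdFusion%')

    # Built-in identity with full control of the host.
    $systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

    # Direct members of the local Administrators group (well-known SID S-1-5-32-544).
    # Nested membership through domain groups is not expanded here.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        ForEach-Object { $_.Name }

    Get-CimInstance Win32_Service -Filter "DisplayName LIKE '$NameFilter'" |
        ForEach-Object {
            $account = $_.StartName

            # Services store local accounts as ".\name"; group members are "HOST\name".
            $normalized = $account -replace '^\.\\', "$env:COMPUTERNAME\"

            if ($systemAccounts -contains $account) {
                $finding = 'Runs as System: move to a dedicated low-privilege account'
            }
            elseif ($admins -contains $normalized) {
                $finding = 'Account is a local administrator: remove from the group'
            }
            else {
                $finding = 'No direct administrative membership found'
            }

            [pscustomobject]@{
                Service = $_.DisplayName
                Account = $account
                Finding = $finding
            }
        }
}

# Run from an elevated prompt on the web server.
Test-ServiceAccountPrivilege | Format-Table -AutoSize -Wrap
```

A clean result only covers group membership on the host; filesystem and share permissions granted to the account still need to be reviewed separately.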

