RE: Windows Service Security

2012-10-31 Thread Leo Donahue - RDSA IT
-Original Message-
From: Burn William [mailto:william.b...@willis.com] 
Sent: Wednesday, October 31, 2012 9:01 AM
To: users@tomcat.apache.org
Subject: Windows Service Security

Can the Tomcat service run as a standard user, 
Yes

does the user need elevated permissions, 
I don't believe so; I don't grant my standard user any specific privileges.

or does it require local administrator access?
No.  I wouldn't do that.

Leo

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Windows Service Security

2012-10-31 Thread Martin Gainty

Good Afternoon Bill

did you have a chance to take a look at the how-to for configuring a Windows 
domain controller
  (to enable Tomcat to support Windows authentication)

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Built-in_Tomcat_support

Does this help?
Martin 
__ 
Please do not alter or otherwise disrupt this communication. Thank you


 From: william.b...@willis.com
 To: users@tomcat.apache.org
 Subject: Windows Service Security
 Date: Wed, 31 Oct 2012 16:01:08 +
 
 We are running Tomcat 7.0.29 on Windows 2008 R2 Service Pack 1.
 
 My question is this: the documentation specifically states, "For optimal 
 security, the service should be run as a separate user, with reduced 
 permissions (see the Windows Services administration tool and its 
 documentation)."  I am unable to find this Windows Services administration 
 tool documentation; I have looked on the Wiki, the How-to's, and the 
 all-knowing Google.  However, my specific question is still unclear.  I do 
 NOT want this service running as SYSTEM.  Can the Tomcat service run as a 
 standard user, does the user need elevated permissions, or does it require 
 local administrator access?
 
 Thank you very much
 
 Bill
 
 
  

Re: Windows Service Security

2012-10-31 Thread André Warnier

Martin Gainty wrote:

Good Afternoon Bill

did you have a chance to take a look at the how-to for configuring a Windows 
domain controller
  (to enable Tomcat to support Windows authentication)

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Built-in_Tomcat_support

Does this help?


Probably not at all, except in utterly confusing the OP, if he is not familiar 
with this list.
He's not asking about authenticating Tomcat users.
He's asking about running Tomcat as a normal Windows user, as opposed to 
LocalSystem e.g.

Bill,

- create a local user, e.g. tomcat
- stop Tomcat
- use whatever path the Microsoft geniuses have invented this week to reach the Services 
applet
- search for the Apache Tomcat Service
- right click on it and select Settings or Properties (ditto)
- in the tab Login as (or ditto), change the account to the one you just 
created
- before you restart Tomcat, make sure that all its files/directories can be read/written 
by this user
- then restart Tomcat

As long as the Tomcat process (and any of its webapps) does not need any Windows network 
resources (network shares or printers or the like), you'll be fine.

If you need any of these, then you'll have to use a Domain user instead of a 
local one.

(Note that Tomcat probably does not need any of those, since it was running fine as 
LocalSystem and that user does not have access to Windows network resources either).







Re: Windows Service Security

2012-10-31 Thread Cédric Couralet
 Bill,

 - create a local user, e.g. tomcat
 - stop Tomcat
 - use whatever path the Microsoft geniuses have invented this week to
 reach the Services applet
 - search for the Apache Tomcat Service
 - right click on it and select Settings or Properties (ditto)
 - in the tab Login as (or ditto), change the account to the one you just
 created
 - before you restart Tomcat, make sure that all its files/directories can
 be read/written by this user
 - then restart Tomcat

 As long as the Tomcat process (and any of its webapps) does not need any
 Windows network resources (network shares or printers or the like),
 you'll be fine.
 If you need any of these, then you'll have to use a Domain user instead of
 a local one.

 (Note that Tomcat probably does not need any of those, since it was
 running fine as LocalSystem and that user does not have access to Windows
 network resources either).




Or you can use one of the two built-in accounts in Windows 2008 (and
possibly Windows 2003): Local Service and Network Service.

From what I have seen, these two accounts are simple users on the computer
(with some extended rights for accessing network shares for Network
Service). They have no administrative rights on the system, so you have to
allow them read or write access on the different folders where Tomcat might
read or write.

Documentation for these accounts can be found here:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686005(v=vs.85).aspx
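The steps André lists above (dedicated local user, change the service logon, fix the file permissions, restart) together with the built-in Local Service / Network Service accounts Cédric describes, as one added PowerShell script. It is not code from the thread or from the Tomcat project; it assumes the Tomcat 7 Windows installer's default service name "Tomcat7" and default install path, and must be run from an elevated prompt.

```powershell
# Added example (not from the thread): scripts the steps Andre lists above and
# the built-in accounts Cedric mentions. Run from an elevated PowerShell prompt.
# Assumptions: the service is named "Tomcat7" (the Tomcat 7 Windows installer's
# default) and CATALINA_HOME is the installer's default path; adjust for your host.
$ServiceName  = 'Tomcat7'
$CatalinaHome = 'C:\Program Files\Apache Software Foundation\Tomcat 7.0'
$Choice       = 'tomcat'     # 'tomcat' = dedicated local user; or 'local' / 'network'

# Logon name as sc.exe expects it, and the name icacls resolves for the ACL.
$Accounts = @{
    tomcat  = @{ Logon = '.\tomcat';                    Acl = "$env:COMPUTERNAME\tomcat" }
    local   = @{ Logon = 'NT AUTHORITY\LocalService';   Acl = 'NT AUTHORITY\LOCAL SERVICE' }
    network = @{ Logon = 'NT AUTHORITY\NetworkService'; Acl = 'NT AUTHORITY\NETWORK SERVICE' }
}
$Logon = $Accounts[$Choice].Logon
$Acl   = $Accounts[$Choice].Acl

# 1. Stop the service before touching its logon account.
Stop-Service -Name $ServiceName

# 2. Point the service at the chosen account.
if ($Choice -eq 'tomcat') {
    # Create the user with no admin group membership (it lands in "Users" only).
    $Password = Read-Host 'Password for the new local user "tomcat"'
    net user tomcat $Password /add /passwordchg:no /expires:never | Out-Null
    # sc.exe needs the space after each "=". Unlike the Services applet, sc.exe
    # does not grant "Log on as a service"; if startup fails with a logon error,
    # grant that right once under Local Security Policy > User Rights Assignment.
    sc.exe config $ServiceName obj= $Logon password= $Password | Out-Null
} else {
    # The built-in accounts need no password and already hold the logon right.
    sc.exe config $ServiceName obj= $Logon | Out-Null
}

# 3. Least privilege on disk: read/execute on the whole tree (conf\ stays
#    read-only), modify only where Tomcat genuinely writes.
icacls $CatalinaHome /grant "${Acl}:(OI)(CI)RX" /T | Out-Null
foreach ($dir in 'logs', 'temp', 'work', 'webapps') {
    icacls (Join-Path $CatalinaHome $dir) /grant "${Acl}:(OI)(CI)M" /T | Out-Null
}

# 4. Restart and confirm the service no longer runs as LocalSystem.
Start-Service -Name $ServiceName
Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
```

The final query should show StartName as the chosen account rather than LocalSystem; if a webapp later needs a network share, switch the account to a domain user as André notes, since a local user cannot reach those resources.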


Re: Windows Service Security

2012-10-31 Thread André Warnier

Cédric Couralet wrote:

Bill,

- create a local user, e.g. tomcat
- stop Tomcat
- use whatever path the Microsoft geniuses have invented this week to
reach the Services applet
- search for the Apache Tomcat Service
- right click on it and select Settings or Properties (ditto)
- in the tab Login as (or ditto), change the account to the one you just
created
- before you restart Tomcat, make sure that all its files/directories can
be read/written by this user
- then restart Tomcat

As long as the Tomcat process (and any of its webapps) does not need any
Windows network resources (network shares or printers or the like),
you'll be fine.
If you need any of these, then you'll have to use a Domain user instead of
a local one.

(Note that Tomcat probably does not need any of those, since it was
running fine as LocalSystem and that user does not have access to Windows
network resources either).





Or you can use one of the two built-in accounts in Windows 2008 (and
possibly Windows 2003): Local Service and Network Service.

From what I have seen, these two accounts are simple users on the computer
(with some extended rights for accessing network shares for Network
Service). They have no administrative rights on the system, so you have to
allow them read or write access on the different folders where Tomcat might
read or write.

Documentation for these accounts can be found here:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686005(v=vs.85).aspx



Maybe as a suggestion for the people who make the installers for Tomcat/Windows?





Re: Windows Service Security

2012-10-31 Thread Cédric Couralet
 Maybe as a suggestion for the people who make the installers for
 Tomcat/Windows ?

I'm not sure I understand (you'll have to excuse my poor understanding of
English nuance :) ).
My reply was not a suggestion, but it would be great if the installer could
provide the option.

I never looked at how the installer was made, so I do not know if it is
possible.

--

Cédric Couralet