- Wed, Oct 2 2013 at 9:44 pm #15950 Michael Pietroforte, Keymaster (Member Points: 31,761, Rank: 4)
A reader asked in a comment on an article how to determine the file system permissions a third-party application needs. Here is the complete question:
One nagging question I have is if I have selected a unique domain user account to run a service, how do I then go about determining what file system permissions I need to give to that account.
For instance, if I was to install a third-party tool (such as Jenkins or JIRA), I am guessing that I would first perform the installation (double clicking an exe or whatever) using my own account, and then assign a unique domain user account (say JIRA-service-user) to run the service.
How can I then confidently assign the correct file system permissions to the JIRA-service-user to ensure that it functions correctly? Am I purely dependent on the documentation supplied by the third party tool, or is there some other means of determining correct permissions? Trial and error perhaps?
- Sun, Oct 6 2013 at 1:34 pm #16011 Kyle Beckman, Moderator (Member Points: 352, Rank: 2)
You could always use something like Process Monitor to watch the executables that are part of the application. I can see you running into a few problems: First off, if the application has a lot of executables, you could be monitoring for a long time. Second, you’ll have to run through every function that the application performs against the file system to see how it interacts. Both could be incredibly time consuming.
Honestly, this is most likely a ‘take it back to the vendor’ kind of thing. My experience has been that if the vendor doesn’t publish recommended permissions, some will just tell you to give the user “Full Control” or even make them an Admin on the local box. But, it is entirely possible they do have a document and it is just hard to find.
If they give you an answer you don’t like, or that doesn’t jibe with your organization’s policies, don’t hesitate to [nicely] call out the vendor on it. You may also want to consider asking the question in some kind of public forum so there can be a community discussion if the configuration they recommend is insecure.
- Sun, Oct 6 2013 at 7:44 pm #16012 Michael Pietroforte, Keymaster (Member Points: 31,761, Rank: 4)
Kyle, great tips! Thanks. I have had the same experience with Process Monitor. Using this tool to determine the required folder permissions often only works if it is a relatively simple application.
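
The Process Monitor approach discussed in the two posts above gets less tedious if the capture is exported to CSV and summarized per folder. The following is an added example, not code from any poster in this thread: it assumes a Process Monitor CSV export with the optional "User" column enabled, and the `EXAMPLE` domain, paths and the coarse Read/Write/Delete classification are constructed for illustration.

```python
import csv, io, ntpath
from collections import defaultdict

ACCOUNT = r"EXAMPLE\JIRA-service-user"  # assumed domain; account name from the thread
# Constructed sample in Process Monitor's CSV export layout, with the optional
# "User" column enabled. Paths, PIDs and process names are placeholders.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.1","java.exe","4242","CreateFile","D:\JiraHome\log\app.log","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, ShareMode: Read","EXAMPLE\JIRA-service-user"
"10:01:02.4","java.exe","4242","ReadFile","D:\Jira\conf\server.xml","SUCCESS","Offset: 0, Length: 4,096","EXAMPLE\JIRA-service-user"
"10:01:03.0","java.exe","4242","CreateFile","D:\JiraHome\tmp\x.tmp","SUCCESS","Desired Access: Generic Read/Write, Delete, Disposition: Create, ShareMode: None","EXAMPLE\JIRA-service-user"
"10:01:03.2","java.exe","4242","RegOpenKey","HKLM\Software\Example","SUCCESS","Desired Access: Read","EXAMPLE\JIRA-service-user"
"10:01:04.0","explorer.exe","1200","CreateFile","D:\Jira\bin","SUCCESS","Desired Access: Generic Write, Disposition: Open","EXAMPLE\admin"
'''

def rights_for(operation, detail):
    """Coarse NTFS rights (Read/Write/Delete) implied by one file-system event."""
    if operation == "CreateFile":
        # Only the Desired Access field counts; ShareMode also contains "Read"/"Write".
        access = detail.partition("Desired Access:")[2].partition(", Disposition")[0]
        return {right for right, words in (
            ("Read", ("Read", "Execute", "All")),
            ("Write", ("Write", "Append", "All")),
            ("Delete", ("Delete", "All"))) if any(w in access for w in words)}
    if operation.startswith(("WriteFile", "Set")):
        return {"Write"}
    if operation.startswith(("ReadFile", "Query")):
        return {"Read"}
    return set()  # registry, process and network events are ignored

def summarize(csv_text, account):
    """Return (used, denied): folder -> rights the account exercised or was refused."""
    used, denied = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["User"].lower() != account.lower():
            continue  # other accounts on the box are noise for this question
        bucket = {"SUCCESS": used, "ACCESS DENIED": denied}.get(row["Result"])
        rights = rights_for(row["Operation"], row["Detail"])
        if bucket is not None and rights:
            bucket[ntpath.dirname(row["Path"])] |= rights
    return dict(used), dict(denied)

if __name__ == "__main__":
    used, denied = summarize(SAMPLE, ACCOUNT)
    for label, table in (("used", used), ("denied", denied)):
        for folder in sorted(table):
            print(f"{label:7} {folder:20} {', '.join(sorted(table[folder]))}")
```

The summary only covers code paths that were exercised during the capture, so the limitation raised in the posts above still applies. For a real export, read the file with `open(path, encoding="utf-8-sig", newline="")`, which tolerates a byte-order mark if one is present.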
- Tue, Nov 5 2013 at 6:57 pm #16351 Timothy Warner, Moderator (Member Points: 620, Rank: 2)
An idea that just popped into my mind is perhaps you could enable file system auditing for that unique service account. Look for success and failure events. As long as the service account isn’t used for anything but to drive that particular application, you should be able to see where in the file system the app/service account needs to go.
Hope this helps,