    • #15950
      Michael Pietroforte
      Keymaster
      Member Points: 31,761
      Author of the year 2018
      Rank: 4

      A reader asked in a comment on an article how to determine the file system permissions a third-party application needs. Here is the complete question:

      One nagging question I have is if I have selected a unique domain user account to run a service, how do I then go about determining what file system permissions I need to give to that account.

      For instance, if I was to install a third-party tool (such as Jenkins or JIRA), I am guessing that I would first perform the installation (double clicking an exe or whatever) using my own account, and then assign a unique domain user account (say JIRA-service-user) to run the service.

      How can I then confidently assign the correct file system permissions to the JIRA-service-user to ensure that it functions correctly? Am I purely dependent on the documentation supplied by the third party tool, or is there some other means of determining correct permissions? Trial and error perhaps?

    • #16011
      Kyle Beckman
      Moderator
      Member Points: 352
      Rank: 2

      You could always use something like Process Monitor to watch the executables that are part of the application.  I can see you running into a few problems:  First off, if the application has a lot of executables, you could be monitoring for a long time.  Second, you’ll have to run through every function that the application performs against the file system to see how it interacts.  Both could be incredibly time consuming.

      Honestly, this is most likely a ‘take it back to the vendor’ kind of thing.  My experience has been that if the vendor doesn’t publish recommended permissions, some will just tell you to give the user “Full Control” or even make them an Admin on the local box.  But, it is entirely possible they do have a document and it is just hard to find.

      If they give you an answer you don’t like, or that doesn’t jive with your organization’s policies, don’t hesitate to [nicely] call out the vendor on it.  You may also want to consider asking the question in some kind of public forum so there can be a community discussion if the configuration they recommend is insecure.

    • #16012
      Michael Pietroforte
      Keymaster
      Member Points: 31,761
      Author of the year 2018
      Rank: 4

      Kyle, great tips! Thanks. I have had the same experience with Process Monitor. Using this tool to determine the required folder permissions often only works if it is a relatively simple application.

    • #16351
      Timothy Warner
      Moderator
      Member Points: 620
      Rank: 2

      An idea that just popped into my mind is perhaps you could enable file system auditing for that unique service account. Look for success and failure events. As long as the service account isn’t used for anything but to drive that particular application, you should be able to see where in the file system the app/service account needs to go.

      Hope this helps,

      Tim
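
The auditing approach suggested in the post above, as an added example that is not part of the original thread: once file system auditing is enabled on the application's folders, the Security-log records for the service account can be reduced to the set of rights it used, and was denied, per folder. The function name `Get-ObservedRights`, the flattened record layout and the paths are assumptions; the account name is the one from the question, and the records stand in for events 4663 (access succeeded) and 4656 logged as Audit Failure.

```powershell
# Constructed sample records. On a live system these would be flattened from
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 }.
# AccessMask is the hex string the events carry; the paths are hypothetical.
$events = @(
    [pscustomobject]@{ User = 'JIRA-service-user'; Object = 'D:\App\home\log\app.log';        AccessMask = '0x6';     Failed = $false }
    [pscustomobject]@{ User = 'JIRA-service-user'; Object = 'D:\App\home\log\app.log';        AccessMask = '0x80';    Failed = $false }
    [pscustomobject]@{ User = 'JIRA-service-user'; Object = 'D:\App\install\conf\server.xml'; AccessMask = '0x1';     Failed = $false }
    [pscustomobject]@{ User = 'JIRA-service-user'; Object = 'D:\App\home\data\index.tmp';     AccessMask = '0x10000'; Failed = $true  }
    [pscustomobject]@{ User = 'SYSTEM';            Object = 'D:\App\home\log\app.log';        AccessMask = '0x1';     Failed = $false }
)

function Get-ObservedRights {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $Account
    )
    $rightsType = [System.Security.AccessControl.FileSystemRights]
    $Events |
        Where-Object { $_.User -eq $Account } |                             # ignore other principals
        Group-Object { [System.IO.Path]::GetDirectoryName($_.Object) } |    # one row per folder
        ForEach-Object {
            $used = 0; $denied = 0
            foreach ($e in $_.Group) {
                $mask = [Convert]::ToInt32($e.AccessMask, 16)               # '0x6' -> 6
                if ($e.Failed) { $denied = $denied -bor $mask }
                else           { $used   = $used   -bor $mask }
            }
            [pscustomobject]@{
                Folder = $_.Name
                # Enum.ToObject tolerates bits FileSystemRights does not name
                Used   = [Enum]::ToObject($rightsType, $used)
                Denied = [Enum]::ToObject($rightsType, $denied)
            }
        }
}

Get-ObservedRights -Events $events -Account 'JIRA-service-user' | Format-Table -AutoSize
```

The `Used` column is a lower bound: it only covers functions the application actually exercised while auditing was on. The `Denied` column lists rights that were requested and refused, which are candidates to grant after review.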

© 4sysops 2006 - 2021
