"cd" <No****@noemail.nospam> wrote:
Is there a specific process or permissions that must be granted to get a .NET
(framework 1.4) Window Service to run properly on a Windows 2003 Server?
I built a Windows Service to start two local programs (Putty and Pageant)
located on a Win 2003 Server. The service installs but doesn't start the
Putty / Pageant programs properly when using any user ID except my own. Why
will it work with my User ID? I install the Windows Service on a Win 2000
machine and the service works fine with the local administrator account I
setup. I set the same user on the Win 2003 Server and the service doesn't
start the programs prooperly. I know there are a bunch of variables between
the 2 operating systems and progams. Most of what I have found is Win 2003
needs permissions granted to certain functions and no longer grants them out
of the box. I'm trying to find out what those permissions are and the
differences.
thank you,
Your best bet is to create an special account for your
service and the programs it spawns. You really shouldn't be
running a service with the administrators account.
- Enable security auditing on the machine.
- Create a special (unprivileged) account for your service.
- Test the programs that the service spawns under that
account. Security auditing should indicate the missing
privileges. Add each privilege in turn.
- Not all problems are related to privileges, sometimes its
an issue with the Discretionary Access Control Lists (DACL,
or sometimes even just ACL). For that you'll have to get and
install FileMon (for file accesses) and RegMon (for registry
accesses) - that should help you identify the problem
file(s) and registry entries.
- Once your programs run fine set the service up to use that
account. Depending on "how" you do things in your service
you may need to add further privileges of tweak some more
File/Registry ACLs.
- Once you got everything running, shutdown FileMon, RegMon
and disable Security Auditing (or set it to a more suitable
configuration). DOCUMENT the privileges and ACL changes
needed to make it work for the next administrator to come
along.
- In the future develop under an account that is set up
according to the least privilege principle - that way you
will be alerted early to any problems that third party
components or your own code is causing.
How To Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default...b;en-us;300549
(Shouldn't be too different for 2003)
Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml
RegMon
http://www.sysinternals.com/ntw2k/source/regmon.shtml
Defend Your Code with Top Ten Security Tips Every Developer
Must Know
http://msdn.microsoft.com/msdnmag/is...s/default.aspx
Developing Software in Visual Studio .NET with
Non-Administrative Privileges
http://msdn.microsoft.com/library/de...privileges.asp
Secure Coding Practices: Running with Least Privileges in
Windows
http://www.codeproject.com/tips/runas.asp
How To: Secure Your Developer Workstation
http://msdn.microsoft.com/security/s...htworkstat.asp
The Challenge of Least Privilege
http://msdn.microsoft.com/library/de...re06112002.asp