Server 2003 Standard SP1

Are NETWORK SERVICE permissions really needed?


GaryK

5:19 pm on Jul 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I usually hang out in the Search Engine Spider Identification forum so please pardon me for barging in here to ask a question.

I have three dedicated servers and a part-time system administrator to help me manage everything.

My sysadmin insists on giving NETWORK SERVICE: Read & Execute, List Folder Contents and Read permissions for the root websites folder and all sub-folders that hold my websites.

There are only a few files amongst hundreds of thousands of files that really need those permissions.

What's everyone's take on how to handle NETWORK SERVICE permissions? Apply it to everything or only apply it to the files/folders that really need it? I know a blanket application is easier but is it inherently more risky? It's the Read & Execute permission that has me most concerned.

Thanks in advance for any advice.

TheNige

4:05 am on Jul 7, 2006 (gmt 0)

10+ Year Member



Well, for the Execute permissions, there are two levels: "Scripts Only" and "Scripts and Executables". If you will be using ASP then you will need to have at least "Scripts Only" for the execute permissions.

The one that I would not want to give is "List Folder Contents", which basically lets anyone see what is in your directories.

Network Service will need access to these folders because that is the account that the web server IIS runs under in Windows 2003.

aspdaddy

6:27 pm on Jul 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I disable all those built-in accounts if possible, they're all potential back doors. Then when the backup and UPS stop working I enable some again :)

Best bet is to follow a hardening guide & run baseline security analyser and see if it marks it as a vulnerability.

GaryK

6:45 pm on Jul 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Then when the backup and UPS stop working I enable some again!

I have the same sort of problem with the firewall. It's a never ending source of bemusement to my sysadmin who loves to tease me about it. ;)

> Best bet is follow a hardening guide & run baseline security analyser

My hardening guide is basically don't give any object permissions it doesn't absolutely need. Hence the source of the conflict with my sysadmin. :)

Thanks for your advice aspdaddy. My sysadmin and I need to have a chat about who asks, how high, when I say, jump! ;)

aspdaddy

10:54 am on Jul 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have the exact same issues with sysadmins. When I first published a server on the www, I was so paranoid I did hacking courses and followed all the hardening guides etc and maybe became a little overly obsessed with security :)

Now the sys admins have a laugh and call the servers Fort Knox, and from time to time things don't work because they are so locked down.

The problem with most sysadmins is they are so used to deploying file and internet gateways, rather than web application servers. And so used to making things connect and work like remote access rather than first securing the services.

Things like allowing outbound web access, enabling DHCP and RDP ports are perfectly normal for them, they think it's strange to disable them.

I'm yet to find a good sys admin when it comes to hardening and deploying Windows database & web servers. You would think M$ would develop a template.
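
An added example, not part of any post in this thread: a read-only PowerShell audit that walks a web root and reports where NETWORK SERVICE (well-known SID S-1-5-20) is granted access explicitly rather than by inheritance, and where it holds anything beyond Read & Execute. The path `D:\Websites` is a hypothetical placeholder, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: audit NETWORK SERVICE ACEs under a web root (changes nothing).
param(
    [string]$WebRoot = 'D:\Websites'   # hypothetical path, replace with the real web root
)

$nsSid   = 'S-1-5-20'                  # NT AUTHORITY\NETWORK SERVICE, locale-independent
$sidType = [System.Security.Principal.SecurityIdentifier]

# Rights treated as the expected baseline: Read & Execute (plus Synchronize,
# which Windows adds to most file ACEs).
$baseline = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

& {
    Get-Item -LiteralPath $WebRoot
    Get-ChildItem -LiteralPath $WebRoot -Recurse -Force
} | ForEach-Object {
    $path = $_.FullName
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $path"
        return   # skip this item, continue with the next one
    }

    # Ask for rules with identities expressed as SIDs so the match does not
    # depend on how the account name is localized or resolved.
    $acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $nsSid -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            # Bits granted on top of the baseline (Write, Modify, generic rights, ...)
            $extra = [int]$_.FileSystemRights -band (-bnot $baseline)

            # Inherited read-only grants are noise on a large tree; report only
            # the places where the grant is set, or where it exceeds the baseline.
            if (-not $_.IsInherited -or $extra -ne 0) {
                [PSCustomObject]@{
                    Path              = $path
                    Rights            = $_.FileSystemRights
                    Inherited         = $_.IsInherited
                    BeyondReadExecute = ($extra -ne 0)
                }
            }
        }
} | Sort-Object BeyondReadExecute, Path -Descending |
    Format-Table -AutoSize -Wrap
```

Rows with `Inherited = False` are the folders or files where the grant is actually defined; rows with `BeyondReadExecute = True` are the ones to review first.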