No takers? Somebody here must use Apache on Windows...

On Thu, May 14, 2015 at 2:55 PM CE <bce...@gmail.com> wrote:
> Hi Everyone,
>
> This is my first time here, so if I'm doing this wrong please correct me so that I learn. (Be gentle.)
>
> I have a question about running Apache httpd 2.4.x on Windows Server 2008 R2. I searched everywhere online for an answer and read the manuals, but the most info I got was that someone posed this question here 11 years ago and there was no reply. (Copied below.)
>
> The Apache 2.4 documentation recommends creating a new user for httpd that has "Log on as a service" AND "Act as part of the operating system" rights.
>
> My question is, why is "Act as part of the operating system" needed? It is a very high risk permission.
>
> I ran Apache without this right and it seems to work fine. What feature needs it? I don't want the server to suddenly fail on me, but I also don't understand why it is "required." Help?
>
>
> ---- MORE DETAIL, IF YOU WANT --------
>
> The "Act as part of the operating system" permission is a high risk permission. Programs with this access can impersonate any user on the entire computer, thereby getting full access to any file. It is basically the Windows equivalent of root.
>
> My concern here is that setting read/write/execute permissions for the Apache user is effectively meaningless because of that capability. And more importantly, should the server get compromised for any reason (e.g., a client somehow convincing the httpd service to execute harmful code due to a configuration mistake), the attacker would be able to do literally anything if they impersonate an Administrator.
>
> On Linux, Apache runs a service to bind to port 80 (or whichever) as root, but the web-serving sub-processes run as limited users, so this isn't an issue there. On IIS, the sites run as site specific users ("application pool" users), so even if the server/site is compromised, the attacker has no permissions to do anything beyond affect the specific site files.
>
> On Apache for Windows, it seems that the whole thing is run under the equivalent of root. I'm nervous to do that. In fact, Microsoft specifically recommends AGAINST providing "Act as part of the operating system" to any users.
>
> Apache recommending a new user with the permission:
> https://httpd.apache.org/docs/2.4/platform/windows.html
>
> Microsoft recommending against it:
> https://msdn.microsoft.com/en-us/subscriptions/dn221957(v=ws.10).aspx
>
>
> ------- EMAIL I FOUND IN THE ARCHIVES THAT WAS NEVER ANSWERED ----
>
> (Can be seen online here:
> http://httpd.markmail.org/search/?q=%22act+as+part+of+the+operating+system%22+why#query:%22act%20as%20part%20of%20the%20operating%20system%22%20why+page:1+mid:v3nkvtddxoumjaoo+state:results
> )
>
> Jan 12, 2004
>
>> Hey everyone,
>>
>> Have a question about the "User rights assignment" in Windows. In the apache docs they recommend (when running apache as a service) to create a new user account for the apache service and to grant this new user "Log on as a service and Act as part of the operating system" privileges. Our apache test server seems to run fine without "Act as part of the operating system". Why is this right needed? It seems to be more than necessary. Maybe we have the module that needs this right disabled. Can anyone see any reason to enable this right?
>>
>> Here is the apache doc that talks about this
>> http://httpd.apache.org/docs-2.0/platform/windows.html#winsvc
>>
>> Here is the Microsoft description of *Act as part of the operating system*
>> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/525.asp
>>
>> Thanks, Ryan
>> *Ryan Johnson Security Architect ESP Group *
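The thread never got an answer, but the practical first step on any such box is to check which accounts actually hold "Act as part of the operating system" (the SeTcbPrivilege user right) and "Log on as a service" (SeServiceLogonRight), and whether the account the Apache service logs on as is among them. The PowerShell below is an added example for that audit; it is not from the thread, the Apache documentation, or the Apache project. It assumes the service is registered under the installer's default name Apache2.4 (an assumption; pass -ServiceName otherwise) and must be run from an elevated prompt because secedit only exports the local policy with administrative rights.

```powershell
# Added example (not from the mailing-list thread or from Apache httpd):
# audit which accounts hold SeTcbPrivilege ("Act as part of the operating
# system") and SeServiceLogonRight ("Log on as a service") on this host, then
# report whether the Apache service account is one of them.
# Assumptions: default service name "Apache2.4"; run from an elevated prompt.
param(
    [string]$ServiceName = 'Apache2.4'
)

$inf = Join-Path $env:TEMP 'secpol-export.inf'

# secedit writes the effective local security policy, including the
# [Privilege Rights] section, to an INF file (UTF-16 with BOM, which
# Get-Content detects on its own).
& secedit.exe /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) {
    throw "secedit export failed; run this from an elevated PowerShell."
}

# Parse only the [Privilege Rights] section. Entries look like:
#   SeTcbPrivilege = *S-1-5-32-544,*S-1-5-21-...-1001
# A leading '*' marks a SID; entries without it are account names.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        $rights[$name] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
}
Remove-Item $inf -Force

function Resolve-Principal([string]$entry) {
    # Translate a SID to DOMAIN\name; leave names and unresolvable SIDs as-is
    # (an unresolvable SID usually means a deleted account still holds the right).
    if ($entry -notmatch '^S-1-') { return $entry }
    try {
        ([System.Security.Principal.SecurityIdentifier]$entry).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $entry }
}

foreach ($right in 'SeTcbPrivilege', 'SeServiceLogonRight') {
    $holders = @($rights[$right] | ForEach-Object { Resolve-Principal $_ })
    "{0}: {1}" -f $right, $(if ($holders) { $holders -join ', ' } else { '<nobody>' })
}

# Which account does the Apache service actually log on as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; pass -ServiceName with the real name."
    return
}
$account = $svc.StartName          # e.g. '.\Apache', 'DOMAIN\svc-apache' or 'LocalSystem'
"Service $ServiceName logs on as $account"

# Normalise '.\user' to 'COMPUTERNAME\user' so it compares with resolved SIDs.
$ntAccount  = $account -replace '^\.\\', "$env:COMPUTERNAME\"
$tcbHolders = @($rights['SeTcbPrivilege'] | ForEach-Object { Resolve-Principal $_ })

# LocalSystem carries SeTcbPrivilege in its token regardless of policy.
if ($account -eq 'LocalSystem' -or $tcbHolders -contains $ntAccount) {
    "WARNING: $account holds SeTcbPrivilege (Act as part of the operating system)"
} else {
    "$account does NOT hold SeTcbPrivilege"
}
```

The script reports the policy as assigned, not the privileges of the running process; a service account that gains the right only through group membership (for example by being added to a group listed under SeTcbPrivilege) will show up as a group name rather than the account itself, so read the holder list rather than relying solely on the final line.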