KMS / restricted rights on Windows (Kerio Connect forum)

Philipp14

Hi,

I think we agree that for security reasons it is very bad to have a mail server run with administrative rights.
So I created a windows user named kms, set "full rights" to this user in the kerio data store and archive folders (and subfolders), and even to the kerio program folder (mmhh :-/ ).
Finally I set the kms service to log on as that user kms.

When I start kms, the permission for kms to mailserver.cfg is gone, the file is empty, and kms cannot read it.

I wonder what is happening here.

Any experiences?


Thanks & greetings from Vienna
Philipp
Philipp14

Sorry for bothering you again - perhaps my question was too complicated (or too stupid?)

I thought that running a mail server like KMS with lower privileges than administrator was quite a basic concern
- is there really no one who has tried this?

(Or are my thoughts completely weird?)

Kind regards,
Philipp
sedell

Don't know what you're talking about, really. My Kerio MailServer service runs as the local system account, and that's not something I set.

The other issue is where you're headed with it doesn't seem to make a lot of sense. If it were merely a directory access issue, you wouldn't need an administrative account to run under, as it's a simple matter to change directory security. There would be steps to set that up for the mail store, or the installer could do it for you. There's a lot more than directory security that makes up administrative rights.

Scott
jaikudo

philipp<_a.t_>prause.co.at wrote on Mon, 07 July 2008 10:42:

    I thought that running a mail server like KMS with lower privileges than administrator was quite a basic concern
    - is there really no one who has tried this?

    (Or are my thoughts completely weird?)

My guess is that it is mostly the Linux users who try to do this. I don't know if they have any success.

Most people will use a dedicated machine for KMS and let it run as Administrator or root on the grounds that it is the only important service on the machine. Even so, running with lower privileges seems a perfectly reasonable thing to do.

My thoughts are that you will need to give the limited user access to more than just the store and the archive folders. The same service serves the admin console so it will need access to all the config files. Make sure that the top level of the Kerio hierarchy is modifiable by the limited user. Don't try to set permissions on config files individually. It may be that these files get recreated from scratch when they are edited and lose their permissions. Make sure that their folder is modifiable.

[Updated on: Mon, 07 July 2008 19:21]
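jaikudo's advice, as an added PowerShell example that is not from the thread or from Kerio: grant the service account a single inheritable ACE on the top of the Kerio tree, then confirm that a file created from scratch under it inherits that ACE, which is exactly what a rewritten mailserver.cfg depends on. The install path and the account name are assumptions; the example deliberately grants Modify rather than Full Control so the service cannot change the DACL or ownership of its own files.

```powershell
# Added example (not Kerio's own code). Assumed: install root and local account.
param(
    [string]$KerioRoot = 'C:\Program Files\Kerio\MailServer',   # assumed path
    [string]$ServiceAccount = "$env:COMPUTERNAME\kms"            # assumed local account
)

# Modify is enough for a service that rewrites its own config and store;
# DACL and ownership changes stay with administrators.
$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount, $rights, $inherit, $propag, $allow)

# One inheritable ACE at the top level, as the post recommends, instead of
# per-file permissions that vanish when a file is recreated.
$acl = Get-Acl -Path $KerioRoot
$acl.AddAccessRule($ace)
Set-Acl -Path $KerioRoot -AclObject $acl

# Simulate a config file written from scratch and check the ACE was inherited.
function Test-InheritedAccess {
    param([string]$Folder, [string]$Account)
    $probe = Join-Path $Folder ('acl-probe-{0}.tmp' -f [guid]::NewGuid())
    New-Item -Path $probe -ItemType File | Out-Null
    try {
        $fileAcl = Get-Acl -Path $probe
        $hit = $fileAcl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.IsInherited -and
            (($_.FileSystemRights -band $rights) -eq $rights)
        }
        return [bool]$hit
    } finally {
        Remove-Item -Path $probe -Force
    }
}

if (Test-InheritedAccess -Folder $KerioRoot -Account $ServiceAccount) {
    "OK: new files under $KerioRoot inherit Modify for $ServiceAccount"
} else {
    # Typical causes: inheritance disabled on the folder, or the writing process
    # replaces the file's DACL explicitly instead of letting it inherit.
    "WARNING: new files do not inherit the ACE; inspect 'icacls $KerioRoot' for (OI)(CI) entries"
}
```

Run it elevated once; if the probe reports a warning even though the ACE is present on the folder, the process that rewrites the file is setting its own DACL, and folder permissions alone will not fix it.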

Philipp14

Thanks for your constructive reply, jaikudo.

(Some Windows guys, not only in forums, seem to feel offended when confronted with the fact that there might be errors in every complex program - the Linux guys seem more realistic in that respect ;) )

I also granted the kms user full access rights to the whole Kerio program folder and everything below - that's what I felt should be sufficient.
Yes, the mailserver.cfg indeed seems to be recreated upon startup of KMS, and strangely it does not inherit the permissions of the folder. That's why my KMS seems to kind of lock itself out.

Maybe that was because I used the systray icon to start KMS, but I am quite sure that I also tried to start KMS via the Windows administration console. I am on holiday now, but as it seems I need to dig further into this...

Kind regards
Philipp