Securing your Windows Service installation: Difference between revisions

From FileZilla Wiki
Jump to navigationJump to search
(New page: == User accounts concepts == On Windows you can secure your box/environment in same manner as on *nix, by using user accounts (this applies only to NT family, so Win9x/WinME users are out...)
 
m (Reverted edits by 2600:387:2:803:0:0:0:72 (talk) to last revision by CodeSquid)
Tag: Rollback
 
(125 intermediate revisions by 68 users not shown)
Line 1: Line 1:
== User accounts concepts ==
== User accounts concepts ==


On Windows you can secure your box/environment in same manner as on *nix, by using user accounts (this applies only to NT family, so Win9x/WinME users are out of luck).
On any modern versions of a Windows operating system you can secure your system in same manner as you can on most *nix systems, by using unique user accounts and file system permissions. Modern Windows operating systems are also all capable of running with multiple user accounts logged in simultaneously, again, just like most *nix systems.


Although as classic Windows user, you may think that you are only sole user of the computer, it is not true. On the contrary, in fact your NT system is true multiuser operating system, just like any OS from *nix family.
Every time a Windows system runs, there may be other user accounts logged in besides the account of the user that is accessing the console of the system. This is commonly the case when background programs need to be run in a particular security context. Desktop versions of Windows provided to consumers are typically configured to make the account of the first person to use a newly installed system an admin level account. This can make the system more vulnerable to security issues if that user of the system is not well versed proper security techniques and practices. This is no different than *nix users choosing to use the root account for their daily activities and as their primary login. You can setup Windows user accounts to not be admin level accounts and this will significantly help with the process of securing the operating system and Filezilla.  
Every time your computer runs, there are several users logged in besides you. Majority (almost 90%) of the security issues (viruses, malware, spyware) you are experiencing during your daily computer use, are caused by the simple fact, that by default, your user account is configured to run in Administrator mode out of the box (that is equivalent running as root or superuser on *nix boxes).
Such default is really stupid. Why is that, you may ask, that your system is open to anyone to tamper with?
The only reason are broken Windows applications, really. Let's face it, most of the Windows programs has dubious quality, and the developers are not very bright. It's a lazy bunch, used to be able to write into the registry and all over your system, from the times of MS-DOS and Windows 95.  
What is worse, sometimes even own Microsoft employees from some of their divisions belong to these losers. Thus to avoid support calls, your system allows everything to everyone.
Still, by setting up your daily account as Limited User Access account (LUA), you can usually avoid many security hassles.
However thorough securing of your box is out of the scope of this article. Luckily, you can find plenty of information how to do so using google (just be prepared that many Windows programs are broken and if you use them, you may experience some issues, so called LUA Bugs). I encourage you strongly to do so.  


Here is most basic outline:
While securing of a Windows system is out of the scope of this article there are a few suggestions provided:
# setup password for your Administrator account(*nix root equivalent) and store it written in secure location, in case of system wide upgrades or software installation.
# create new Limited User account for your daily work, or remove your current account from Administrators group, or use "Control Panel/Users/Limited User" option and protect it with password if necessary.


!!! Disclaimer !!! Misuse of permissions and not understanding concept security rights can have devastating effects and if you are not doing your homework, especially first time you can easily lock yourself out from the computer, so be careful!
- Set a password for your Administrator account(*nix root equivalent) and store it written in secure location, in case of future system wide upgrades or software installation needs.


Let's assume you have gained all the necessary knowledge, and you set up your Administrator with password and you do your daily work as Limited User (preferably with password too).
- Create new Limited User account for your daily work, or remove your current account from Administrators group, or use "Control Panel/Users/Limited User" option and protect it with password if necessary.
You might not be aware of the fact that you can setup your FZS service to login as Limited User too.
This minimizes the impact on your computer if your FTP server service is compromised.
As was mentioned at beginning of this article at any time multiple special users are logged to your machine.


These are:
Reminder: Incorrect use of accounts and permissions and not understanding Windows security concepts can have devastating effects. Please make sure you understand the changes you are making to accounts on any Windows systems before attempting any security related changes.
* SYSTEM - nameless and passwordless local user in whose context most services and base OS processes run
* NetworkService - nameless and passwordless user in whose context some of the network related services run


By default SYSTEM user is most privileged user on the machine. This is required for it, to be able to do its work. You cannot login as this user. It has access to any part of the computer. By default any system service, even your FZS service runs in the context of this user.
== Configuration ==
NetworkService is less privileged to minimize impact of compromising network service. You could minimize FZS privileges by telling it to login as NetworkService, but even better is to create special, limited account just for FZS.
To secure your Filezilla server we will assume you wish to run the Filezilla server program as a user with limited permissions on the Windows system. This will limit the potential damage that could be caused by someone compromising the Filezilla server program or a mistake made to file system permissions in parts of the system used by Filezilla.
 
You will need to create a user level account on the Windows system for FileZilla Server to run under. This account must NOT be a member of the Administrators group in Windows. For basic security requirements it should only be assigned to the Users group in Windows. If you are more security conscious then you should create a dedicated security group for use with Filezilla and assign the new user account to that group instead of Users. If you do this you may need to grant additional permissions within the operating system to that group to allow for proper operation of Filezilla. This article does not discuss what exact additional permissions may be required.


== Configuration ==
You will then need to configure your Filezilla Server FTP server service to use the new user level account you have created. To do this you will to go into the Services control panel and locate the service named "Filezilla Server FTP server". Edit the service properties and go the Log On tab. On this tab you change from the Log on as option from Local System account (the default) to "This account". You will then select the user level account you have created and enter the password you assigned to the account twice. Once you click OK you may be notified that this account has been granted "Logon as a service" rights. This is expected and required for the account to work properly.


Make sure you are logged in as '''Administrator'''.
Make sure you are logged in as '''Administrator'''.


=== Add filezilla user ===
=== Add filezilla user to Windows ===
# press '''«'''WINDOWS'''»''' + '''«''';R'''«'''; "Run" dialog appears
In Windows Professional
# press '''«'''WINDOWS'''»''' + '''«'''R'''»'''; "Run" dialog appears
# type in "lusrmgr.msc" and hit '''«'''ENTER'''»'''; "Local Users and Groups" MMC Console appears
# type in "lusrmgr.msc" and hit '''«'''ENTER'''»'''; "Local Users and Groups" MMC Console appears
# navigate to "Users" folder, right click to white space and select "New User" from popup menu; "New User" dialog appears.
# navigate to "Users" folder, right click to white space and select "New User" from popup menu; "New User" dialog appears.
Line 49: Line 39:
# click "OK"; dialog closes
# click "OK"; dialog closes
# close "Local Users and Groups" window
# close "Local Users and Groups" window
In Windows Home Edition
#press '''«'''WINDOWS'''»''' + '''«'''R'''»'''; "Run" dialog appears
#type in "netplwiz" and hit «ENTER»; the "User Accounts" window appears
#click "Add..."; a user creation blue wizard appears
#click "Access without a Microsoft Account"
#click the "Local Account" button
#add a new user, filling in the required field:
#*user name "filezilla"
#*type in password (this is required)
#*type in password again (this is required)
#*fill the password hint with some random characters
#click "Next"; "filezilla" user is created
#click "End"; "filezilla" uesr is listed together with the other user accounts
#close "User Accounts"
Or, '''alternatively''', in any Windows Edition
don't do what follows, if you have already created a "filezilla" user with one of the procedures above. You may choose the following procedure as an alternative of the two previous, because it is safer: putting "filezilla" user in its' own group, is way better than adding it into the "Users" group.
#Copy and paste one by one the following commands, in a "CMD" window run as Administrator:
#*<code>net user filezilla * /add</code>; "filezilla" user is created in the "Users" group
#*when prompted, type a password for "filezilla" user (this is required)
#*<code>net localgroup filezilla-users /add</code>; "filezilla-users" group is created
#*<code>net localgroup filezilla-users filezilla /add</code>; "filezilla" user is added to "filezilla-users" group
#*<code>net localgroup users filezilla /delete</code>; "filezilla" user is deleted from "Users" group
Or, ''' alternatively'''. There is a mechanism for windows services to run in own isolated environment. For each installed service you can use its own SID based on its name. It is accesseble out the box. Then you setup service just specify 'nt service\servicename' in runas username section without specifying password. Filezilla install service with name 'filezilla-server' by default. You should use name 'nt service\filezilla-server' in this case. Then setting up acl permissions to the folders by 'prepare permissions' section described bellow you also should use 'nt service\filezilla-server' name. Caution: if service name changes SID changes too. In this case you should update permissions on the folders.
Also you should add 'nt service\filezilla-server' user in 'Local Policies\User Rights Assignment\Access this computer from the network' of security policy. Launch secpol.msc to access sec policy.
The server's settings in this case will be stored in %systemroot%\ServiceProfiles\filezilla-server\AppData\Local\filezilla-server. 'nt service\filezilla-server' should have all necessary permissions/ownership for files and folders.


=== Change FileZilla Server Service logon ===
=== Change FileZilla Server Service logon ===
# press '''&laquo;'''WINDOWS'''&raquo;''' + '''&laquo;''';R'''&laquo;'''; "Run" dialog appears
# press '''&laquo;'''WINDOWS'''&raquo;''' + '''&laquo;'''R'''&raquo;'''; "Run" dialog appears
# type in "services.msc" and hit '''&laquo;'''ENTER'''&raquo;'''; "Services" MMC Console appears
# type in "services.msc" and hit '''&laquo;'''ENTER'''&raquo;'''; "Services" MMC Console appears
# locate "FileZilla Server FTP server" service and double click; properties dialog appears
# locate "FileZilla Server FTP server" service and double click; properties dialog appears
Line 58: Line 78:
#* select "This account"
#* select "This account"
#* into the account field type in ".\filezilla"
#* into the account field type in ".\filezilla"
#* type in both passwords defined in previous phase
#* type in both passwords defined in previous phase.
# click "OK" but DO NOT START the service (as it will fail and will be unkillable)
# click "OK" but '''DO NOT START''' the service (as it will fail and will be unkillable unless you use special tools)


=== Prepare permissions ===
=== Prepare permissions ===
# with Windows Explorer navigate to "FileZilla Server" installation directory
# with Windows Explorer navigate to "FileZilla Server" installation directory
# locate "FileZilla Server.xml" file, service requires write permissions to this file
# locate "FileZilla Server.xml" file, service requires write permissions to this file
#* If you have "Simple File Sharing" enabled (no "Security" tab in file "Properties")
#* If you have "Simple File Sharing" enabled (no "Security" tab in file properties)
#*# clik "Tools" in Explorer menu, select "Folder options"; "Folder Options" dialog appears
#*# click "Tools" in Explorer menu, select "Folder options"; "Folder Options" dialog appears
#*# select "View" tab
#*# select "View" tab
#*# uncheck "Use simple file sharing (Recommended)"
#*# uncheck "Use simple file sharing (Recommended)"
#*# click OK
#*# click OK
# right click "FileZilla Server.xml" select "Properties"; "Properties" dialog appears
#* right click "FileZilla Server.xml" select "Properties"; "Properties" dialog appears
# select "Security" tab, click "Add" button; "Select User or Group dialog" appears
#*# select "Security" tab, click "Add" button; "Select User or Group" dialog appears
# type "filezilla" into "Enter object names to select" textbox
#*# type "filezilla" into "Enter object names to select" textbox
# click "OK"; "filezilla" user is added to permissions list
#*# click "OK"; "filezilla" user is added to permissions list
# select "filezilla" user and check "Write" in "Allow" column
#*# select "filezilla" user and check "Write" in "Allow" column
# click "OK"; permissions are now saved
#*# click "OK"; permissions are now saved
# if you use logging, set "Write" access to "Logs" folder too
# if you use logging, set "Write" access to "Logs" folder too
# if you upload to some folders set "Full Control" to each topmost writable folder you want to use, the changes are propagated to children
# if you upload to some folders set "Full Control" to each topmost writable folder you want to use, the changes are propagated to children
# if you use SSL, double check if both the SSL certificate file and private key file are readable by "Users" group or "filezilla" account, to not break the SSL connection
# if you use SSL, double check if both the SSL certificate file and private key file are readable by "filezilla" account, to not break the SSL connection
# if you want hide "Security" tab, enable "Simple File Sharing" back on
# if you want hide "Security" tab, enable "Simple File Sharing" back on
# switch to "Services" and start "FileZilla Server FTP server" service; it should run now in "filezilla" account context
# switch to back to "Services" console and start "FileZilla Server FTP server" service; it should run now in "filezilla" account context
# verify FTP and FTPS/FTPES connection and check uploading to writable directories
# verify FTP and FTPS/FTPES connection and check uploading to writable directories
# congratulation you have secured your FZS server!
# congratulations you have secured your FZS server!
# logout from Administrator account
# Windows Server >2012: Error 5: Access Denied -> your Filezilla User have to Access the "Filezilla server.exe" readable.
 
== Troubleshooting ==
:1.&nbsp; '''I set logon account for FZS service to "filezilla" and started it but forgot to set permissions, now I can not connect admin interface and I can not stop it!'''
:&nbsp;&nbsp;&nbsp;&nbsp; FZS needs write access to "FileZilla Server.xml" where server settings are stored, if it's unwritable it's stuck in infinite loop and doesn't respond to "STOP" command. To kill such service invoke Task Manager and kill it manually or use Sysinternals Process Explorer. You need Administrator rights to kill the service.
 
:2.&nbsp; '''Service starts I am unable to create SSL (FTPS/FTPES) connection!'''
:&nbsp;&nbsp;&nbsp;&nbsp; FZS needs read access to certificate files otherwise it sends empty strings/garbage as SSL certificates. Make sure the certificate files are readable by "filezilla" account by checking it's presence in the user list of the security tab for each certificate file used.
 
:3.&nbsp; '''I get access denied errors on uploading and file deletion although I have set Write/Delete right in FileZilla Server Admin interface properties!'''
:&nbsp;&nbsp;&nbsp;&nbsp; FZS needs OS "Write/Modify" access to upload files and create directories and "Full Control" to delete them, so make sure you assigned those rights to "filezilla" account for your upload directories.
 
:4.&nbsp; '''I setup everything as mentioned here but FZS service still fails to start!'''
:&nbsp;&nbsp;&nbsp;&nbsp; There is some access rights issue, you can trace it with Process Monitor from Sysinternals, but that is not for the faint-hearts. You can always revert to SYSTEM account by selecting "Local System account" in service properties "Log On" tab. Don't forget to kill the service if it doesn't respond to "STOP" command before restarting.
 
== Tips & Tricks ==
* You can script setting up permissions using CACLS, XCACLS or [http://setacl.sourceforge.net/ SetACL] into the bat file.
* With Secondary Logon (Run As...) service you can execute commands as administrator even from LUA account.
* You can use [http://sudown.sourceforge.net/ suDown] to achieve LUA with Administrator account.
* Windows XP Home, "Security" tab cannot be enabled by default, but you can install update to enable it.
 
== Conclusion ==
Advantages of this solution are obvious. Should there be vulnerability in FZS, only those files and folders can be manipulated to which FZS has write/delete rights. Rest of the computer is shielded from damage. To limit Denial Of Service attacks by filling disk where writable folders are, you can setup disk Quotas in Windows XP Pro and Windows 2003 Server. Moreover you will learn more about multi-user security principles.

Latest revision as of 07:45, 12 October 2023

User accounts concepts[edit]

On any modern versions of a Windows operating system you can secure your system in same manner as you can on most *nix systems, by using unique user accounts and file system permissions. Modern Windows operating systems are also all capable of running with multiple user accounts logged in simultaneously, again, just like most *nix systems.

Every time a Windows system runs, there may be other user accounts logged in besides the account of the user that is accessing the console of the system. This is commonly the case when background programs need to be run in a particular security context. Desktop versions of Windows provided to consumers are typically configured to make the account of the first person to use a newly installed system an admin level account. This can make the system more vulnerable to security issues if that user of the system is not well versed proper security techniques and practices. This is no different than *nix users choosing to use the root account for their daily activities and as their primary login. You can setup Windows user accounts to not be admin level accounts and this will significantly help with the process of securing the operating system and Filezilla.

While securing of a Windows system is out of the scope of this article there are a few suggestions provided:

- Set a password for your Administrator account(*nix root equivalent) and store it written in secure location, in case of future system wide upgrades or software installation needs.

- Create new Limited User account for your daily work, or remove your current account from Administrators group, or use "Control Panel/Users/Limited User" option and protect it with password if necessary.

Reminder: Incorrect use of accounts and permissions and not understanding Windows security concepts can have devastating effects. Please make sure you understand the changes you are making to accounts on any Windows systems before attempting any security related changes.

Configuration[edit]

To secure your Filezilla server we will assume you wish to run the Filezilla server program as a user with limited permissions on the Windows system. This will limit the potential damage that could be caused by someone compromising the Filezilla server program or a mistake made to file system permissions in parts of the system used by Filezilla.

You will need to create a user level account on the Windows system for FileZilla Server to run under. This account must NOT be a member of the Administrators group in Windows. For basic security requirements it should only be assigned to the Users group in Windows. If you are more security conscious then you should create a dedicated security group for use with Filezilla and assign the new user account to that group instead of Users. If you do this you may need to grant additional permissions within the operating system to that group to allow for proper operation of Filezilla. This article does not discuss what exact additional permissions may be required.

You will then need to configure your Filezilla Server FTP server service to use the new user level account you have created. To do this you will to go into the Services control panel and locate the service named "Filezilla Server FTP server". Edit the service properties and go the Log On tab. On this tab you change from the Log on as option from Local System account (the default) to "This account". You will then select the user level account you have created and enter the password you assigned to the account twice. Once you click OK you may be notified that this account has been granted "Logon as a service" rights. This is expected and required for the account to work properly.

Make sure you are logged in as Administrator.

Add filezilla user to Windows[edit]

In Windows Professional

  1. press «WINDOWS» + «R»; "Run" dialog appears
  2. type in "lusrmgr.msc" and hit «ENTER»; "Local Users and Groups" MMC Console appears
  3. navigate to "Users" folder, right click to white space and select "New User" from popup menu; "New User" dialog appears.
  4. fill-in the dialog like this:
    • user name "filezilla"
    • type in password (this is required)
    • uncheck "User must change password at next logon",
    • check "Password never expires"
    • check "User cannot change password"
    • uncheck "Account is disabled"
  5. click "Create"; "filezilla" user is created
  6. right click "filezilla" user and select "Properties"; "Properties" dialog appears
  7. double check on the "Member Of" that only user group this account belongs to, is "Users"
  8. click "OK"; dialog closes
  9. close "Local Users and Groups" window

In Windows Home Edition

  1. press «WINDOWS» + «R»; "Run" dialog appears
  2. type in "netplwiz" and hit «ENTER»; the "User Accounts" window appears
  3. click "Add..."; a user creation blue wizard appears
  4. click "Access without a Microsoft Account"
  5. click the "Local Account" button
  6. add a new user, filling in the required field:
    • user name "filezilla"
    • type in password (this is required)
    • type in password again (this is required)
    • fill the password hint with some random characters
  7. click "Next"; "filezilla" user is created
  8. click "End"; "filezilla" uesr is listed together with the other user accounts
  9. close "User Accounts"

Or, alternatively, in any Windows Edition

don't do what follows, if you have already created a "filezilla" user with one of the procedures above. You may choose the following procedure as an alternative of the two previous, because it is safer: putting "filezilla" user in its' own group, is way better than adding it into the "Users" group.

  1. Copy and paste one by one the following commands, in a "CMD" window run as Administrator:
    • net user filezilla * /add; "filezilla" user is created in the "Users" group
    • when prompted, type a password for "filezilla" user (this is required)
    • net localgroup filezilla-users /add; "filezilla-users" group is created
    • net localgroup filezilla-users filezilla /add; "filezilla" user is added to "filezilla-users" group
    • net localgroup users filezilla /delete; "filezilla" user is deleted from "Users" group

Or, alternatively. There is a mechanism for windows services to run in own isolated environment. For each installed service you can use its own SID based on its name. It is accesseble out the box. Then you setup service just specify 'nt service\servicename' in runas username section without specifying password. Filezilla install service with name 'filezilla-server' by default. You should use name 'nt service\filezilla-server' in this case. Then setting up acl permissions to the folders by 'prepare permissions' section described bellow you also should use 'nt service\filezilla-server' name. Caution: if service name changes SID changes too. In this case you should update permissions on the folders. Also you should add 'nt service\filezilla-server' user in 'Local Policies\User Rights Assignment\Access this computer from the network' of security policy. Launch secpol.msc to access sec policy. The server's settings in this case will be stored in %systemroot%\ServiceProfiles\filezilla-server\AppData\Local\filezilla-server. 'nt service\filezilla-server' should have all necessary permissions/ownership for files and folders.

Change FileZilla Server Service logon[edit]

  1. press «WINDOWS» + «R»; "Run" dialog appears
  2. type in "services.msc" and hit «ENTER»; "Services" MMC Console appears
  3. locate "FileZilla Server FTP server" service and double click; properties dialog appears
  4. click "Stop" to stop service if running
  5. switch to "Log On" tab and set following:
    • select "This account"
    • into the account field type in ".\filezilla"
    • type in both passwords defined in previous phase.
  6. click "OK" but DO NOT START the service (as it will fail and will be unkillable unless you use special tools)

Prepare permissions[edit]

  1. with Windows Explorer navigate to "FileZilla Server" installation directory
  2. locate "FileZilla Server.xml" file, service requires write permissions to this file
    • If you have "Simple File Sharing" enabled (no "Security" tab in file properties)
      1. click "Tools" in Explorer menu, select "Folder options"; "Folder Options" dialog appears
      2. select "View" tab
      3. uncheck "Use simple file sharing (Recommended)"
      4. click OK
    • right click "FileZilla Server.xml" select "Properties"; "Properties" dialog appears
      1. select "Security" tab, click "Add" button; "Select User or Group" dialog appears
      2. type "filezilla" into "Enter object names to select" textbox
      3. click "OK"; "filezilla" user is added to permissions list
      4. select "filezilla" user and check "Write" in "Allow" column
      5. click "OK"; permissions are now saved
  3. if you use logging, set "Write" access to "Logs" folder too
  4. if you upload to some folders set "Full Control" to each topmost writable folder you want to use, the changes are propagated to children
  5. if you use SSL, double check if both the SSL certificate file and private key file are readable by "filezilla" account, to not break the SSL connection
  6. if you want hide "Security" tab, enable "Simple File Sharing" back on
  7. switch to back to "Services" console and start "FileZilla Server FTP server" service; it should run now in "filezilla" account context
  8. verify FTP and FTPS/FTPES connection and check uploading to writable directories
  9. congratulations you have secured your FZS server!
  10. logout from Administrator account
  11. Windows Server >2012: Error 5: Access Denied -> your Filezilla User have to Access the "Filezilla server.exe" readable.

Troubleshooting[edit]

1.  I set logon account for FZS service to "filezilla" and started it but forgot to set permissions, now I can not connect admin interface and I can not stop it!
     FZS needs write access to "FileZilla Server.xml" where server settings are stored, if it's unwritable it's stuck in infinite loop and doesn't respond to "STOP" command. To kill such service invoke Task Manager and kill it manually or use Sysinternals Process Explorer. You need Administrator rights to kill the service.
2.  Service starts I am unable to create SSL (FTPS/FTPES) connection!
     FZS needs read access to certificate files otherwise it sends empty strings/garbage as SSL certificates. Make sure the certificate files are readable by "filezilla" account by checking it's presence in the user list of the security tab for each certificate file used.
3.  I get access denied errors on uploading and file deletion although I have set Write/Delete right in FileZilla Server Admin interface properties!
     FZS needs OS "Write/Modify" access to upload files and create directories and "Full Control" to delete them, so make sure you assigned those rights to "filezilla" account for your upload directories.
4.  I setup everything as mentioned here but FZS service still fails to start!
     There is some access rights issue, you can trace it with Process Monitor from Sysinternals, but that is not for the faint-hearts. You can always revert to SYSTEM account by selecting "Local System account" in service properties "Log On" tab. Don't forget to kill the service if it doesn't respond to "STOP" command before restarting.

Tips & Tricks[edit]

  • You can script setting up permissions using CACLS, XCACLS or SetACL into the bat file.
  • With Secondary Logon (Run As...) service you can execute commands as administrator even from LUA account.
  • You can use suDown to achieve LUA with Administrator account.
  • Windows XP Home, "Security" tab cannot be enabled by default, but you can install update to enable it.

Conclusion[edit]

Advantages of this solution are obvious. Should there be vulnerability in FZS, only those files and folders can be manipulated to which FZS has write/delete rights. Rest of the computer is shielded from damage. To limit Denial Of Service attacks by filling disk where writable folders are, you can setup disk Quotas in Windows XP Pro and Windows 2003 Server. Moreover you will learn more about multi-user security principles.