Securing your Windows Service installation
User accounts concepts
On Windows you can secure your box/environment in the same manner as on *nix, by using user accounts (this applies only to the NT family, so Win9x/WinME users are out of luck).
Although, as a classic Windows user, you may think that you are the sole user of the computer, that is not true. On the contrary, your NT system is a true multiuser operating system, just like any OS from the *nix family.
Every time your computer runs, there are several users logged in besides you. The majority (almost 90%) of the security issues (viruses, malware, spyware) you experience during your daily computer use are caused by the simple fact that, by default, your user account is configured to run in Administrator mode out of the box (the equivalent of running as root or superuser on *nix boxes). Such a default is really stupid. Why is it, you may ask, that your system is open for anyone to tamper with?
The only reason is broken Windows applications, really. Let's face it, most Windows programs are of dubious quality, and the developers are not very bright. It's a lazy bunch, used to being able to write into the registry and all over your system since the times of MS-DOS and Windows 95.
What is worse, sometimes even Microsoft's own employees from some of its divisions belong to these losers. Thus, to avoid support calls, your system allows everything to everyone. Still, by setting up your daily account as a Limited User Access account (LUA), you can usually avoid many security hassles.
However, thoroughly securing your box is out of the scope of this article. Luckily, you can find plenty of information on how to do so using Google (just be prepared that many Windows programs are broken and if you use them, you may experience some issues, so-called LUA bugs). I strongly encourage you to do so.
Here is the most basic outline:
- set up a password for your Administrator account (the *nix root equivalent) and store it, written down, in a secure location for use during system-wide upgrades or software installation.
- create a new Limited User account for your daily work, or remove your current account from the Administrators group, or use the "Control Panel/Users/Limited User" option, and protect it with a password if necessary.
!!! Disclaimer !!! Misusing permissions and not understanding the concept of security rights can have devastating effects. If you do not do your homework, especially the first time, you can easily lock yourself out of the computer, so be careful!
Let's assume you have gained all the necessary knowledge, you have set up your Administrator account with a password, and you do your daily work as a Limited User (preferably with a password too). You might not be aware that you can set up your FZS service to log in as a Limited User too. This minimizes the impact on your computer if your FTP server service is compromised. As was mentioned at the beginning of this article, multiple special users are logged in to your machine at any time.
These are:
- SYSTEM - nameless and passwordless local user in whose context most services and base OS processes run
- NetworkService - nameless and passwordless user in whose context some of the network related services run
By default the SYSTEM user is the most privileged user on the machine. This is required for it to be able to do its work. You cannot log in as this user. It has access to any part of the computer. By default any system service, including your FZS service, runs in the context of this user.
NetworkService is less privileged, to minimize the impact if a network service is compromised. You could minimize FZS privileges by telling it to log in as NetworkService, but it is even better to create a special, limited account just for FZS.
Configuration
Make sure you are logged in as Administrator.
Add filezilla user
- press «WINDOWS» + «R»; "Run" dialog appears
- type in "lusrmgr.msc" and hit «ENTER»; "Local Users and Groups" MMC Console appears
- navigate to the "Users" folder, right-click on the empty space and select "New User" from the popup menu; "New User" dialog appears
- fill in the dialog like this:
  - user name "filezilla"
  - type in a password (this is required)
  - uncheck "User must change password at next logon"
  - check "Password never expires"
  - check "User cannot change password"
  - uncheck "Account is disabled"
- click "Create"; "filezilla" user is created
- right-click the "filezilla" user and select "Properties"; "Properties" dialog appears
- double-check on the "Member Of" tab that the only group this account belongs to is "Users"
- click "OK"; dialog closes
- close "Local Users and Groups" window
Change FileZilla Server Service logon
- press «WINDOWS» + «R»; "Run" dialog appears
- type in "services.msc" and hit «ENTER»; "Services" MMC Console appears
- locate the "FileZilla Server FTP server" service and double-click it; properties dialog appears
- click "Stop" to stop the service if it is running
- switch to the "Log On" tab and set the following:
  - select "This account"
  - into the account field type in ".\filezilla"
  - type the password defined in the previous phase into both password fields
- click "OK" but DO NOT START the service (as it will fail and will be unkillable unless you use special tools)
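The two procedures above can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later, an elevated session, and that the service carries the display name given above.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Windows PowerShell 5.1+ (LocalAccounts and CimCmdlets modules).
$account     = 'filezilla'                    # account name from this page
$displayName = 'FileZilla Server FTP server'  # service display name as given on this page

# Prompt for the password so it is not stored in the script or in shell history.
$password = Read-Host -AsSecureString "Password for '$account'"

# Same choices as the "New User" dialog: password never expires, user cannot change it.
New-LocalUser -Name $account -Password $password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'FileZilla Server service account' | Out-Null

# New-LocalUser adds the account to no group at all; the GUI adds it to "Users".
# (The group name is localized on non-English Windows.)
Add-LocalGroupMember -Group 'Users' -Member $account

# Double-check membership: any group besides "Users" defeats the purpose.
$groups = Get-LocalGroup | Where-Object {
    Get-LocalGroupMember -Group $_.Name -Member $account -ErrorAction SilentlyContinue
}
$extra = @($groups.Name | Where-Object { $_ -ne 'Users' })
if ($extra.Count) { throw "'$account' is also a member of: $($extra -join ', ')" }

# Find the service by the display name shown in services.msc and stop it.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' not found" }
Stop-Service -Name $svc.Name -Force

# Switch the logon account. The plain-text password exists only for this call.
$plain  = [System.Net.NetworkCredential]::new('', $password).Password
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName = ".\$account"; StartPassword = $plain
}
Remove-Variable plain
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)" }

# Unlike the "Log On" tab in services.msc, this call does not grant the account the
# "Log on as a service" right; grant it under User Rights Assignment in Local Security Policy.
# Do NOT start the service yet: file permissions for the account must be set first.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'" |
    Select-Object Name, StartName, State
```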
Troubleshooting
- 1. I set the logon account for the FZS service to "filezilla" and started it but forgot to set permissions; now I cannot connect to the admin interface and I cannot stop it!
- FZS needs write access to "FileZilla Server.xml", where the server settings are stored. If the file is unwritable, the service is stuck in an infinite loop and doesn't respond to the "STOP" command. To kill such a service, open Task Manager and kill it manually, or use Sysinternals Process Explorer. You need Administrator rights to kill the service.
- 2. The service starts but I am unable to create an SSL (FTPS/FTPES) connection!
- FZS needs read access to the certificate files; otherwise it sends empty strings/garbage as SSL certificates. Make sure the certificate files are readable by the "filezilla" account by checking its presence in the user list on the "Security" tab of each certificate file used.
- 3. I get access denied errors on upload and file deletion although I have set the Write/Delete rights in the FileZilla Server Admin interface properties!
- FZS needs OS "Write/Modify" access to upload files and create directories, and "Full Control" to delete them, so make sure you have assigned those rights to the "filezilla" account for your upload directories.
- 4. I set up everything as mentioned here but the FZS service still fails to start!
- There is some access rights issue. You can trace it with Process Monitor from Sysinternals, but that is not for the faint-hearted. You can always revert to the SYSTEM account by selecting "Local System account" on the "Log On" tab of the service properties. Don't forget to kill the service if it doesn't respond to the "STOP" command before restarting.
Tips & Tricks
- You can script the permission setup with CACLS, XCACLS or SetACL in a bat file.
- With the Secondary Logon (Run As...) service you can execute commands as administrator even from a LUA account.
- You can use suDown to achieve LUA with an Administrator account.
- On Windows XP Home the "Security" tab cannot be enabled by default, but you can install an update to enable it.
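The tip about scripting permissions, applied to the three access requirements from the Troubleshooting list, as an added example that is not part of the original article. It calls icacls (the built-in successor to CACLS) from PowerShell in an elevated session; every path below is a placeholder to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example. All paths are placeholders (assumptions); substitute your own.
$account    = 'filezilla'
$configFile = 'C:\Program Files\FileZilla Server\FileZilla Server.xml'  # assumed install path
$certFiles  = @('C:\ftp\certs\server.pem')      # placeholder certificate file(s)
$uploadDirs = @{ 'D:\ftp\incoming' = $false     # upload only
                 'D:\ftp\scratch'  = $true }    # FTP users may also delete here

function Grant-FzsAccess([string]$Path, [string]$Rights) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
    # ${account} keeps PowerShell from parsing "$account:" as a scope qualifier.
    $out = & icacls.exe $Path /grant "${account}:$Rights" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on '$Path': $out" }
}

# Item 1: the settings file must be writable, or the service hangs on start.
Grant-FzsAccess $configFile '(R,W)'

# Item 2: certificate files only need to be readable.
foreach ($file in $certFiles) { Grant-FzsAccess $file '(R)' }

# Item 3: Modify for uploads, Full Control where deletion is allowed (as stated above).
# (OI)(CI) makes files and subdirectories inherit the entry.
foreach ($dir in $uploadDirs.Keys) {
    $rights = if ($uploadDirs[$dir]) { '(OI)(CI)(F)' } else { '(OI)(CI)(M)' }
    Grant-FzsAccess $dir $rights
}

# Verify before starting the service: every path must carry an Allow entry for the account.
$report = foreach ($path in @($configFile) + $certFiles + @($uploadDirs.Keys)) {
    $aces = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.IdentityReference -like "*\$account" -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $aces) { throw "No Allow entry for '$account' on '$path'" }
    [pscustomobject]@{ Path = $path; Rights = ($aces.FileSystemRights -join '; ') }
}
$report | Format-Table -AutoSize
```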