Create a local account for running the service
Submitted by chris on January 18, 2006 - 14:37. Apache Install
You should first get Apache working running the service under "Local System"
and then switch to this more restricted account. If you are trying to
troubleshoot permission issues go back to running the service under "Local
System" to see if it works.
When testing out new products it can also help to revert back to "Local System", just to make sure you are not have permission issues.
1) Create a normal domain user account. Apache.org seems to say you want a domain account, I do not think at this point it is required. A local account seems to work just fine.
2) Grant the newly-created user the privileges:
Log on as a service (Windows will do this for you when you set the service account).
Act as part of the operating system (might be able to skip this not sure ?)
Using the W2K3 resource kit tool (see download link following) add the privilege like so:
ntrights +r SeTcbPrivilege -u Apache220 (Apache220 is the local account I created).
Note:
To remove the privilege:
ntrights -r SeTcbPrivilege -u Apache220
3) Make the local account a member of the "Users" group.
This is a recommendation from Apache.org, but it could probably be optimized (less permissions).
4) Grant the account read and execute (RX) rights to all document and script folders (htdocs and cgi-bin for example).
Skip setting on the cgi-bin folder until better understanding.
5) Grant the account change (RWXD) rights to the Apache logs directory.
6)Grant the account read and execute (RX) rights to the Apache.exe binary executable. This is the main compiled exe in the folder "bin". Sometimes also called httpd.exe (HTTP DEAMON?).
I gave RX to the folder containing httpd.exe.
7) I gave permissions to this user on
C: System drive root only (This folder only) Might be optional
D: The drive housing Apache (This folder only) Might be required
8) Looks like the account also need at least
D:\Apache220 (this folder only Read/List)
Finally decided to give the user R&X to the folder d:\apache220
Note from Apache.org:
It is usually a good practice to grant the user the Apache service runs as read and execute (RX) access to the whole Apache2 directory, except the logs subdirectory, where the user has to have at least change (RWXD) rights.
Windows Server 2003 Resource Kit Tools
Ref: http://httpd.apache.org/docs/2.2/platform/windows.html
When testing out new products it can also help to revert back to "Local System", just to make sure you are not have permission issues.
1) Create a normal domain user account. Apache.org seems to say you want a domain account, I do not think at this point it is required. A local account seems to work just fine.
2) Grant the newly-created user the privileges:
Log on as a service (Windows will do this for you when you set the service account).
Act as part of the operating system (might be able to skip this not sure ?)
Using the W2K3 resource kit tool (see download link following) add the privilege like so:
ntrights +r SeTcbPrivilege -u Apache220 (Apache220 is the local account I created).
Note:
To remove the privilege:
ntrights -r SeTcbPrivilege -u Apache220
3) Make the local account a member of the "Users" group.
This is a recommendation from Apache.org, but it could probably be optimized (less permissions).
4) Grant the account read and execute (RX) rights to all document and script folders (htdocs and cgi-bin for example).
Skip setting on the cgi-bin folder until better understanding.
5) Grant the account change (RWXD) rights to the Apache logs directory.
6)Grant the account read and execute (RX) rights to the Apache.exe binary executable. This is the main compiled exe in the folder "bin". Sometimes also called httpd.exe (HTTP DEAMON?).
I gave RX to the folder containing httpd.exe.
7) I gave permissions to this user on
C: System drive root only (This folder only) Might be optional
D: The drive housing Apache (This folder only) Might be required
8) Looks like the account also need at least
D:\Apache220 (this folder only Read/List)
Finally decided to give the user R&X to the folder d:\apache220
Note from Apache.org:
It is usually a good practice to grant the user the Apache service runs as read and execute (RX) access to the whole Apache2 directory, except the logs subdirectory, where the user has to have at least change (RWXD) rights.
Windows Server 2003 Resource Kit Tools
Ref: http://httpd.apache.org/docs/2.2/platform/windows.html
| Attachment | Size |
|---|---|
| rktools.exe | 11.77 MB |