Question

minimum NTFS permissions for Forms Routing Service

asked on November 9, 2015

Our client wants to ensure minimum NTFS permissions assigned to the managed service account under which the Forms Routing Service will run. The Forms webhelp on the installation only states the following:

The account that the Laserfiche Forms Application Pool and Routing Service use must have the right to create folders in the local file system.

I need to know the exact directories for which this account will need the right to create folders in the file system in order to deploy this to meet their security requirements. Is that information available?

Thanks, Damon

1 0

Replies

replied on December 29, 2015

This is what I've found is required for a service account's permissions and rights based on my testing for implementing a "least privilege installation" for Forms Routing Service:

  1. Rights on the machine in question to log on as a service (should be granted when the LOG ON AS value is set to the domain account)
  2. NTFS full control to the program files folder (usually C:\Program Files\Laserfiche\Laserfiche Forms)
  3. Http Server API URL ACL
    • netsh http add urlacl url=http://+:8169/Design_Time_Addresses/RoutingEngineServiceLib/Service1 user=domain\user
    • netsh http add urlacl url=http://+:8737/Design_Time_Addresses/FormExportServiceLib/Service1 user=domain\user
    • netsh http add urlacl url=http://+:8733/Design_Time_Addresses/AutoTriggerServiceLib/Service1 user=domain\user
  4. Registry:
    • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters FULL
    • HKLM\Software\Microsoft\SystemCertificates FULL
    • HKLM\Software\Microsoft\Enterprise Certificates FULL
    • HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA FULL
    • HKLM\System\CurrentControlSet\services\eventlog FULL

2 0
replied on November 13, 2015

Hi Damon,
The only directory that the Forms account should need access to in the local file system is C:\Program Files\Laserfiche\Laserfiche Forms
Best,
Kevin

0 0
replied on December 29, 2015

Hi,

I created a service account for forms routing service specifically.

I gave this account full NTFS permissions to C:\Program Files\Laserfiche\Laserfiche Forms

However, when I try to start the service I get, "Error 1067: The process terminated unexpectedly."

Has anyone run into this?

0 0
replied on February 5, 2016

Daniel,

You're most likely getting this because NTFS permissions to that program files\laserfiche\laserfiche forms directory aren't the only access required. Review my earlier post, which details additional access the user account requires.

For example, the HTTP Server API URL ACL rights... to explain, the Laserfiche Forms Routing Service leverages the HTTP Server API to handle its communications over HTTP (Laserfiche Repository Server does as well, and as such requires similar rights if you're running under a least privileged installation like this).

So when the Forms Routing Service spins up, it registers the URLs (noted in my previous post) with the HTTP Server... this tells the HTTP Server (the HTTP.sys kernel mode driver) to route requests destined to those URLs over to the Forms Routing Service... and the remainder get routed over to your IIS Web Server. In this fashion, HTTP Server is extended to provide services to not only the IIS Web Service, but any other application (like the Forms Routing Service) that reserves a given URL with the HTTP Server.

But in order for an application to reserve a URL like this, the service account under which it's running must be granted rights to reserve that URL. That's what you're doing with step 3 of my previous post: you're updating the rights for your service account to be able to reserve/register the necessary URLs with the HTTP Server, so those requests will get routed to Forms instead of IIS Web Server.

You're getting the error because the user account hasn't been granted that access, so when the Forms Routing Service spins up and tries to reserve/register those URLs, it fails, and the service shuts down if it can't do this. There are details on this in the application event log, because that's where I found the exact URLs that Forms Routing Service needed to reserve/register.

Most folks run it under local system, or they drop their service account in the local admin group, which would have these rights natively, but it's not secure. So if you're limiting rights to your service account identity, you'll need to add the rights noted in my previous post.

0 0
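The least-privilege rights listed in the December 29 reply (NTFS Full Control on the install folder, the three HTTP Server API URL reservations, and Full Control on the five registry keys), together with the start-up check the February 5 reply describes, can be applied and verified from one elevated PowerShell session. The script below is an added example and is not code from the thread or from Laserfiche; the account name and install path are placeholders to adjust, the service display name used for the event-log check is an assumption, and the "log on as a service" right is left to the Services console as the reply suggests.

```powershell
# Added example (not from the original thread or from Laserfiche): apply and then
# verify the rights the reply lists for a least-privilege Forms Routing Service account.
# Run in an elevated PowerShell on the Forms server.
param(
    # Placeholder: the managed service account the Routing Service runs as
    [Parameter(Mandatory = $true)][string]$ServiceAccount,     # e.g. 'DOMAIN\svc-forms-routing'
    [string]$FormsPath = 'C:\Program Files\Laserfiche\Laserfiche Forms'
)

# URLs from the thread that the Routing Service reserves with HTTP.sys at start-up
$urls = @(
    'http://+:8169/Design_Time_Addresses/RoutingEngineServiceLib/Service1',
    'http://+:8737/Design_Time_Addresses/FormExportServiceLib/Service1',
    'http://+:8733/Design_Time_Addresses/AutoTriggerServiceLib/Service1'
)

# Registry keys from the thread that the reply found needed Full Control
$regKeys = @(
    'HKLM:\System\CurrentControlSet\Services\WinSock2\Parameters',
    'HKLM:\Software\Microsoft\SystemCertificates',
    'HKLM:\Software\Microsoft\Enterprise Certificates',
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\CA',
    'HKLM:\System\CurrentControlSet\Services\EventLog'
)

# 1. NTFS Full Control on the install folder, inherited by subfolders and files,
#    and nothing granted anywhere else on the file system
$acl  = Get-Acl -Path $FormsPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $FormsPath -AclObject $acl

# 2. HTTP Server API URL reservations (step 3 of the reply). listen=yes lets the
#    account register the URL; delegate=no because the service never hands it off.
foreach ($u in $urls) {
    netsh http add urlacl "url=$u" "user=$ServiceAccount" listen=yes delegate=no | Out-Null
}

# 3. Registry Full Control on exactly the keys the reply lists
foreach ($k in $regKeys) {
    $rAcl  = Get-Acl -Path $k
    $rRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $ServiceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $rAcl.AddAccessRule($rRule)
    Set-Acl -Path $k -AclObject $rAcl
}

# 4. Verify the reservations: a URL the account cannot register is what makes the
#    service stop at start-up with the Error 1067 symptom discussed in the thread
$missing = foreach ($u in $urls) {
    $out = netsh http show urlacl "url=$u"
    if (-not (($out -join "`n") -match [regex]::Escape($ServiceAccount))) { $u }
}
if ($missing) {
    Write-Warning "URL reservations not granted to ${ServiceAccount}:`n$($missing -join "`n")"
} else {
    Write-Host "All three URL reservations are granted to $ServiceAccount"
}

# 5. If the service still fails, pull recent Application-log errors that mention one
#    of the URLs, which is where the reply found the URLs it had to reserve
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2;
                                           StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
$recent | Where-Object { $m = $_.Message; $urls | Where-Object { $m -like "*$_*" } } |
    Select-Object TimeCreated, ProviderName, Message | Format-List
```

Running the script a second time is harmless: `AddAccessRule` merges an identical rule, and `netsh http add urlacl` simply reports that the reservation already exists. The verification in step 4 is the part worth keeping in a post-deployment check, since a reservation that is removed later reproduces the Error 1067 failure the thread describes.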