Posted to users@httpd.apache.org by CE <bc...@gmail.com> on 2015/05/14 20:55:40 UTC

[users@httpd] Why is "Act As Part of the Operating System" needed for Apache on Windows?

Hi Everyone,

This is my first time here, so if I'm doing this wrong please correct me so
that I learn. (Be gentle.)

I have a question about running Apache httpd 2.4.x on Windows Server 2008
R2. I searched everywhere online for an answer and read the manuals, but
the most info I got was that someone posed this question here 11 years ago
and there was no reply. (Copied below.)


The Apache 2.4 documentation recommends creating a new user for httpd that
has "Log on as a service" AND "Act as part of the operating system" rights.

My question is, why is "act as part of the operating system" needed? It is
a very high risk permission.

I ran Apache without this right and it seems to work fine. What feature
needs it? I don't want the server to suddenly fail on me, but I also don't
understand why it is "required." Help?



----  MORE DETAIL, IF YOU WANT --------

The "Act as part of the operating system" permission is a high risk
permission. Programs with this access can impersonate any user on the
entire computer, thereby getting full access to any file. It is basically
the Windows equivalent of root.

My concern here is that setting read/write/execute permissions for the
Apache user is effectively meaningless because of that capability. And more
importantly, should the server get compromised for any reason (e.g., a
client somehow convincing the httpd service to execute harmful code due to
a configuration mistake), the attacker would be able to do literally
anything if they impersonate an Administrator.

On Linux, Apache runs a service to bind to port 80 (or whichever) as root,
but the web-serving sub-processes run as limited users, so this isn't an
issue there. On IIS, the sites run as site-specific users ("application
pool" users), so even if the server/site is compromised, the attacker has
no permissions to do anything beyond affect the specific site files.

On Apache for Windows, it seems that the whole thing is run under the
equivalent of root. I'm nervous to do that. In fact, Microsoft specifically
recommends AGAINST providing "Act as part of the operating system" to any
users.

Apache recommending a new user with the permission:
https://httpd.apache.org/docs/2.4/platform/windows.html

Microsoft recommending against it:
https://msdn.microsoft.com/en-us/subscriptions/dn221957(v=ws.10).aspx



------- EMAIL I FOUND IN THE ARCHIVES THAT WAS NEVER ANSWERED ----

(Can be seen online here:
http://httpd.markmail.org/search/?q=%22act+as+part+of+the+operating+system%22+why#query:%22act%20as%20part%20of%20the%20operating%20system%22%20why+page:1+mid:v3nkvtddxoumjaoo+state:results
)

Jan 12, 2004


Hey everyone,

Have a question about the "User rights assignment" in windows. In the
apache docs they recommend (when running apache as a service) to create a
new user account for the apache service and to grant this new user "Log on
as a service and Act as part of the operating system" privileges. Our
apache test server seems to run fine without "Act as part of the operating
system". Why is this right needed? It seems to be more than necessary.
Maybe we have the module that needs this right disabled. Can anyone see any
reason to enable this right?

Here is the apache doc that talks about this
http://httpd.apache.org/docs-2.0/platform/windows.html#winsvc

Here is the Microsoft description of *Act as part of the operating system*

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/525.asp

Thanks, Ryan
*Ryan Johnson Security Architect ESP Group*
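An added audit script for the question above (not part of this thread or of the httpd project): it exports the local user-rights policy, lists which accounts hold "Act as part of the operating system" (the SeTcbPrivilege right), and reports whether the Apache service account is among them. It assumes the service is registered under the default name 'Apache2.4' and that it is run from an elevated PowerShell prompt.

```powershell
# Added audit script, not from the thread or the httpd project.
# Assumes the service is registered under the default name 'Apache2.4'
# (what "httpd.exe -k install" creates); edit $ServiceName otherwise.
# Run from an elevated prompt: secedit needs admin rights to export policy.
$ServiceName = 'Apache2.4'

# 1. Which account does the service start as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
# Local accounts show up as '.\name'; normalise to 'COMPUTER\name'
$svcAccount = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
Write-Host "Service $ServiceName runs as: $svcAccount"

# 2. Export the user-rights part of the local security policy. The INF has a
#    [Privilege Rights] section, one line per right, for example:
#    SeTcbPrivilege = *S-1-5-32-544,MYHOST\apache   (constructed sample line)
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg

function Get-RightHolders {
    param([string]$Right)
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }          # right assigned to nobody
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {       # '*SID' form: translate to a name
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else { $entry }
    }
}

# "Act as part of the operating system" is SeTcbPrivilege;
# "Log on as a service" (the right the service really needs) is SeServiceLogonRight.
$tcbHolders = @(Get-RightHolders 'SeTcbPrivilege')

Write-Host "`nAccounts holding SeTcbPrivilege (Act as part of the operating system):"
$tcbHolders | ForEach-Object { Write-Host "  $_" }

# 3. Verdict for the Apache account. -contains is case-insensitive in PowerShell.
if ($tcbHolders -contains $svcAccount) {
    Write-Warning "$svcAccount holds SeTcbPrivilege: it can impersonate any account on this host."
} else {
    Write-Host "`n$svcAccount does not hold SeTcbPrivilege."
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Well-known service accounts (e.g. NT AUTHORITY\LocalService) translate to slightly different display names than Win32_Service reports, so compare those by SID if you run the service under one of them.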

[users@httpd] Re: Why is "Act As Part of the Operating System" needed for Apache on Windows?

Posted by CE <bc...@gmail.com>.
No takers? Somebody here must use Apache on windows...
On Thu, May 14, 2015 at 2:55 PM CE <bc...@gmail.com> wrote: