AMPDatastore Windows ACL

Flussburrito posted this 09 February 2019

Hi,

I am confused about how the Installer/ADS Service are setting the ACL on the Windows folders used by the ADS Service:

  1. AMP-Datastore is owned by SYSTEM
  2. instances.json is owned by Administrators (missing owner or Network Service)
  3. ADS Service runs under Network Service

This ends up in the ADS Service not being able to change the instances.json, because Network Service is neither owner nor administrator.

To rely on the *owner might not be a good idea, and running a service as Network Service* that evolves over time (creating new folders and IP bindings) can be tricky. This is well documented for IIS, where you have special users (IIS_IUSRS etc.) to deal with access rights / security.

Mike posted this 11 February 2019

The ACL ends up kind of weird because of the way people keep using the built-in "Administrator" user to run the instance manager and tools. If you do this against the advice of the installation guide then you'll need to change the permissions such that Network Service has full read-write access to the datastore manifest.

Also ADS cannot start/manage service instances, only ADS itself should run as a service.
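
One way to audit the ownership problem described in this thread and apply the permission change Mike suggests, as an added PowerShell example (not from the thread and not AMP's own tooling). It assumes the datastore lives at the placeholder path in `$DatastorePath` and grants NETWORK SERVICE Modify rather than Full Control, inherited so that newly created instance folders and files stay writable:

```powershell
# Added example; $DatastorePath is an assumed placeholder, set it to the real AMP-Datastore folder.
param(
    [string]$DatastorePath = 'C:\AMP-Datastore'
)

# Resolve NETWORK SERVICE by its well-known SID so the script works on any display language.
$serviceSid     = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')
$serviceAccount = $serviceSid.Translate([System.Security.Principal.NTAccount])
$modify         = [int][System.Security.AccessControl.FileSystemRights]::Modify

function Show-AclSummary {
    # Report owner and whether NETWORK SERVICE already holds an Allow ACE covering Modify.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $hasModify = [bool]($acl.Access | Where-Object {
        $_.IdentityReference -eq $serviceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $modify) -eq $modify
    })
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; NetworkServiceModify = $hasModify }
}

$manifest = Join-Path $DatastorePath 'instances.json'

# 1. Audit: the thread's symptom is instances.json owned by Administrators while ADS runs as NETWORK SERVICE.
Show-AclSummary -Path $DatastorePath
Show-AclSummary -Path $manifest

# 2. Remediate: inheritable Modify ACE for NETWORK SERVICE on the datastore folder.
$folderAcl = Get-Acl -Path $DatastorePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $serviceAccount,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$folderAcl.SetAccessRule($rule)
Set-Acl -Path $DatastorePath -AclObject $folderAcl

# 3. If the manifest had inheritance disabled it will not pick up the new ACE; re-enable inheritance
#    on the file (keeping its explicit ACEs) so the folder rule flows down.
$fileAcl = Get-Acl -Path $manifest
$fileAcl.SetAccessRuleProtection($false, $true)
Set-Acl -Path $manifest -AclObject $fileAcl

# 4. Re-check: NetworkServiceModify should now be True for both entries.
Show-AclSummary -Path $DatastorePath
Show-AclSummary -Path $manifest
```

Run it from an elevated PowerShell session, since changing the ACL of a SYSTEM-owned folder requires administrative rights.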

Flussburrito posted this 11 February 2019

That's what I am doing, a separate user (member of Administrators) installing AMP; it is still resulting in the permissions described.

Network Service is only relevant in an Active Directory environment anyway.

I believe that's why most people prefer to create services with nssm and a dedicated service user.

Mike posted this 11 February 2019

NETWORK SERVICE is used because it has a reduced permissions set. AMP aggressively drops permissions wherever possible and the network service user is a good way to do this. There is some experimental code in AMP for creating service-specific users but it has issues in non-domain environments.

Flussburrito posted this 11 February 2019

I have done more testing; this time I installed everything in a Win 10 VM, and it works flawlessly, even with the Administrator user. No difference.

My problems surfaced on a local 2016 GUI server before. Is there anything different if no virtualization environment is detected?
