Solved

Any reason not to grant a domain computer account shared folder permission on another server?

Posted on 2011-09-08
Last Modified: 2012-06-22
We have a few web servers in a DMZ that need to access files on a single file server share in the inside network.  Currently we use a domain account (call it webshare) which is what the web services use when they need to access a file on the inside share.  One of the developers asked if we could add the web server's domain computer account to the share, as it would be easier for the application developers not to have to impersonate a user account when they need to access those files.  Note that the webshare account has local admin rights on the web server, but no domain rights other than that one share on one file server.

This is a single Windows domain and 2008 servers we're talking about, FYI.

Any reason why using the computer account instead of a domain account would be better/safer or less secure than the current method?  Or basically the same?

Thanks
Question by:mchad65
4 Comments

Accepted Solution

by:
Kyle Abrahams earned 500 total points
ID: 36503559
If the server was ever compromised (e.g. hacked), the computer could then write files to your file share bypassing security.  It would then just take someone to execute that file and now you have someone on your internal network.

In general you never want any traffic going across your DMZ to your internal network.  If you need to get files into the network, you should actually write them to your DMZ (behind another firewall) and let the internal users pull them the same way the external users do.



Author Comment

by:mchad65
ID: 36503606
Understand your point re: network security, and we have taken appropriate steps.  Certainly one wouldn't put a SQL server in a DMZ, and web servers often need to talk to SQL.  Clearly I am not revealing the full details of our internal network security architecture in a public forum.

Network security aside, back to the original question, is there any more or less inherent risk in using a computer account for share permissions vs. a domain user account?

Thanks
Expert Comment

by:Kyle Abrahams
ID: 36503658
Anyone who gets onto the computer could use the fileshare vs only that one account.

So you're opening up the gate a bit.  

Also from an administration side say you scale out the website to multiple computers.  Using 1 windows account they could all write to the share.  Otherwise you would need to add each computer where the application was running to the share.  

Which breeds another question:  Do you have other applications running on any of the servers that shouldn't have access to the share?

IMO I would tell the developer to suck it up and impersonate with the user account.

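A defender-side check for the point Kyle raises above (an added example, not code from this thread): a PowerShell audit that lists share-level and NTFS grants made to computer accounts (names ending in `$`), the Domain Computers group, or broad built-in groups, so such grants can be spotted and reviewed. It assumes the SmbShare module (Windows Server 2012 or later; the thread's 2008 servers would need a different query) and uses `WebShare` as a placeholder share name.

```powershell
# Audit one share on the local file server for grants to computer accounts
# or broad groups, on both the share ACL and the NTFS ACL of its folder.
# Assumes the SmbShare module (Server 2012+). 'WebShare' is a placeholder.
param(
    [string]$ShareName = 'WebShare'   # placeholder, not a name from the thread
)

# Principals that hand access to every machine or every user in the domain.
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Computers', 'Users')

function Test-RiskyPrincipal {
    param([string]$Account)
    $name = ($Account -split '\\')[-1]        # strip DOMAIN\ or MACHINE\ prefix
    if ($name.EndsWith('$')) { return 'computer account' }
    if ($broadPrincipals -contains $name) { return 'broad group' }
    return $null
}

$share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
$findings = @()

# Share-level permissions (Full / Change / Read).
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    $why = Test-RiskyPrincipal $ace.AccountName
    if ($why -and $ace.AccessControlType -eq 'Allow') {
        $findings += [pscustomobject]@{
            Layer = 'Share'; Principal = $ace.AccountName
            Rights = $ace.AccessRight; Reason = $why
        }
    }
}

# NTFS permissions on the folder behind the share; write rights here are
# what would let a compromised web host drop files onto the inside network.
$acl = Get-Acl -Path $share.Path
foreach ($ace in $acl.Access) {
    $why = Test-RiskyPrincipal $ace.IdentityReference.Value
    if ($why -and $ace.AccessControlType -eq 'Allow') {
        $findings += [pscustomobject]@{
            Layer = 'NTFS'; Principal = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights; Reason = $why
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No computer-account or broad-group grants on \\$env:COMPUTERNAME\$ShareName" }
```

Run it on the file server; any `Rights` value that includes Modify, Write or Change for a flagged principal is the case the accepted answer warns about.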

Author Comment

by:mchad65
ID: 36503817
I am leaning towards keeping it as is, I just wanted another opinion.  The share exists solely for storing PDFs the users of the sites need to download.  Pretty much each site has a need to access it. There may be the odd app that doesn't need access, but the majority do.

I think I agree with your last.  Thanks.